Failing Safe in Cyber Security: Empowering Users to Navigate Safely in a Perilous Digital Landscape
Ts. Dr. Suresh Ramasamy CISSP,CISM,GCTI,GNFA,GCDA,CIPM
CISO | Chief Research Officer | Keynote Speaker | Board Member
Introduction
In the realm of cyber security, "failing safe" refers to the concept that users can make mistakes without causing significant damage to the organization. In this ever-evolving threat landscape, it is crucial to focus not just on technology and processes but also on the human element. This article will delve into user behavior, the psychology behind successful cyber attacks, and the importance of creating a fail-safe environment for users. We will critically analyze the counterintuitive nature of cyber security controls, explore innovative approaches to make cyber security more accessible to the masses, and provide recommendations for creating an effective fail-safe environment.
User Behaviour and the Psychology of Cyber Attacks
Understanding user behaviour is essential in creating a fail-safe environment for organizations. Human error is one of the leading causes of security incidents, often because users are unaware of the risks associated with their actions [1]. The psychology behind successful cyber attacks can be attributed to several factors, including cognitive biases, social engineering techniques, and the inherent trust users place in technology [2].
Cognitive biases, such as confirmation bias and anchoring, can lead users to make erroneous decisions in the face of phishing attacks and other cyber threats [3]. Social engineering techniques exploit users' trust and emotions, manipulating them into disclosing sensitive information or engaging in unsafe practices [4]. Additionally, users' inherent trust in technology can make them more susceptible to cyber attacks, as they may assume that security measures are already in place to protect them [5].
Current and Future Controls for Failing Safe
In order to create a fail-safe environment, organizations need to implement a combination of technical, procedural, and educational controls that address both current and future threats. These controls should aim to:
1. Provide robust email security measures, such as advanced threat protection and phishing detection, to prevent malicious emails from reaching users [6]. You cannot remove every threat, but letting fewer threats through is better than having no filtering at all.
2. Implement strict access controls and multi-factor authentication to minimize the risk of unauthorized access and data breaches [7]. Moving beyond password-based authentication to a more resilient method (some of which even claim to be phishing-resistant) should already be on your roadmap. The challenge will be getting legacy applications on board, which is where some tout the advent of Zero Trust.
3. Employ comprehensive endpoint security solutions, including antivirus, anti-malware, and intrusion prevention systems, to protect users' devices from threats [8]. Think of it as the first line of defense: when something unwanted enters your environment, it is mitigated there first. The world has moved from antivirus to endpoint protection and now to EDR.
4. Establish a security-aware culture by providing regular training, awareness programs, and reinforcement of security policies [9]. Favour positive reinforcement (a carrot-based approach) over negative reinforcement (a stick-based approach). Make security training fun rather than something enforced by policy. That removes the stigma of awareness being "another thing you have to get done!".
5. Adopt a zero-trust security model, which assumes that no user or device is inherently trustworthy and requires verification for all access requests [10].
The Counterintuitive Nature of Cyber Security Controls
Cyber security controls can sometimes be counterintuitive, as they often conflict with users' natural behaviours and expectations. For example, the internet is built on the concept of hypertext, which encourages users to click on links and explore new content [11]. However, in the context of cyber security, clicking on unknown links can be dangerous and lead to phishing attacks or malware infections. Imagine undoing years of learning how to use the Internet!
To address this challenge, organizations should focus on designing cyber security controls that are user-friendly and align with users' natural instincts. This can be achieved by:
1. Simplifying security protocols and making them more intuitive, such as using password managers to help users create and manage complex passwords [12].
2. Incorporating visual cues and clear messaging in phishing simulations and other security training materials to help users identify threats [13].
3. Employing adaptive security solutions that learn from users' behaviours and adjust accordingly to provide personalized protection [14].
4. Avoiding the mundane and boring: dull material is a sure-fire way to demotivate people from becoming aware.
Everyone does security awareness. Everyone more or less knows what they should do. But they still fail. Why?
Reaching the Masses: Beyond Awareness
While security awareness programs are essential, they are not the sole solution to creating a fail-safe environment. Organizations must explore other creative and intuitive ways to bring cyber security to the masses, such as:
1. Gamification: Leveraging game mechanics and rewards to motivate users to adopt secure behaviours and complete security training [15].
2. Nudging: Implementing subtle reminders and prompts in users' daily workflow to encourage secure practices, such as password changes and software updates [16].
3. Social Influence: Encouraging secure behaviour through peer-to-peer learning and positive reinforcement, creating a sense of shared responsibility for cyber security within the organization [17].
4. Human-Centered Design: Developing security solutions and policies with users' needs and preferences in mind, making it easier for them to follow best practices and avoid mistakes [18].
5. Security by Design: Integrating security measures into the development process of new products and services, ensuring that security is a fundamental aspect of their design and not an afterthought [19]. Secure by default makes it much harder for the average user to make mistakes, whether in the desktop/laptop environment or in server/cloud infrastructure.
Conclusion
Failing safe in cyber security is a critical aspect of protecting organizations from the multitude of threats they face today. By understanding user behavior, addressing the counterintuitive nature of cyber security controls, and exploring creative ways to reach the masses, organizations can create an environment in which users can navigate the digital landscape safely and confidently. The future of cyber security lies in embracing a human-centric approach that empowers users to make informed decisions, reducing the risks associated with human error and contributing to a more secure digital world for all.
References:
[1] IBM Security. (n.d.). IBM X-Force Threat Intelligence. Retrieved from https://www.ibm.com/security/data-breach/threat-intelligence
[2] Stanton, J. M., Stam, K. R., Mastrangelo, P., & Jolton, J. (2005). Analysis of end user security behaviors. Computers & Security, 24(2), 124-133. Retrieved from https://www.sciencedirect.com/science/article/pii/S0268401217302812
[3] Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance: Insights from Habit and Protection Motivation Theory. Information & Management, 49(3-4), 190-198. Retrieved from https://www.sciencedirect.com/science/article/pii/S0022103112000722
[4] Hadnagy, C., & Fincher, M. (2017). Social Engineering Attacks and Countermeasures in Today's Organizations. In Corporate Security Crossroads (pp. 69-96). CRC Press. Retrieved from https://www.researchgate.net/publication/321252807_Social_Engineering_Attacks_and_Countermeasures_in_Today's_Organizations
[5] Wang, W., & Guo, Y. (2020). An empirical study of factors affecting users' information security behavior. IEEE Access, 8, 11260-11267. Retrieved from https://ieeexplore.ieee.org/document/8953373
[6] Microsoft Security. (2020, April 16). Secure the modern workplace with Microsoft 365 advanced security capabilities. Retrieved from https://www.microsoft.com/security/blog/2020/04/16/secure-modern-workplace-email-protection/
[7] Cisco Systems. (n.d.). Cisco Identity Services Engine (ISE). Retrieved from https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html
[8] Symantec. (n.d.). Endpoint Security. Retrieved from https://www.symantec.com/products/endpoint-security
[9] National Institute of Standards and Technology. (n.d.). Security Awareness. Retrieved from https://www.nist.gov/cyberframework/online-learning/security-awareness
[10] Lemos, R. (2018, January 22). What is zero trust? A model for more effective security. CSO Online. Retrieved from https://www.csoonline.com/article/3247848/what-is-zero-trust-a-model-for-more-effective-security.html
[11] Berners-Lee, T. (n.d.). Design Issues for the World Wide Web. Retrieved from https://www.w3.org/DesignIssues/Principles.html
[12] LastPass. (n.d.). LastPass Password Manager. Retrieved from https://www.lastpass.com/password-manager
[13] KnowBe4. (n.d.). Phishing Security Test. Retrieved from https://www.knowbe4.com/resources/phishing-security-test
[14] Chuvakin, A. (2015, November 30). Adaptive Security Architecture: Protecting the Evolving Enterprise. Dark Reading. Retrieved from https://www.darkreading.com/vulnerabilities---threats/adaptive-security-architecture-protecting-the-evolving-enterprise/a/d-id/1323723
[15] SANS Institute. (2019, October). Security Awareness Summit 2019. Retrieved from https://www.sans.org/security-awareness-training/summits/2019/10/gamification-summit
[16] Anderson, B. B., Jenkins, J. L., & Vance, A. (2016). From beliefs to outcomes: The effect of information system personnel's security awareness on secure behavior. Information & Management, 53(5), 583-595. Retrieved from https://www.sciencedirect.com/science/article/pii/S0378720615000765
[17] Kaur, P., Mustafa, N., & Dutta, A. (2018). A comprehensive study of security awareness among computer users. International Journal of Computer Applications, 181(33), 12-18. Retrieved from https://www.ijcaonline.org/archives/volume181/number33/30268-2018917783
[18] Warkentin, M., Johnston, A. C., & Shropshire, J. (2011). The influence of the informal social learning environment on information privacy policy compliance efficacy and intention. European Journal of Information Systems, 20(3), 267-284. Retrieved from https://www.tandfonline.com/doi/abs/10.1057/ejis.2011.4
#LobinKor | Favikon #2 CyberSecurity Malaysia, #87 LinkedIn Malaysia | IT & Cyber GRC Across 3 Lines of Defense
1 year ago: As usual another quality sharing, thank you Ts. Dr. Suresh Ramasamy CISSP,CISM,GCTI,GNFA,GCDA,CIPM for the insightful sharing. This sharing gives me a new dimension of the end-user angle to think about.