This post muses briefly that cybersecurity is as much a people problem as it is a technology problem. The research field and marketplace is flooded with both novel and useless technologies, so it is worth stepping back to ask if we are investing our time and resources appropriately. Cybersecurity problems grow in scope, magnitude, and effect as networked and mobile technologies proliferate and migrate down into every day devices. But we see the same types of human errors and misjudgments over time and across new generations of technologies. If we want things to change for the better, we need to address the psychology of cybersecurity and improve awareness and education among users.
Balancing convenience and security
People expect technology to just work, and developers make that happen by abstracting away unnecessary complexity. Apple was remarkable effective in making things as simple as possible to make users happy and productive with their products. Effective simplicity – convenience – is a requirement that is in fundamental tension with a technology’s security.
In an idea world, designers, developers and users would understand and expect convenience and security to be in perfect balance. We would accept some inconvenience and responsibility to ensure the devices and services we use are harder to attack and exploit.
This is oftentimes not the case. Products and online services are usual out of balance, and convenience is the winner. Long complex passphrases are less convenient than short passwords (or no password at all). A wifi router’s administrative password is hidden away from a user so that they can just plug the device in an use it with minimal configuration. Two-factor authentication is optional.
We will continue to see increases in magnitude and frequency of vulnerabilities and attacks as long as convenience trumps security in the design and implementation of our digital products.
We are our own worst enemy
In 2016, why do we continue to see the following behaviors and trends?
Phishing attacks continue to increase. The APWG, a global industrial coaltion against cybercrime, reports phishing attacks shattered all records in Q2 2016. Ransomware is the dark threat looming, and APTs continue to infect critical and enterprise networks. Both threats are typically initiated by phishing attacks.
Why do phishing attacks continue to increase? Simply, because they work. And they work because users are not adequately trained and made aware of them. We have reached a point, or are close to it, where more anti-phishing technology is useless. Perhaps, we should treat phishing attacks as a public health epidemic, and respond publicly as we did to Ebola and Zika virii outbreaks.
In an informal and absolutely unscientific survey, most people continue to utilize weak passwords shared across services and devices.
Replacing password for authenticating users would be a monumental undertaking, but making authentication technology more secure and cost effective is not. Two-factor authentication along with stronger unique passphrases is an effective defense-in-depth (SMS phase-out notwithstanding). They may not be perfect security, but they create enough delay and frictional force to make the hacker’s job more difficult.
NIST’s Special Publication 800-63-3: Digital Authentication Guidelines is a good start to injecting more common sense into digital authentication (who remembers their second grade teacher’s name?) The public needs better guideline and rules for composing strong passphrases in the first place. And those guidelines and rules need to be based on solid principles of cognitive psychology and memory, not just the computational complexity of cracking passwords. How can we make complex random-looking passphrases easy for humans to remember but computational difficult for hackers to crack? Have we fully explored technologies like CAPTCHAs?
People are scared to update their computers and mobile devices because they have personal experience with things not working afterwards. We know older software breaks down. New system-wide DLLs introduce backward incompatibilities. File locations change. System-wide metadata becomes corrupted. These are technical sources of psychological fear of system and application upgrades and updates. People put it off because they expect things to break. They have been conditioned to lose data and device availability when a dialog box pops up on their phone announcing an update is ready for installation.
Thanks Microsoft. And Apple.
Defense in depth is really just common sense
When I explain the defense in depth principle to people in terms of their homes, they get it. They have door locks, window locks, a security monitoring system, perhaps an iron gate, and hopefully a dog. They understand how all of these things work together to protect their homes from intruders. Some are detection-based (home sensors and dogs), others are prevention systems (locks and gates).
But I have found if you ask normal users to name detection and prevention mechanisms on their digital devices and services, they do not have a clue. They know they might have anti-virus software … isn’t that good enough? When I ask them to generally consider how detection and prevention mechanisms might work on, say, their laptop, they nail it. Find bad email and show an alert. Tell me if a web page or online content is bad (in the cybersecurity sense). Keep hackers from reading my financial information when I use my bank’s website.
This is an opportunity to teach users, and it is also an indication that the cybersecurity community is continuing to fail the public. Why? Perhaps the reason was introduced at the beginning of this musing: convenience trumps security. Perhaps the mechanisms are still too technically arduous and confusing. Perhaps we have not considered that cybersecurity is on par with public health issues in promoting the common good. I think it is a combination of all three.
I am not a psychologist, but I have come to appreciate the role of psychology during my career in technology and cybersecurity. It is an appreciate born from the frustrations of seeing the same vulnerabilities, threats, and attacks during each new technology cycle. We continue to make the same mistakes and hackers continue to reap the rewards. Maybe new technological approaches to thwarting our cyberadversaries would benefit greatly from a better understanding of ourselves.
Copyright © 2016 John Zachary