Since Kevin Mitnick said it in 2002, we have been regularly told that the human element is the weakest link in information security.
The statistics around behavior, policy and awareness are shocking. According to Databarracks’ Data Health Check 2015 survey of UK IT professionals, 24% reported human error as a source of data loss in the previous year, while Protiviti’s 2015 IT Security and Privacy Survey reports that 33% of companies in North America have no policies for information security.
Overall, this is an insecure environment, to put it mildly. With some lessons in cyber-psychology, the human element can be transformed from information security’s weakest link to its keystone.
What exactly is Cyber-Psychology?
Cyber-psychology as a discipline is concerned with the interaction of the mind and behavior with the various forms of information communication technology: not only email, the internet and social media, but also virtual reality, gaming and smart devices.
In practice, what this boils down to is understanding how people experience technology. Here’s an example. Your co-worker has a new haircut. It might be nice to compliment them. You could mention it in the office. You could send them a text message. You could write on their Facebook profile. You could even leave a note on the windscreen of their car!
From a data perspective, in each case you would have transmitted the same content. But understanding the connotations of the different communication media, and choosing the most appropriate one, is the essence of cyber-psychology.
In functional terms for security professionals, consider policy compliance. Let’s say there’s been a change to your organization’s policy. What is the best way to communicate this? More often than not, this will be done by email, but is this really the most effective method? If you really want people to change their behavior, is sending an all-staff mail the best way to effect that change? ‘The medium is the massage’ is the first lesson in cyber-psychology.
But the second lesson is equally important. To go back to the note on the car windscreen, you could equally say that your choice of medium depends on who you are communicating with, and you’d be right. Psychology is concerned with the rich variety in human behavior and, as such, cyber-psychology is about appreciating that variety in the context of information technology.
To have resilient security practices, we need to have compliance from the CEO to the temp contractor. As such, cyber-psychology means going beyond the ‘end user’, to appreciating that real people differ by age, gender, experience, personality, culture, and of course salary.
Cyber-psychology also involves appreciating that what happens on the internet is somewhat different to what happens ‘in real life’, but also that what happens on the internet is real life too – a few classic concepts will illustrate the point.
Firstly, the internet is designed to make communication effortless, so that we feel totally immersed in it. This is what is known as telepresence. Your average employee is likely unaware of the vast amount of computation required to allow them to log onto work email from their smartphone via public wifi. That’s a job well done for the engineers, but it represents a significant job of work for the CISO.
Because employees are oblivious to the systems behind the illusion, they don’t know how risky it could be. Cybersecurity awareness necessitates breaking the illusion of telepresence.
Secondly, anywhere up to 90% of the visitors to any online forum will read but not participate to any noticeable degree. This is lurking. Consequently, when an employee is on an enterprise system, unless someone is interacting with them, they assume they are invisible. This is where insider threats slip up – they don’t think anyone is watching. But for the CISO the question is how much visibility they have of their internal network. Cybersecurity management requires sight of what is assumed to be invisible.
Thirdly, in the traditional philosophy of the internet, everyone is equal, and there is no central control. This is known as minimization of status. It is almost impossible to get people on the internet to do anything through authority: they will simply resist for sheer entertainment value, if nothing else.
Key example: no PR hashtag campaign has succeeded without being hijacked. The upshot of this is that attempting to consolidate discipline within an information technology context is difficult. Cybersecurity compliance requires controlling that which was designed to resist authority.
What are the advantages of it in today’s business environment and why is it needed?
There are solutions to these problems. A cyber-psychology-informed information security management process would represent a significant boon in tackling the human element. What would it look like? It would comprise at least the following three essential elements:
Emotional persuasion – we need more hearts and minds, less fear and conformity. This is about regular, varied and ongoing education. People, unlike machines, do not often change behavior in line with logical information: they need PR and propaganda. The information security team needs to make friends with the human resources and people ops teams.
Distributed leadership – allow teams to develop their own individual policies. Just because you can’t have centralized control, doesn’t mean you can’t have control. Delegate information security decisions downward and outward to create independent modules of resilience.
Network citizenship – CISOs want total visibility of internal networks. But in practice this is impossible, so get your network members to help. Besides being engaged with information security, they will also need straightforward reporting mechanisms.
What are the likely challenges in seeing it rolled out among firms – are there any vertical industries in which it is needed most/be more readily adopted?
The major psychological problem in cybersecurity circles right now is excessive hype, which is heavily fear-focused. Consequently, users resort to neutralization: blocking out messaging and pretending it doesn’t matter, when they should be engaging with information security and talking about it openly.
Inevitably there will be challenges to rolling out such cyber-psychology-informed policy. The ‘sheep dip’ model of awareness (half a day once a year for all staff) ticks the box for many line managers. As we know, this model is not going to have much effect on workplace culture. No matter how good the half-day is, it can easily be undone if, soon after, one senior member of staff is seen to circumvent the new policy. Monkey see, monkey do – then everyone else will simply continue on as normal.
Anything more than the sheep-dip would be to admit that there is a bigger problem. However, cyber-psychology teaches us that in such instances, there probably is a bigger organizational problem at play.
Conway’s law, a curious software design principle from the 1960s, states that organizations which design systems inevitably end up making systems which mirror their own internal communication structures. You will probably end up with a security policy which reflects your organization’s communications structure.
Consequently, if your organization’s internal communications structure is malfunctioning then your information security policy will show this and similarly malfunction. It is worthwhile stressing this at senior level: if your information security policy is poor, it reflects poorly on your corporate structure.
What are the direct benefits of adopting a cyber-psychology-informed policy and how can these be articulated across your organization?
The ‘human element’ of information security was also mentioned in last year’s Europol IOCTA report, which noted an increasingly aggressive and confrontational cybercrime environment. The only way forward in such an environment is greater collaborative effort, more horizontally across sectors and more bottom-up within corporate structures.
Businesses which are capable of aligning their corporate goals with their information security policies are most likely to succeed through the next decade. The industries in which this is most likely to succeed are naturally the technology, telecoms, financial and media sectors, although any organization which is committed to original thinking will see the value in developing an information security culture like the one I’ve outlined above.
Thanks to several high-profile breaches, ‘we take security very seriously’ was the top meaningless cliché of 2015. It will not hold water for much longer – the public and their representatives will soon start asking for better data integrity practices.
What does security mean in daily working life? The organizations which manage to instill in their employees the importance of information security, and which can show they have taken serious educational steps to address it, will have a significant edge in the time to come, as it is clear that cybercrime continues to be profitable.
Fundamentally, information security culture will become a part of an organization’s demonstrated commitment to corporate social responsibility – along with issues like human rights, environmental responsibility and community development.