Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

7/5/2017
10:30 AM
Tom Pendergast
Tom Pendergast
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Avoiding the Dark Side of AI-Driven Security Awareness

Can artificial intelligence bring an end to countless hours of boring, largely ineffective user training? Or will it lead to a surveillance state within our information infrastructures?

Like many, I'm genuinely excited for the emerging influence of artificial intelligence, or AI. I love it on my smart devices, when I shop, and (in limited form) in my car. But I'm most pumped about what it could bring to the difficult and too often tedious task of educating humans about the risks they pose through their mishandling of information and their exposure of the organization to cybercrime. I'm optimistic that AI may kill old-school security awareness, where we subject an entire employee population to long, boring, required training.

With the right data and intelligent processing, we could place employees within a smart matrix where the very systems they use to interact with information — I'm talking browsers, Outlook, cloud storage — could also provide them with short, individually targeted units of instruction in just the right dose for the risks that they manifest. All it will take is the full integration of smart IT infrastructure with a modular matrix of risk-based content. What could possibly be the problem?

The Problem
"I'll tell you what’s the problem, Tom," my contrarian friend Konrad said when I presented him with my rosy depiction of the future:

"Do you think I really want the computers watching everything I'm doing and then telling me what I need to know, like some nasty old school teacher looking over my shoulder and telling me what I should do to get the answer right? And then that same teacher writes home to my mother to tell her where I've gone wrong or maybe keeps me after school for detention. I'll take death by PowerPoint to living in a surveillance state, thank you very much."

The sobering truth is that if we don't watch out, we will create a surveillance state within our information infrastructure. We will have the capacity to recognize employee's flaws and peculiarities in ways that feel invasive and creepy (though we certainly recognize and identify such problems today already). We will have the capacity to individualize instruction and reminders in ways that may feel like we know what people are thinking about doing before they do it. ("Tempted to click that link Tom? I can see why: it looks much like the legitimate links you often click on. But take a closer look.…" You get the idea).

An (Automated) Helping Hand
Remember Clippy, the first generation of digital "helper" that Microsoft introduced years ago? It didn't work. Clippy tried too hard to be cute and he often didn't know what you needed.

But the next generations of contextual helpers have gotten better and better. I suspect we'll see a natural evolution of AI-driven security awareness training into forms that don't feel much like training at all, but instead feel like useful advice offered in the service of protecting us (and by extension the organization) from mistakes.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

If we do it right (and now I'm situating myself as part of the "we" that will be producing the next generation of content), we'll provide interactions that are amusing and relevant and cued up not just to the mistake you may have been about to make, but also to your own personal preferences for how you like to consume your learning. Maybe my curmudgeonly friend Konrad gets a bulleted to-do list, while humor-loving Zack gets a quick animated cartoon. After all, these same systems that identify your incipient mistakes are also capable of learning your personal preferences and configuring learning experiences that don’t irritate you.

There's a lot to figure out here, and those of us in the security awareness business have only just begun. Experiments in microlearning and reinforcement in a variety of different styles point us in the right direction, but we’re still waiting for behavioral analytics tools to become more widely dispersed and for more people to get wise to the fact that their employees don’t have to endure boring annual training (with its countless wasted hours).

But I do believe that AI-driven security awareness is inevitable, and that we don't really have a choice (Sorry, Konrad!) when it comes to preventing our work systems from understanding us in the same ways that our cars and devices and stores understand us already. Given that we understand the risks correctly, it's up to us to make sure that learning to protect data with the help of AI is the enjoyable experience that it can be — and not the dark prison that some of us fear.

Tom Pendergast is MediaPRO's Chief Learning Officer. He believes that every person cares about protecting data, they just don't know it yet. That's why he's constantly trying to devise new and easy ways to help awareness program managers educate their employees. Whether it's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23281
PUBLISHED: 2021-04-13
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated remote code execution vulnerability. IPM software does not sanitize the date provided via coverterCheckList action in meta_driver_srv.js class. Attackers can send a specially crafted packet to make IPM connect to ro...
CVE-2021-27598
PUBLISHED: 2021-04-13
SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet.
CVE-2021-27600
PUBLISHED: 2021-04-13
SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored ...
CVE-2021-27601
PUBLISHED: 2021-04-13
SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attac...
CVE-2021-27602
PUBLISHED: 2021-04-13
SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the sour...