Careers & People

7/5/2017
10:30 AM
Tom Pendergast
Tom Pendergast
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Avoiding the Dark Side of AI-Driven Security Awareness

Can artificial intelligence bring an end to countless hours of boring, largely ineffective user training? Or will it lead to a surveillance state within our information infrastructures?

Like many, I'm genuinely excited for the emerging influence of artificial intelligence, or AI. I love it on my smart devices, when I shop, and (in limited form) in my car. But I'm most pumped about what it could bring to the difficult and too often tedious task of educating humans about the risks they pose through their mishandling of information and their exposure of the organization to cybercrime. I'm optimistic that AI may kill old-school security awareness, where we subject an entire employee population to long, boring, required training.

With the right data and intelligent processing, we could place employees within a smart matrix where the very systems they use to interact with information — I'm talking browsers, Outlook, cloud storage — could also provide them with short, individually targeted units of instruction in just the right dose for the risks that they manifest. All it will take is the full integration of smart IT infrastructure with a modular matrix of risk-based content. What could possibly be the problem?

The Problem
"I'll tell you what’s the problem, Tom," my contrarian friend Konrad said when I presented him with my rosy depiction of the future:

"Do you think I really want the computers watching everything I'm doing and then telling me what I need to know, like some nasty old school teacher looking over my shoulder and telling me what I should do to get the answer right? And then that same teacher writes home to my mother to tell her where I've gone wrong or maybe keeps me after school for detention. I'll take death by PowerPoint to living in a surveillance state, thank you very much."

The sobering truth is that if we don't watch out, we will create a surveillance state within our information infrastructure. We will have the capacity to recognize employee's flaws and peculiarities in ways that feel invasive and creepy (though we certainly recognize and identify such problems today already). We will have the capacity to individualize instruction and reminders in ways that may feel like we know what people are thinking about doing before they do it. ("Tempted to click that link Tom? I can see why: it looks much like the legitimate links you often click on. But take a closer look.…" You get the idea).

An (Automated) Helping Hand
Remember Clippy, the first generation of digital "helper" that Microsoft introduced years ago? It didn't work. Clippy tried too hard to be cute and he often didn't know what you needed.

But the next generations of contextual helpers have gotten better and better. I suspect we'll see a natural evolution of AI-driven security awareness training into forms that don't feel much like training at all, but instead feel like useful advice offered in the service of protecting us (and by extension the organization) from mistakes.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

If we do it right (and now I'm situating myself as part of the "we" that will be producing the next generation of content), we'll provide interactions that are amusing and relevant and cued up not just to the mistake you may have been about to make, but also to your own personal preferences for how you like to consume your learning. Maybe my curmudgeonly friend Konrad gets a bulleted to-do list, while humor-loving Zack gets a quick animated cartoon. After all, these same systems that identify your incipient mistakes are also capable of learning your personal preferences and configuring learning experiences that don’t irritate you.

There's a lot to figure out here, and those of us in the security awareness business have only just begun. Experiments in microlearning and reinforcement in a variety of different styles point us in the right direction, but we’re still waiting for behavioral analytics tools to become more widely dispersed and for more people to get wise to the fact that their employees don’t have to endure boring annual training (with its countless wasted hours).

But I do believe that AI-driven security awareness is inevitable, and that we don't really have a choice (Sorry, Konrad!) when it comes to preventing our work systems from understanding us in the same ways that our cars and devices and stores understand us already. Given that we understand the risks correctly, it's up to us to make sure that learning to protect data with the help of AI is the enjoyable experience that it can be — and not the dark prison that some of us fear.

Tom Pendergast, Ph.D., is the chief architect of MediaPro's Adaptive Awareness Framework, a vision of how to analyze, plan, train and reinforce to build a comprehensive awareness program, with the goal of building a risk-aware culture. He is the author or editor of 26 books ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer, AvePoint, Inc.,  8/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Surviving the IT Security Skills Shortage
Surviving the IT Security Skills Shortage
Cybersecurity professionals are in high demand -- and short supply. Find out what Dark Reading discovered during their 2017 Security Staffing Survey and get some strategies for getting through the drought. Download the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15607
PUBLISHED: 2018-08-21
In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote atta...
CVE-2018-14795
PUBLISHED: 2018-08-21
DeltaV Versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 is vulnerable due to improper path validation which may allow an attacker to replace executable files.
CVE-2018-6692
PUBLISHED: 2018-08-21
Stack-based Buffer Overflow vulnerability in libUPnPHndlr.so in Belkin Wemo Insight Smart Plug allows remote attackers to bypass local security protection via a crafted HTTP post packet.
CVE-2018-14793
PUBLISHED: 2018-08-21
DeltaV Versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 is vulnerable to a buffer overflow exploit through an open communication port to allow arbitrary code execution.
CVE-2017-17305
PUBLISHED: 2018-08-21
Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a Bleichenbacher Oracle vulnerability in the IPSEC IKEv1 implementations. Remote attackers can decrypt IPSEC tunnel ciphertext data by leveraging a Bleichenbacher R...