Empathy is not often associated with cybersecurity. Former Facebook chief security officer Alex Stamos made reference to this idea during his 2017 Black Hat conference keynote, noting that "we have a real inability to put ourselves in the shoes of the people we are trying to protect," and encouraging security professionals to "have empathy for the people that use the technologies we build."
Unfortunately, as Stamos astutely noted, both security and software professionals tend to approach problem solving with an eye toward problems that are glamorous, complex, or sexy rather than ones that are most common or affect the largest number of users.
In reality, those with the most direct exposure to serious cybersecurity challenges are also the least prepared to handle them. Think of the frontline employees who are bombarded with phishing attacks, software updates, and deadlines around the work they're trying to accomplish. Or consider organizational executive leadership and boards, who often struggle to understand the mechanics and potential impact of today's cyber-risks.
Cybersecurity practitioners should heed Stamos' advice and work hard to empathize with "the people that use the technologies we build." Technology, ultimately, should serve those who use it and empower them to achieve more than they otherwise could. Empathic approaches to technology, people, and organizational processes are critical in building operations that are both secure and sustainable. Below are three specific examples where applying empathy can enhance security.
In recent years, third-party risk has become a pressing concern. Whether it is the torrid tale of Target's HVAC vendor or the NY Department of Financial Services Cybersecurity Requirements, third-party risk is under the microscope like never before. Empathy goes a long way toward giving security teams a deeper understanding of third-party risk, because that risk hinges both on the security posture of the third party and on the relationship with the external firm and the service it provides. It is important for cyber professionals to remember that every third-party engagement is chosen for a business reason, which must also be accounted for in the overall risk analysis.
For example, beyond the standard approach of asking what organizational data the third party has, we must understand how critical these resources are to business operations. Does your organization have a plan to replace their functionality on short notice? What other elements of the relationship are at play (such as strategic partnerships, regulatory drivers, etc.)?
An approach that is exclusively technology-focused will almost certainly miss important elements that must be accounted for. Empathy helps round out the risk assessment and allows a more holistic, risk-based decision to be made.
Phishing and Social Engineering Attacks
Business email compromise — the term for fraudulent emails designed to get corporate financial custodians to send money to bad actors under the guise of helping the CEO — is fundamentally an empathy issue. Attackers are leveraging psychological and organizational weaknesses to the tune of about $12.5 billion in profit. Adding empathy helps solve this security challenge in two specific ways involving policy and processes:
An open-door policy from executive leadership encourages employees to approach executives directly any time something doesn't feel right, or they want to check on the legitimacy of a request. This policy has the added benefit of generating interaction between leaders and engaged and aware employees.
A business process requiring confirmation with the CFO either in-person or via direct-dialed voice for any transaction over a certain threshold should also be encouraged. Instead of trying to respond as fast as possible for fear of looking inattentive, this practice would motivate employees to double-check such a request in a way that is difficult to spoof.
Penetration testing stands out as an example where technology solutions can be immensely enhanced by empathy. There are many software tools and platforms that perform automated scans, one-click exploits or other similar functionality. Indeed, utilizing a pre-configured penetration testing tool like Burp or Nessus is table stakes in 2018, and most organizations should already be performing this level of self-analysis.
A human-centered approach to this problem looks more like BugCrowd or HackerOne. According to a recent report from HackerOne, the humans powering their platform discovered and reported over 72,000 vulnerabilities (as of May 2018), with more than 27,000 of those discovered and resolved within the last year alone. While there's no doubt that these hackers are using technology tools to help them find vulnerabilities, it is the human element that creates effective penetration testing practices at scale.
Ultimately, the next "killer app" for cybersecurity won't be a matter of doing more, faster. Instead, we must empower humans to make better decisions — including those at the front desk all the way up to those in the corner office. The most effective thing we can do as security professionals is double down on the human element and develop empathetic solutions to these fundamentally human problems.