Shay Colson

Empathy: The Next Killer App for Cybersecurity?

The toughest security problems involve people, not technology. Here's how to motivate your frontline employees all the way from the service desk to the corner office.

Empathy is not often associated with cybersecurity. Former Facebook chief security officer Alex Stamos made reference to this idea during his 2017 Black Hat conference keynote, noting that "we have a real inability to put ourselves in the shoes of the people we are trying to protect," and encouraging security professionals to "have empathy for the people that use the technologies we build."

Unfortunately, as Stamos astutely noted, both security and software professionals tend to approach problem solving with an eye toward problems that are glamorous, complex, or sexy rather than ones that are most common or affect the largest number of users.

In reality, those with the most direct exposure to serious cybersecurity challenges are also the least prepared to handle them. Think of the frontline employees who are bombarded with phishing attacks, software updates, and deadlines around the work they're trying to accomplish. Or consider organizational executive leadership and boards, who often struggle to understand the mechanics and potential impact of today's cyber-risks.

Cybersecurity practitioners should heed Stamos' advice and work hard to empathize with "the people that use the technologies we build." Technology, ultimately, should serve those who use it and empower them to achieve more than they otherwise could. Empathic approaches to technology, people, and organizational processes are critical in building operations that are both secure and sustainable. Below are three specific examples where applying empathy can enhance security.

Third-Party Risk
In recent years, third-party risk has become a pressing concern. Whether it is the torrid tale of Target's HVAC vendor or the NY Department of Financial Services Cybersecurity Requirements, third-party risk is under the microscope like never before. Empathy goes a long way toward giving security teams a deeper understanding of third-party risk because the risk hinges on both the security posture of the third party and the relationship with the external firm and service provided. It is important for cyber professionals to remember that every third-party engagement is chosen for a business reason, which must also be accounted for in the overall risk analysis.

For example, beyond the standard approach of asking what organizational data the third party has, we must understand how critical these resources are to business operations. Does your organization have a plan to replace their functionality on short notice? What other elements of the relationship are at play (such as strategic partnerships, regulatory drivers, etc.)?

An approach that is exclusively technology-focused will almost certainly miss important elements that must be accounted for. Empathy helps round out the risk assessment and allows a more holistic risk-based decision to be made.

Phishing and Social Engineering Attacks
Business email compromise — the term for fraudulent emails designed to get corporate financial custodians to send money to bad actors under the guise of helping the CEO — is fundamentally an empathy issue. Attackers are leveraging psychological and organizational weaknesses to the tune of about $12.5 billion in profit. Adding empathy helps solve this security challenge in two specific ways involving policy and processes:

An open-door policy from executive leadership encourages employees to approach executives directly any time something doesn't feel right, or they want to check on the legitimacy of a request. This policy has the added benefit of generating interaction between leaders and engaged and aware employees.

A business process requiring confirmation with the CFO, either in person or via direct-dialed voice, for any transaction over a certain threshold should also be encouraged. Instead of trying to respond as fast as possible for fear of looking inattentive, this practice would motivate employees to double-check such a request in a way that is difficult to spoof.
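The payment-confirmation control described above can be encoded so that a finance system holds a request rather than relying on the employee's speed. The following is an added example, not code from the article or its author: it holds any request above an assumed threshold until someone records an out-of-band (in-person or direct-dialed) confirmation, and it goes a step beyond the text by also screening the requester's domain against a constructed vendor registry so that lookalike domains and changed bank details are held for the same human check. The vendor list, domains, account identifiers and the 10,000 threshold are all constructed for illustration.

```python
"""Hold-for-verification screening of vendor payment requests (BEC control).

Added example: encodes the "confirm with the CFO above a threshold" process
and adds a sender-domain and bank-account check. All data below is constructed.
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher

CONFIRMATION_THRESHOLD = 10_000.00  # assumed policy threshold (USD)

# Constructed vendor registry: sender domain -> bank account currently on file.
KNOWN_VENDORS = {
    "acme-supply.example": "ACCT-1001",
    "northwind.example": "ACCT-2002",
}


@dataclass
class PaymentRequest:
    sender_domain: str
    amount: float
    bank_account: str
    # True only after a person has confirmed the request in person or by a
    # direct-dialed call to a number already on file, never from the email.
    confirmed_out_of_band: bool = False


@dataclass
class Decision:
    approved: bool
    reasons: list = field(default_factory=list)  # why the request is held


def domain_similarity(a: str, b: str) -> float:
    """Character-level similarity in [0, 1]; 1.0 means identical."""
    return SequenceMatcher(None, a, b).ratio()


def lookalike_of(domain: str, known, min_ratio: float = 0.8):
    """Return the known vendor domain this one most resembles when it is not
    an exact match but is close enough to be a plausible lookalike, else None."""
    if domain in known:
        return None
    best = max(known, key=lambda k: domain_similarity(domain, k))
    return best if domain_similarity(domain, best) >= min_ratio else None


def screen(req: PaymentRequest) -> Decision:
    """Approve only when the sender is a known vendor, the bank account matches
    the one on file, and large amounts carry an out-of-band confirmation."""
    reasons = []
    if req.sender_domain in KNOWN_VENDORS:
        if req.bank_account != KNOWN_VENDORS[req.sender_domain]:
            reasons.append("bank account differs from the account on file")
    else:
        look = lookalike_of(req.sender_domain, KNOWN_VENDORS)
        if look:
            reasons.append(f"sender domain {req.sender_domain} resembles known vendor {look}")
        else:
            reasons.append(f"sender domain {req.sender_domain} is not a known vendor")
    if req.amount > CONFIRMATION_THRESHOLD and not req.confirmed_out_of_band:
        reasons.append(
            f"amount {req.amount:.2f} exceeds {CONFIRMATION_THRESHOLD:.2f} "
            "without out-of-band confirmation"
        )
    return Decision(approved=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed requests: a routine invoice, a lookalike-domain request with
    # new bank details, and a large invoice before and after confirmation.
    samples = [
        PaymentRequest("acme-supply.example", 500.00, "ACCT-1001"),
        PaymentRequest("acme-suppIy.example", 500.00, "ACCT-9999"),
        PaymentRequest("northwind.example", 25_000.00, "ACCT-2002"),
        PaymentRequest("northwind.example", 25_000.00, "ACCT-2002", confirmed_out_of_band=True),
    ]
    for s in samples:
        d = screen(s)
        print("APPROVE" if d.approved else "HOLD", s.sender_domain, d.reasons)
```

A held request is not a verdict that the email is fraudulent; it is a trigger for the human conversation the article recommends, and the confirmation flag should only ever be set by the person who made that call.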

Penetration Testing
Penetration testing stands out as an example where technology solutions can be immensely enhanced by empathy. There are many software tools and platforms that perform automated scans, one-click exploits or other similar functionality. Indeed, utilizing a pre-configured penetration testing tool like Burp or Nessus is table stakes in 2018, and most organizations should already be performing this level of self-analysis.

A human-centered approach to this problem looks more like Bugcrowd or HackerOne. According to a recent report from HackerOne, the humans powering their platform discovered and reported over 72,000 vulnerabilities (as of May 2018), with more than 27,000 of those discovered and resolved within the last year alone. While there's no doubt that these hackers are using technology tools to help them find vulnerabilities, it is the human element that creates effective penetration testing practices at scale.

Ultimately, the next "killer app" for cybersecurity won't be a matter of doing more, faster. Instead, we must empower humans to make better decisions — including those at the front desk all the way up to those in the corner office. The most effective thing we can do as security professionals is double down on the human element and develop empathetic solutions to these fundamentally human problems.


Shay Colson, CISSP, senior manager, CyberClarity360, joined Duff & Phelps from the US Department of the Treasury to lead the assessment team for CyberClarity360. He has over a decade of experience in cybersecurity and information assurance, with a focus on designing and ...

User Rank: Author
2/7/2019 | 8:58:37 AM
Empathy is important, but...
Interesting read Shay, but I'd like to offer a bit of a contrarian point of view - you summarized by writing "Ultimately, the next 'killer app' for cybersecurity won't be a matter of doing more, faster. Instead, we must empower humans to make better decisions — including those at the front desk all the way up to those in the corner office."
I submit to you that training and educating users so that they always make the right decision borders on utopia. It sounds like a "checklist security strategy" and we all know how well that works. It's enough, for example, that one URL slips through the mental process, and WHAM...

I would offer that the concept should be not empowering humans here, but rather eliminating them from the equation. In other words, isolating users from the risk vectors entirely if possible, rather than warning them about them.

An example - complete Remote Browser isolation, rather than training users on how to identify malicious site/links/phishing attempts etc.

Makes sense?
User Rank: Author
11/16/2018 | 4:04:52 PM
Re: Interesting article on Empathy
Todd - 

Great questions and discussion here. Thanks for reading and for continuing to engage.

I think you set up some potential answers in your own response here - it comes back to a human-to-human engagement. To your point on why insider threats manifest, those are all things that can be overcome by businesses through human connection. If people need validation, recognition, or respect, that's something that leadership can either actively provide or decide that the employee doesn't fit and take a different direction.

If the needs are external (financial, family issues, etc.) - employers can go a long way towards making meaningful accommodations in that space, as well. Unlikely that they can resolve them entirely, but a little empathy here goes a long way.

Finally, to your first point about the front-line, heads-down workers who either don't see security as their responsibility or who don't feel empowered to act, that's exactly the point of the article. Companies that encourage a culture of risk ownership, high engagement, and low levels of fear about making a mistake or speaking up will be able to scale the value of their human resources much more than those that can't. I would offer that in an organization where a junior accounting person feels they can't raise an issue when something doesn't look right (or after they've clicked and realized it wasn't right), the fault rests on the leadership and their culture rather than the employee or their cybersecurity training.

Business is a team sport, and if we can't get everyone on the team to play together, there's no way that we're going to make any progress.


User Rank: Ninja
11/15/2018 | 12:45:50 PM
Interesting article on Empathy
→  it is the human element that creates effective penetration testing practices at scale.

I am just curious: how do you go about improving the human element when employees don't really seem to get or understand cybersecurity? They think if they keep their head down and remain quiet, then they won't draw any attention to themselves.

I will give you an example: someone is working with their head down and they are in accounting. They click on a link, and the link says that they owe money to a vendor. The email came from the vendor but it was a phishing attack (the person's email account list was exposed to the hacker) where the pdf and link to update the banking information caused the person from accounting to act. Now this person has been trained for over 20 yrs in the area of security by this organization but thought this was a valid transaction. The amount of money from a realistic perspective may not have been a lot, but this still happened.

To a trained engineer, they would have caught the misspelling of the name, the dns name not being correct, or the address and pdf information being somewhat off.

But to the regular joe, this seemed reasonable. I am not sure if we can totally protect against this type of attack. I do agree there are certain things we need to do in order to mitigate the attacks, but within a group of people that could range from 1K - 1M in number, with different skill sets, I am not sure how you can defend against this type of attack. There needs to be some sort of AI/ML (Machine Learning) integration that assists the user in making the right decision, because hacks continue to take place every day even with controls and policies in place.

There is another discussion that could piggyback off of this discussion: the gap b/t the "haves" and "have nots". At the end of the day, people steal for three reasons: political, economic, and/or respect (just to show that they could do it). What we need to focus on is the psychological aspects of our society; there is an intrinsic problem with the way we think, because everyone has a breaking point and if pushed hard enough, every person will go down that path. Remember, for some people, it may not be about money; it could be that they need a specific drug for a parent or loved one, a child is suffering or does not get into the school of choice.

Just remember, our society is delicate, and if it is swayed one way or the other it could cause a catastrophic wave that affects everyone. The deep problem is not the hack; it is the way we think and how we think that needs to change.

