Humans are often regarded as the "weakest link" in information security. However, organizations have historically relied on the effectiveness of technical security controls, instead of trying to understand why people are susceptible to mistakes and manipulation. A new approach is clearly required; one that helps organizations to understand and manage psychological vulnerabilities and adopts technology and controls that are designed with human behavior in mind.
That new approach is human-centered security.
Human-centered security starts with understanding humans and their interaction with technologies, controls and data. By discovering how and when humans "touch" data throughout the working day, organizations can uncover the circumstances where psychological-related errors may lead to security incidents.
For years, attackers have been using methods of psychological manipulation to coerce humans into making errors. Attack techniques have evolved in the digital age, increasing in sophistication, speed and scale. Understanding what triggers human error will help organizations make a step change in their approach to information security.
Identifying human vulnerabilities
Human-centered security acknowledges that employees interact with technology, controls and data across a series of touchpoints throughout any given day. These touchpoints can be digital, physical or verbal. During such interactions, humans will need to make decisions. Humans, however, have a range of vulnerabilities that can lead to errors in decision making, resulting in negative impacts on the organization, such as sending an email containing sensitive data externally, letting a tailgater into a building or discussing a company acquisition on a train. These errors can also be exploited by opportunistic attackers for malicious purposes.
In some cases, organizations can put preventative controls in place to reduce the chance of errors being made, e.g., blocking employees from sending emails externally, encrypting laptops or installing physical barriers. However, errors can still get through, particularly if individuals decide to subvert or ignore these types of controls to complete work tasks more efficiently or when time is constrained. Errors may also manifest during times of heightened pressure or stress.
By identifying the fundamental vulnerabilities in humans, understanding how psychology works and what triggers risky behavior, organizations can begin to understand why their employees might make errors, and begin managing that risk more effectively.
Exploiting human vulnerabilities
Psychological vulnerabilities present attackers with opportunities to influence and exploit humans for their own advantage. The methods of psychological manipulation used by attackers have not changed since humans entered the digital era, but attack techniques are now more sophisticated, cost-effective and expansive, allowing attackers to target specific individuals effectively or to attack at considerable scale.
Attackers use the ever-increasing volume of freely available information from online and social media sources to establish believable personas and backstories in order to build trust and rapport with their targets. This information is carefully used to heighten pressure on the target, which then triggers a heuristic decision-making response. Attack techniques are used to force the target to use a particular cognitive bias, resulting in predictable errors. These errors can then be exploited by attackers.
There are several psychological methods that can be used to manipulate human behavior; one such method that attackers can use to influence cognitive biases is social power.
There are many attack techniques that use the method of social power to exploit human vulnerabilities. Attack techniques can be highly targeted or conducted at scale, but they typically contain triggers which are designed to evoke a specific cognitive bias, resulting in a predictable error. While untargeted, "spray and pray" attacks rely on a small percentage of the recipients clicking on malicious links, more sophisticated social engineering attacks are becoming prevalent and successful. Attackers have realized that it is far easier to target humans than to attack technical infrastructure.
The way in which the attack technique uses social power to trigger cognitive biases will differ between scenarios. In some cases, a single email may be enough to trigger one or more cognitive biases, resulting in the desired outcome. In others, the attack may gradually manipulate the target over a period of time using multiple techniques. What is consistent is that the attacks are carefully constructed and sophisticated. By knowing how attackers use psychological methods, such as social power, to trigger cognitive biases and force errors, organizations can deconstruct and analyze real-world incidents to identify their root causes and therefore invest in the most effective mitigation.
For information security programs to become more human-centered, organizations must become aware of cognitive biases and their influence on decision-making. They should acknowledge that cognitive biases can arise from normal working conditions but also that attackers will use carefully crafted techniques to manipulate them for their own benefit. Organizations can then begin to readdress information security programs to improve the management of human vulnerabilities, and to protect their employees from a range of coercive and manipulative attacks.
Managing human vulnerabilities
Human vulnerabilities can lead to errors that can significantly impact an organization's reputation or even put lives at risk. Organizations can strengthen information security programs in order to mitigate the risk of human vulnerabilities by adopting a more human-centered approach to security awareness, designing security controls and technology to account for human behavior, and enhancing the working environment to reduce the impact of pressure or stress on the workforce.
Reviewing the current security culture and perception of information security should give an organization a strong indication of which cognitive biases are impacting the organization. Increasing awareness of human vulnerabilities and the techniques attackers use to exploit them, then tailoring more human-centered security awareness training to account for different user groups should be fundamental elements of enhancing any information security program.
Organizations with successful human-centered security programs often have significant overlap between information security and human resource functions. The promotion of a strong mentoring network between senior and junior employees, coupled with the improvement of the structure of working days and the work environment, should help to reduce unnecessary stress that leads to the triggering of cognitive biases affecting decision-making.
Develop meaningful relationships between a mentor and mentee to create an equilibrium of knowledge and understanding. Create a working environment and work-life balance that reduces stress, exhaustion, burnout and poor time management, which all significantly increase the likelihood of errors being made. Finally, consider how the improvement or enhancement of workspaces and environments can reduce stress or pressure on the workforce. Consider what is the most appropriate work environment for the workforce as there may be varying options, e.g., working from home; remote working; or modernizing office spaces, factories or outdoor locations.
From your weakest link to your strongest asset
Underlying psychological vulnerabilities mean that humans are prone both to making errors and to falling for manipulative and coercive attacks. Errors and manipulation now account for the majority of security incidents, so the risk is profound. By helping staff understand how these vulnerabilities can lead to poor decision making and errors, organizations can manage the risk of the accidental insider. To make this happen, a fresh approach to information security is required.
A human-centered approach to security can help organizations to significantly reduce the influence of cognitive biases that cause errors. By discovering the cognitive biases, behavioral triggers and attack techniques that are most common, tailored psychological training can be introduced into an organization's awareness campaigns. Technology, controls and data can be calibrated to account for human behavior, while enhancement of the working environment can reduce stress and pressure.
Once information security is understood through the lens of psychology, organizations will be better prepared to manage and mitigate the risks posed by human vulnerabilities. Human-centered security will help organizations transform their weakest link into their strongest asset.
— Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cybersecurity, BYOD, the cloud and social media across both the corporate and personal environments. Previously, he was Senior Vice President at Gartner.