Cybersecurity – A complex behavioural problem
The wars of the 21st century will be to capture, manipulate or destroy others’ data. Digital systems powering organisations and nations around the world have become prime targets for attack from individual criminals, well-organised cybercrime gangs, and state-sponsored hackers. As the internet becomes all-pervasive and the world gets increasingly interconnected, cyberattacks are bound to create widespread impact.
Recent threats –
- The WannaCry hacking attack in May 2017 that crippled computers across 150 countries is just an example of the pervasive nature of this problem.
- Billions of dollars are being wasted in the destruction, downtime and replacement costs arising as a result of cyber insecurity.
What is cyber security?
Cyber security refers to the various technologies, processes and practices that protect networks, computers and digital data from attack. The field is dominated by those who believe that new and more complex technology will save us from all sorts of cyber attacks.
The human weaknesses –
- Various studies and analyses of cyber attacks across the world have shown that in more than 90% of the security breaches, the enabling factor has been the negligent behaviour of users.
- The spread of a malicious worm that attacked the US Central Command system started when an individual inserted an infected USB drive into a US military laptop. It took the Pentagon more than 14 months to clean things up.
- Many cybersecurity experts harbour a false belief that hackers only focus on technological vulnerabilities. However, the truth is that human behaviour is often the weakest link in the online security chain.
- Humans have a bias that gives credence to authority. So, it will be difficult for a person to ignore a phishing mail purportedly from an authority figure. Other techniques used to gain access similarly exploit our almost automatic responses to reciprocity and prior commitments. These techniques employed by cyberattackers bypass the best security walls a cybersecurity team can develop.
- The complexity of the human brain creates several impediments to initiating and maintaining cybersecurity and prevention tasks, as the brain will always try to reduce the cognitive load involved in any decision. It is for no other reason that 123456 is the most common password.
- Humans have a very poor ability to evaluate risk. Various studies have shown that humans evaluate the risk involved in a particular action not through any elaborate calculation but by how they feel about the action they are taking. So for an employee watching a movie after working long hours, the enjoyment the movie provides far outweighs the risk involved in using an insecure USB drive.
Way forward –
- Appropriate emotions about risks are generated when well-publicised news about a cyberattack is made available to everyone concerned. As long as the news of the event is available in one’s memory, everyone will get into a cautionary mode and will follow the required security measures.
- Very rarely do security experts realise that a complacent mental mode in an employee opens up far more opportunities for a cyberattack than even a significant flaw in the software of a security system.
- While billions of dollars are being spent to take care of the technical requirements of cybersecurity, comparatively little investment is made to understand and influence human behaviour around cybersecurity.
The sooner we realise that the most powerful technological solutions are no match for a cyberattacker with an excellent understanding of the workings of the human brain, the safer our cyber world will be.