Why the human factor is key to cybersecurity [Q&A]
There are many things to consider when it comes to making systems secure, but one thing that is often overlooked is the human angle.
George Finney, CISO, CEO and founder of Well Aware Security, believes that cybersecurity is a people problem first and foremost -- people are the ones who write and employ processes, and people are the ones who create and use technology. No surprise, then, that people are behind some 95 percent of cybersecurity incidents.
In his new book, Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future, Finney examines the world's security challenges using lessons learned from psychology, neuroscience, history, and economics. We spoke to him to find out more.
BN: Why do people keep falling victim to phishing and other social engineering scams?
GF: The short answer is that phishing and social engineering are cheap and easy, and cybercriminals can turn them into a quick profit. Every year, we see huge increases in the amount of phishing. Since the beginning of the pandemic, phishing increased by around 600x.
You don't necessarily need a ton of skills to send a phishing message. Almost every data breach out there involves exposing email addresses, even if social security numbers aren't leaked. Hackers now have access to billions of emails, and with just a small amount of effort, they can customize phishing attacks that can bypass most protections.
BN: Is this partly down to laziness?
GF: It's actually a huge pet peeve of mine when people say that 'people are the weakest link'. It's easy to point the finger and blame lazy people, and I think we do that because the reality is really complicated. But we owe it to our communities to take the time to figure out what's really going on in order to help protect them.
The reality is that people are the biggest attack surface in our environments. Our people are the biggest target, and we're all human and we might never be perfect, but we can get better. We want to partner with our people to reduce that attack surface. And we know from research that the most successful strategy for helping people do things isn't to blame them or call them lazy when they make mistakes.
In my book, I interviewed some of the most successful leaders in cybersecurity. And the approach that works best for them is when they show their people that they believe in them, and that they can make a difference. They don't use blame or fear because it's demotivating. Calling your people lazy doesn't inspire them to prove you wrong, it makes them give up.
BN: How important is it for the industry to understand the psychology of this?
GF: I think the bad guys like social engineers and phishers understand psychology extremely well, in part because their success in their jobs requires it. I think that to be successful at protecting our users, we need to understand psychology and neuroscience even better than the bad guys in order to help empower our users to be able to protect themselves.
We say security is made up of three parts: people, processes, and technology. But people are the ones that build and configure technology. People are the ones that write and follow processes. I think we're focused on technology to solve our problems, but to get better we also need to understand and engage our humans.
In my book I talk about how we need to understand WHY people do things with psychology. We need to understand neuroscience because our brains are designed with their own biases and blind spots built into them. We need to use behavioral economics and game theory to understand how people make decisions and enable them to make better decisions. And we need to employ human learning theory to help bridge the gap to meet them where they are to ease any changes we need to make.
BN: Is better education and training surrounding the risks the answer?
GF: There's one thing that both our users and security people agree on: we're frustrated with security awareness training. Training is the biggest thing that our users complain about because they feel like it's a waste of time. Security professionals are frustrated because they feel like training doesn't work. I think they're both right.
Let's say that I bought my wife a treadmill for Mother's Day. First, she'd probably be upset because it would make her feel like I was making a comment about her weight, which would be a bad idea. Even if she did want a treadmill, it would only make the situation worse if I handed her the manual, then blamed her later for never using it. Instead, it would probably be better if I helped her carve out time by helping watch the kid while she worked out.
We know that about 50 percent of all human behaviors are based on habits. I argue in my book that to make real cybersecurity change, we need to make it a habit. So instead of just providing our users with videos or newsletters, we need to help them tailor our security training to fit into their lives the way they live them.
BN: What can organizations do to make progress in improving security habits?
GF: There have been a number of amazing books about habits recently. There's my book, of course… and if you've read it, please post a review… but I was influenced by Charles Duhigg's The Power of Habit, James Clear's Atomic Habits, and BJ Fogg's Tiny Habits. They might use different terminology, but they all agree that there is a mental habit loop that we all go through. The first step is the prompt that gets you to start the behavior, then the behavior itself, followed by a reward that releases endorphins to remind your brain later that you probably want to do that behavior again, thus creating a loop.
To be successful at any behavior change, we need to make it easy. We need to get rid of the obstacles that prevent people from doing those new behaviors. You may have heard the advice that if you want to start running, you should go to sleep in your workout clothes and have your tennis shoes right by the bed. This makes the new habit that you're trying to build easy.
This advice really works for people, it's not judgy… if you don't do it, there's no moral failing. It's just direct and specific. This is the kind of recipe for success that we should be building to help the people we work with get better.
I think there are nine different categories of cybersecurity habits. We all have our own strengths when it comes to security, and we can start by focusing on our strengths to make it easy. And rather than just overcoming our weaknesses, we can work together as a team with complementary strengths to help become secure as a community.