Humans represent a mystery to be deciphered by security/cybersecurity experts because their behaviors, attitudes, beliefs, rituals and decisions (the general characteristics that define a culture) constitute a little-understood universe for executives and their heads of security. Frequently cited in various international research projects and reports is the fact that people are the weakest links in the security chain. Time and again, it is determined that, despite all the technical efforts and security procedures, people are highly likely to expose organizations to vulnerabilities.
source:
The Human Factor in Information Security (isaca.org)
“Chain” is defined here as the sequence of connected links that enables a system to function. Its strength is defined in terms of the connection that is least strong.
Dreyer, P.; T. Jones; K. Klima; J. Oberholtzer; A. Strong; J. Welburn; Z. Winkelman; “Estimating the Global Cost of Cyber Risk: Methodology and Examples,” Rand Corporation, 2018, https://www.rand.org/pubs/research_reports/RR2299.html
Hello,
The problem is no equal attention to Human. Most of the research is concerned about technology and less about human aspect. Once this side is well considered the missing link will be examined more. Stakeholders need to understand gaps between cybersecurity and IT. So when it comes to educating next generation we should focus on the interdisciplinary nature of cybersecurity. Stakeholder also need to learn from other industries such as aviation, chemical, and healthcare. They worked on improving human factors to mitigate disasters and errors. There is a need to consider human error in designs and during ongoing working conditions.
Often developers create devises or systems with user convenience in mind (vulnerabilities) or thinking that users are rational security actors.
Cialdini wrote in the 80s about the psychology of of persuasion and those weapons of influence are used in social engineering and other hacking techniques. They are effective against human and awareness trainings or defense methods haven't used them effectively to prevent or deter attacks...
Thanks for the discussion.
Hello,
The missing link will be: "Strengthening people’s practices and behaviors".
Strengthening people’s practices and behaviors means recognizing where vulnerabilities occur, what are the most critical attack vectors, and developing safe data management practices that connect with people’s realities and with the essence and sense of protection of an organization’s information assets.
Transforming people’s behavior toward data security depends on connecting three evolutionary cycles that make the present function in accordance with established practice; make the future an exercise in construction and collective practice that visualizes challenging, potential and plausible scenarios that prepare the organization for emerging threats and risk; and make learning (or unlearning) the very essence of the way in which reality is dismantled to disconnect what now exists to incorporate the novelty of what is coming and to reconnect the dots in ways that are completely diverse and novel.
Consequently, the human factor in security/cybersecurity must cease to be dead emotional weight that security and control executives carry but do not know what to do with, instead becoming strategic leverage in their programs for the protection of digital and informational assets that are in a constant process of development. Thus, the human factor becomes a “reliable and resistant factor” in the organization’s security/cybersecurity system, something that demands an emerging vision by security/cybersecurity professionals of themselves as new educators who, paraphrasing John Ruskin, say, “Do not teach something to someone who doesn’t know, but rather transform them into something that didn’t exist.” [https://www.goodreads.com/quotes/287586-education-does-not-mean-teaching-people-what-they-do-not]
In today's globalized and digitally connected world, cyber security has become an essential aspect of our lives. With the increasing reliance on technology, the potential for cyber attacks and data breaches has also increased, making it necessary for individuals, organizations, and governments to take steps to protect their systems and data. However, even with the best security measures in place, the human factor remains a critical vulnerability in cyber security.
One of the primary challenges with the human factor is that humans are prone to making mistakes, being complacent, and being unaware of the risks they face. Cyber criminals often exploit these weaknesses to gain unauthorized access to systems and data. For example, they may use social engineering tactics to trick users into divulging sensitive information or to install malware on their devices. In some cases, insiders may intentionally or unintentionally compromise security by, for example, sharing passwords, misusing access privileges, or failing to follow security protocols.
Another challenge is the growing complexity of technology and the lack of cybersecurity awareness among users. As technology advances and new devices, applications, and services emerge, the attack surface increases, and new vulnerabilities are exposed. Many users lack the technical expertise and knowledge necessary to protect themselves effectively, making them easy targets for cyber criminals.
To address the missing link between cyber security provision and the human factor, several steps can be taken. One approach is to improve cybersecurity awareness and education for all users. This can include providing training and resources to help individuals recognize potential threats and understand how to protect themselves and their data. Cybersecurity awareness can also be integrated into the culture of an organization, making security a shared responsibility among all employees.
- Badges
- Science topic