Article by Steve Durbin, Managing Director of Information Security Forum
Humans are often referred to as the “weakest link” in information security. However, organisations have historically relied on the effectiveness of technical security controls, instead of trying to understand why people are susceptible to mistakes and manipulation. A new approach is clearly required: one that helps organisations to understand and manage psychological vulnerabilities and adopts technology and controls that are designed with human behaviour in mind.
Human-centred security: a new approach
Human-centred security starts with understanding humans and their interaction with technologies, controls and data. By discovering how and when humans “touch” data throughout the working day, organisations can uncover the circumstances where psychological-related errors may lead to security incidents.
For years, attackers have been using methods of psychological manipulation to coerce humans into making errors. Attack techniques have evolved in the digital age, increasing in sophistication, speed, and scale. Understanding what triggers human error will help organisations make a change in their approach to information security.
Identifying human vulnerabilities
Human-centred security acknowledges that employees interact with technology, controls and data across a series of touchpoints throughout any given day. These touchpoints can be digital, physical or verbal. During such interactions, humans will need to make decisions. However, humans have a range of vulnerabilities that can lead to errors in decision-making, resulting in negative impacts on the organisation, such as sending an email containing sensitive data externally, letting a tailgater into a building or discussing a company acquisition on a train. These errors can also be exploited by opportunistic attackers for malicious purposes.
In some cases, organisations can put preventative controls in place to mitigate errors being made, for example by preventing employees from sending emails externally, applying strong encryption to laptops or installing physical barriers. But errors can still get through, particularly if individuals decide to subvert or ignore these types of controls to complete work tasks more efficiently or when time is constrained. Errors may also manifest during times of heightened pressure or stress.
By identifying the fundamental vulnerabilities in humans, understanding how psychology works and what triggers risky behaviour, organisations can begin to understand why their employees might make errors and begin managing that risk more effectively.
Exploiting human vulnerabilities
Psychological vulnerabilities present attackers with opportunities to influence and exploit humans for their own advantage. The methods of psychological manipulation used by attackers have not changed since humans entered the digital era, but attack techniques are more sophisticated, cost-effective and expansive, allowing attackers to effectively target individuals or to attack at considerable scale.
Attackers use the ever-increasing volume of freely available information from online and social media sources to establish believable personas and back-stories in order to build trust and rapport with their targets. This information is carefully used to heighten pressure on the target, which then triggers a heuristic decision-making response. Attack techniques are used to force the target to use a particular cognitive bias, resulting in predictable errors. Attackers can then exploit these errors.
There are several psychological methods that can be used to manipulate human behaviour; one such method that attackers can use to influence cognitive biases is social power.
There are many attack techniques that use the method of social power to exploit human vulnerabilities. Attack techniques can be highly targeted or conducted at scale, but they typically contain triggers which are designed to evoke a specific cognitive bias, resulting in a predictable error. While untargeted, “spray and pray” attacks rely on a small percentage of the recipients clicking on malicious links, more sophisticated social engineering attacks are becoming prevalent and successful. Attackers have realised that it is far easier to target humans than to attack technical infrastructure.
The way in which an attack technique uses social power to trigger cognitive biases will differ between scenarios. In some cases, a single email may be enough to trigger one or more cognitive biases, resulting in the desired outcome. In others, the attacker may gradually manipulate the target over a period of time using multiple techniques. What is consistent is that the attacks are carefully constructed and sophisticated. By knowing how attackers use psychological methods, such as social power, to trigger cognitive biases and force errors, organisations can deconstruct and analyse real-world incidents to identify their root causes and therefore invest in the most effective mitigation.
For information security programs to become more human-centred, organisations must become aware of cognitive biases and their influence on decision-making. They should acknowledge that cognitive biases can arise under normal working conditions, but also that attackers will use carefully crafted techniques to manipulate them for their own benefit. Organisations can then begin to readdress information security programs to improve the management of human vulnerabilities and to protect their employees from a range of coercive and manipulative attacks.
Managing human vulnerabilities
Human vulnerabilities can lead to errors that can significantly impact an organisation’s reputation or even put lives at risk. Organisations can strengthen information security programs in order to mitigate the risk of human vulnerabilities by adopting a more human-centric approach to security awareness, designing controls and technology to account for human behaviour, and enhancing the working environment to reduce the impact of pressure or stress on the workforce.
Reviewing the current security culture and perception of information security should give an organisation a strong indication of which cognitive biases are impacting the organisation. Increasing awareness of human vulnerabilities and the techniques attackers use to exploit them, then tailoring more human-centred security awareness training to account for different user groups should be fundamental elements of enhancing any information security program.
Organisations with successful human-centred security programs often have significant overlap between information security and human resource functions. The promotion of a strong mentoring network between senior and junior employees, coupled with the improvement of the structure of working days and the work environment, should help to reduce unnecessary stress that leads to the triggering of cognitive biases affecting decision-making.
Develop meaningful relationships between a mentor and mentee to create an equilibrium of knowledge and understanding. Create a working environment and work-life balance that reduces stress, exhaustion, burnout and poor time management, all of which significantly increase the likelihood of errors being made. Finally, consider how the improvement or enhancement of workspaces and environments can reduce stress or pressure on the workforce. Consider what is the most appropriate work environment for the workforce, as there may be varying options, e.g. working from home, remote working, or modernising office spaces, factories or outdoor locations.
Making your weakest link your strongest asset
Underlying psychological vulnerabilities mean that humans are prone both to making errors and to manipulative and coercive attacks. Errors and manipulation now account for the majority of security incidents, so the risk is profound. By helping staff understand how these vulnerabilities can lead to poor decision-making and errors, organisations can manage the risk of the accidental insider. To make this happen, a fresh approach to information security is required.
A human-centred approach to security can help organisations significantly reduce the influence of cognitive biases that cause errors. By discovering the cognitive biases, behavioural triggers and attack techniques that are most common, tailored psychological training can be introduced into an organisation’s awareness campaigns. Technology, controls and data can be calibrated to account for human behaviour, while enhancement of the working environment can reduce stress and pressure.
Once information security is understood through the lens of psychology, organisations will be better prepared to manage and mitigate the risks posed by human vulnerabilities. Human-centred security will help organisations transform their weakest link into their strongest asset.