2022-03-22

When it comes to preserving your privacy, and maintaining the security of your devices and networks, the number one, top-line, first-defense component of that complicated and complex system is you. You are what’s called a “user.” Not that you use others selfishly without returning their courtesies and respect. A user in my sense is simply the person at the computer, or smartphone, or any of the countless connected devices that, without us users, are just pieces of hardware with untapped capabilities.
Being enveloped in technology day in and day out, one can easily be fooled into believing that those technological doodads run the whole show. We in the field, and in the so-called academy, work on and train managers of tech. We write textbooks and laws that tend to focus on leveraging the hardware and software solutions. How do I “harden” a network to thwart hackers? When and where must certain encryption standards be deployed to maintain security? Why does my firm’s database structure pose vulnerabilities? Seldom does the “who” question arise, at least until after a security incident begs the question, “Who did this?!”
I hesitate to pollute my message today by pointing to a commonplace Second Amendment argument, but I keep thinking about the correlation: It’s not computers that hack into systems and cause loss, waste, crime, and fraud. It’s the users of the computers making the things do what they do. Oftentimes, those makings were never the intended uses of the hardware or programs. Thus the label, “hacking.”
Almost weekly I attend some seminar, conference, or presentation that relates to cybersecurity. Sometimes, more than once weekly, and other times days-long events. Last week I caught myself, Positive Pete that I try to be, praising a researcher in Florida for homing in on this precise opportunity about users. His work surrounds the people, not the technologies, and seeks to learn why we’re so easily prone to activate security risks in our day-to-day operations of the machines. He’s a dedicated technologist and scholar within the cybersecurity domain. Unusually, he sees what you and I too often overlook: There’s almost no use to endeavoring to understand every one and zero that comprises the tech, which tends to facilitate extremely costly and sometimes life-endangering hacking activities, unless you also (first?) understand the user and their motivations.
That’s a challenge to techies. Generally, as the common trope goes, technologists can be less social and more simpatico with systems, processes, and other logical inputs. They/we can be more at home breaking down a server, or coding software without noticing the time pass, than trying to navigate human emotions and motivations. Yet those are imperatives if we all want to ever work securely online.
I’ll share some of the fascinating work the aforementioned tech scholar was doing along these lines. The problem he recognized and is trying to solve is one we’re each familiar with. Even if you don’t regularly jam on your workstation keyboard for school, work, or even play, you are well aware of all the havoc caused by hackers and similar internet criminals. The typical scenario is that some user at her desk at 10:15 a.m. gets an email. It appears to be “from corporate” and commands some action.
An important message from the HR Director’s desk. Make 100% certain that you received your correct Form W-2 Wage and Tax Statement by clicking the link below and scrolling for your ID#. We, again, apologize for the initially errant Forms. Before you finalize your filing action this year, and hopefully leading to your prosperous tax refund, take this vital step.
Lo! and behold, our user/sucker clicks the link hoping that she might increase her tax refund check and finally take a vacation with her family. Nothing happens. She clicks again. Same. Her next email is to HR, or maybe IT, but it’s all too late. That one misstep launched malicious software onto the company’s network. Soon, databases and information become encrypted by virtue of the malware. Next, a new message is received by the Chief Technology Officer with instructions to pay a ransom lest the firm never again gain access to its information.
This happens, like, thousands of times every day. Maybe more. It’s hard to get reliable information because unless compelled by law most companies would rather not advertise their vulnerabilities, missteps, and states of frenzy in the wake of this mess.
The researcher in Florida wants to learn why she clicked on the link. The premise is that any well-trained user knows better. It’s no different than if someone knocks on your door at 2:00 a.m., you look through the peephole and see a masked person in all black. You wouldn’t click on that link, so to speak.
In a Walmart parking lot our scholar set up his RV with a makeshift office area, and filled it with computers and light medical gear such as a brain scanner and triage measuring devices. One by one, after approaching users, gaining their trust, and imposing on their time, he set off on his experiment. Subjects took their seat, donned the wired-up headgear, and began a 20-minute test. They responded to screen images, to a special vibrating mouse, and to his questions. He learned, in a nutshell, that habituation was the prime suspect. When our brain receives repeated stimuli, e.g., years of hacking scares and training, emotional responses to malicious links diminish.
We users are not only the biggest problem for information security and privacy. We’re also capable of learning to be better at it by acknowledging and dismissing the throes of habituation. Educating users effectively requires mixing up the playbook, in a sense. His broader point is that attention should focus more on the users. We can’t ignore the tech, but without greater emphasis on the “who” questions, the why, when, and how questions are never going to yield satisfactory answers.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.