Could you be responsible for the next data breach within your organization? Chances are you could be, as statistics continue to highlight the user as the weakest link in cybersecurity. When all it takes is one careless individual, one line of corrupted software code, or one contaminated platform to wreak havoc within the cyber domain, your odds of a breach rise exponentially.
Today, the cybersecurity industry is mainly focused on the use of technology to thwart cyberattacks. In fact, according to Gartner, “worldwide cybersecurity spending will climb to $96 billion in 2018.” Despite this herculean investment, we are still falling behind in the game of cyber cat and mouse.
In 1998, former CIA director George Tenet warned, “We are staking our future on a resource we have not yet learned to protect.” This statement is truer today than it was 20 years ago. If technology alone isn’t the answer, then what are we missing?
Human Behavior and Cybersecurity
In an ideal world, we could completely remove the user from the cybersecurity equation. Imagine a world of hands-free protection across the entire cyber ecosystem, removing the risk of human error at all stages – from the software developer, supplier, system administrator, and end-user. Unfortunately, that ideal world doesn’t exist, and there are no simple solutions to the complex and growing problem of data breaches caused by human error.
I have always been intrigued with the human mind and why people behave as they do, especially in the area of security and human-computer interaction. A user base with good cybersecurity behavior could help alleviate the day-to-day issues plaguing the hyper-connected world we live in.
How can we change human behavior so users better understand the risk of online threats, taking the game of chance out of making the right or wrong choice in cyberspace? One potential solution would be to focus on cognitive ergonomics, more commonly known as human factors, when we design security solutions.
Human factors allow us to look at how information in cyberspace is presented and consumed by the user, and what we can do differently to improve the outcomes of the decision-making process. Since information and decision-making are inextricably linked, information needs to be presented in a way that is understandable, concise, and instills action.
Take the case of system warning pop-ups. Most are boring and difficult to understand. They tend to be too technical in nature, lack brevity, and are filled with legal gobbledygook. Most users do not have the technical knowledge to understand what these warnings mean, so they click right through them.
Implementing a tiered security behavior model would slow down the decision process so individuals are given the space to make better informed decisions. By maximizing participant involvement through interactive and engaging security controls, user learning and retention would increase as the user steps through potential risks and is guided toward positive, rational decisions. Examples include pairing a user acknowledgement with a specific action, such as answering a question, listening to a short audio clip, or watching a video related to the warning display, cautionary banner, or security notice.
“The act of participation deepens engagement, enhances learning, and accelerates behavior change.”
Combining interactive techniques (animation, graphics, audio, short videos, scrolling text) with easy-to-understand language and eye-catching contextual design improves the user’s ability to make sound decisions.
“Aesthetic designs tend to generate the positive affect, which results in the user’s ability of creative thinking and problem solving when they’re interacting with those designs.”
Since familiarity breeds complacency, warning banners should be changed frequently in their design, verbiage, and user actions to be performed.
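As an added illustration of the tiered model described above and of rotating warning wording (this is example code written for this page, not something from the article or from Telos), the following sketches a warning flow that cannot be clicked straight through: the user must acknowledge the text, answer a comprehension question tied to that text, and only then decide. The warning variants, their questions, and the accepted answers are constructed for the example.

```javascript
// Constructed sample warnings; each pairs plain-language text with a comprehension check.
const WARNING_VARIANTS = [
  { id: "ext-file", text: "This attachment came from outside your organization and can run programs on your computer.",
    question: "Where did this attachment come from?", answers: ["outside", "external"] },
  { id: "untrusted-cert", text: "This site's certificate is not trusted. Anything you type here could be read by someone else.",
    question: "Who could read what you type on this site?", answers: ["someone else", "anyone", "others"] },
  { id: "macro", text: "This document asks to run macros. Macros can change files and settings without asking again.",
    question: "What can macros change?", answers: ["files", "settings"] },
];

// Rotate wording: show the variant this user has seen least often, so no single banner becomes familiar.
function pickVariant(variants, shownCounts) {
  return variants.reduce((best, v) =>
    (shownCounts[v.id] || 0) < (shownCounts[best.id] || 0) ? v : best);
}

// Tiered flow: read -> question -> decide -> done, or blocked after repeated wrong answers.
class TieredWarning {
  constructor(variant, maxAttempts = 2) {
    this.variant = variant;
    this.maxAttempts = maxAttempts;
    this.attempts = 0;
    this.stage = "read";
  }
  acknowledge() {                 // user confirms having read the warning text
    if (this.stage === "read") this.stage = "question";
    return this.stage;
  }
  answer(text) {                  // comprehension check specific to the warning shown
    if (this.stage !== "question") return this.stage;
    const t = text.trim().toLowerCase();
    if (this.variant.answers.some(a => t.includes(a))) this.stage = "decide";
    else if (++this.attempts >= this.maxAttempts) this.stage = "blocked";
    return this.stage;
  }
  decide(proceed) {               // the actual choice is only reachable after the question is answered
    if (this.stage !== "decide") return { allowed: false, stage: this.stage };
    this.stage = "done";
    return { allowed: proceed, stage: "done", variant: this.variant.id, attempts: this.attempts };
  }
}
```

Calling `decide()` before the earlier stages are completed is refused, which is the property that distinguishes this flow from a dismissable pop-up.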
As society becomes more connected and more dependent on 1’s and 0’s to handle everyday life, adding a focus on the human element of cybersecurity to today’s technology arsenal may help quell the problem at hand. We must also remember that users need space and time to make informed cybersecurity decisions. After all, when it comes to cybersecurity, slow and deliberate is better than fast and unwitting.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.