Human Factor Is Real Cyber Factor
The Russians played on the very emotions that protect us and manipulated people’s personal radar. They figured out how to get our guards down. It was accomplished by appealing to those inner beliefs we have that “others” are getting what we should have or are taking from us. With the assistance of Facebook, Google and similar social media outlets, people were nudged to let their “hair down.” Being American took a backseat to “Making America Great Again.”
The government struggles to protect us because “we,” the most important factor in planning, is often left out. As such, there is a human condition which is unaccounted for in the government’s risk assessment. For example, kind people will perform acts of kindness regardless of their knowledge of danger and risks associated with the act.
It has been repeatedly reported that security failures for all businesses are typically tied to human fault or failure. Sometimes the issues relate to poor analysis and at other times to a failure to use best practice. Dr. Calvin Nobles, a human factors expert, reminds us that human factors remain unexplored and underappreciated in information security. He believes a strong workforce and an understanding of how those people may respond in specific situations are a requirement. Dr. Nobles is correct in his assessment. Most successful cyberattacks, data breaches, and ransomware attacks are a result of human-enabled errors. This is evidence that greater effort to educate people and analyze human response is a prudent approach to reducing the cyber assault.
The “threat” is not real for most Americans. Statistics tell an interesting story of how a lack of cyber threat awareness makes Americans comfortable relinquishing the rights to personal information. In a late 2018 Center for Data Innovation study, 58% of U.S. residents surveyed said they did not mind third parties collecting sensitive information about them. In this study, respondents were asked about “tradeoffs” to gain new convenience. The majority were willing to give up data like location, biometrics, and daily activities if it improved potential services to them.
This may be a key indicator of why most people are reluctant to take actions that protect their identifying information. And if they don’t protect their own data, how likely is it that they will take extra steps to protect corporate or government data?
So, if we throw a malware-filled thumb drive over the fence of a business, it may sit on the ground for a while. However, eventually a kind person will stumble upon it and pick it up. That person may have taken a cyber awareness course that specifically warns against putting unknown drives into the computer. However, they will place the drive in their computer anyway.
Studies have shown that people insert the drive into the computer even when they have been trained not to do it, because they want to return it to the rightful owner. It is in our nature to try to help others. This is sometimes done to our own detriment. Kind people are as great a threat to true cybersecurity as the hacker with malicious intent. Why? Because these kind people typically have trusted access to systems and their good nature can be socially engineered.
There are several potential reasons for people choosing convenience over security. The most obvious is education about consequences. Those who do realize the extent of potential outcomes aren’t moved to act. Their lucid approach to a subject, in this case cybersecurity, may lower their guard. The thought of using good cyber hygiene as a risk-reducing approach may seem like a waste of time.
An effective cyber awareness program run by the government and local businesses in partnership could help change these statistics and the general cybersecurity apathy. However, even legitimate businesses benefit from the collection of personal data, and the government receives a part of the profit in the form of taxes. So, there is a real societal conflict. The “quid-pro-quo” business-government agreement ensures that true awareness and a strong regulatory push will not occur anytime soon.
By exciting citizens to be wary of personal data collection, a successful campaign might just cause a privacy revolution. This self-sufficient response may stifle many profitable business practices.
In some cases, businesses need to be checked and regulated for us to move forward as a free society. They don’t see your risk as their risk. In other cases, we need a set of standards that define each person’s digital responsibilities to society and to each other.