Single Most Important Cybersecurity Vulnerability Facing IT Managers Today: Humans

“The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption, and secure access devices and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.” – Kevin Mitnick

Human Element

Companies spend a lot of money on perimeter security, firewalls, authentication programs and on other means to protect information security but one thing that is often overlooked or not fully understood is the human dimension. They can have the best protection for the network but it is all for nothing if the employees do not buy into your security rules. People are sometimes too trusting, over-confident, complacent, or even dismissive of various security requirements.

End-user education sometimes fails to make security better. It is important to change that paradigm. The need to educate employees about the value of good security practices is very important as the human element is the largest security risk in any organization. In fact, most security incidents are a result of human error, ignorance and not malicious intent. A good, effective security training program may reduce the incidents substantially.

Many times in a down economy, employees may feel the constant pressure to improve customer service and therefore may cut corners. Social engineering can deceive and manipulate an employee into giving up valuable information all in the name of making customer helpfulness the number one priority.

Being too helpful and trusting can cost companies dearly. The credibility of an organization is at stake. If you do not have a basic level of confidentiality of data, availability of resources, and integrity for your IT services, then why should anyone trust you? A tarnished reputation is very hard to turn around.

People and organizations view themselves unrealistically when it comes to security. The perception is that hacking attacks, viruses, malware and phishing will happen to someone else and there is no real reason to worry.  However, that is far from being the case.

Human Threat to Cybersecurity

A theory called risk homeostasis, when applied to security, suggests that when users increase their security, they take greater risks. This is akin to a bicyclist who, now that he wears a helmet, attempts tricks he would not try without one. The helmet increases the feeling of security.

Likewise, Mac users believe that the operating system will protect them from viruses. While that is usually the case, it is not a completely accurate assumption. Whether or not the Mac user has an antivirus application installed, they may open a phishing email or visit risky sites without realizing that they may be exposing themselves to malware. It may not affect their own machine, but it could affect the network they are connected to if there happen to be Windows computers on it. They stand the chance of spreading an infection to other users.

Some computer users believe that safety is an abstract concept. If they have not had a virus attack in many years, they begin to ask why there should be an antivirus application on the computer at all, since it seems to slow it down. The absence of any virus incident increases confidence and the belief that there is no chance of it ever happening to that user.

Users might find themselves on a website with information that they need. They may never have been on the site before, but they are weighing the consequences of clicking on various links that may also lead to the information they are looking for. The links look like tiny URLs (a shortened uniform resource locator, or website address). Many people create tiny URLs to share website addresses easily, as this is much more convenient than using the actual address. The big problem is that services like “tinyurl” make it hard to figure out exactly where one is going. A short link could easily redirect the user to a site with a virus on it. For the user, the information on that website may be so relevant that it seems worth the risk. The reward of reaching the primary goal, getting that information, makes the risk acceptable. If nothing happens, the user is rewarded with the information and the satisfaction that the decision was a good one. But if the site is harboring a virus, the consequence could include downtime and lost time resolving various computer problems. For some, the risk is worth it because the information is needed.
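One way to take the guesswork out of a shortened link is to expand it by following only the redirect headers, never fetching a page body, and to flag where it actually lands. The script below is an added example and is not part of the original article; the redirect table is constructed so the code runs offline and stands in for real HEAD requests made with redirects disabled.

```python
"""Expand a shortened URL by following only its redirect headers.

Added example, not from the original article. FAKE_HEADS is a constructed
in-memory table standing in for HEAD requests (issued with redirects
disabled) so that the code runs offline; a real deployment would pass a
`head` function that performs the request and returns (status, Location).
"""
from urllib.parse import urlparse

# Constructed redirect table: URL -> (HTTP status, Location header or None)
FAKE_HEADS = {
    "https://tinyurl.com/abc123": (301, "https://short.example/x"),
    "https://short.example/x": (302, "https://downloads.example.net/setup.exe"),
    "https://downloads.example.net/setup.exe": (200, None),
    "https://tinyurl.com/plain": (301, "http://news.example/story"),
    "http://news.example/story": (200, None),
    "https://short.example/loop": (302, "https://short.example/loop"),
}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)
RISKY_SUFFIXES = (".exe", ".msi", ".scr", ".js")


def fake_head(url):
    """Stand-in for a HEAD request that does not follow redirects."""
    return FAKE_HEADS.get(url, (404, None))


def expand_url(url, head=fake_head, max_hops=5):
    """Return (final_url, chain, verdict); gives up after max_hops redirects."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            break                      # reached a non-redirect response
        if location in seen:
            return chain[-1], chain, "redirect loop"
        seen.add(location)
        chain.append(location)
    else:
        return chain[-1], chain, "too many redirects"
    final = urlparse(chain[-1])
    if final.path.lower().endswith(RISKY_SUFFIXES):
        return chain[-1], chain, "final target is an executable download"
    if final.scheme != "https":
        return chain[-1], chain, "final target is not HTTPS"
    return chain[-1], chain, "ok"


if __name__ == "__main__":
    for link in ("https://tinyurl.com/abc123", "https://short.example/loop"):
        final, chain, verdict = expand_url(link)
        print(verdict, "->", " -> ".join(chain))
```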

The premise of technology threat avoidance theory (TTAT) is that when users perceive a threat, they are motivated to actively avoid it by taking precautionary measures, provided the threat is perceived to be avoidable. People tend to avoid threats. Coping occurs when users try to come up with solutions to the threat. If those coping efforts cannot avoid the threat, then emotional coping takes over: rational ways of avoiding the threat give way to hoping that the perceived threat does not happen, or to accepting that they will be affected no matter what. Risk tolerance is also a part of this and is influenced by the social environment. What other people are doing in that environment influences the kind of risk individuals are willing to accept.

People tend to do the minimum when it comes to cybersecurity if they feel that they can avoid threats. Passwords are an important part of everyday computing. Users are bombarded with information, at work and at home, about the type of password they should use. Sometimes the information is conflicting. Some say to use a phrase such as Iluvmyw1fe!,avc since it is personal, easy to remember and a strong password. Other times, companies have password requirements demanding a minimum of 8 characters with an uppercase letter, lowercase letters, numbers and various other characters such as an exclamation point or dollar sign. Many websites also have their own password requirements. With so many passwords to remember, people try to use the same username and password for their work and home environments, putting everything at risk in cyberspace.
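The corporate composition rule just described (at least 8 characters with an uppercase letter, lowercase letters, a digit and a symbol) can be expressed as a checker that reports every rule a candidate misses, which is far more useful to a user than a bare "password rejected". This is an added example, not code from the original article; the banned-password list is constructed for illustration.

```python
"""Check a candidate password against the composition rule quoted in the
article and list every rule it fails.

Added example, not from the original article. The thresholds are the ones
the article quotes; BANNED is a constructed stand-in for a corporate list of
commonly used passwords that a policy should also reject.
"""
import string

# Constructed denylist of well-known weak passwords (compared case-insensitively)
BANNED = {"password", "welcome1", "letmein"}


def check_password(candidate, min_length=8, banned=BANNED):
    """Return the list of unmet rules; an empty list means the password passes."""
    failures = []
    if len(candidate) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in candidate):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        failures.append("no symbol such as ! or $")
    if candidate.lower() in banned:
        failures.append("on the banned-password list")
    return failures


if __name__ == "__main__":
    # The article's suggested phrase passes; two typical choices do not.
    for pw in ("Iluvmyw1fe!,avc", "summer15", "Welcome1"):
        print(repr(pw), "->", check_password(pw) or "passes")
```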

The best passwords are unique, used for only one system, and cannot be guessed by anyone, including your spouse. This, though, poses enormous challenges when it comes to remembering the password. Many people write the password on a piece of paper, sometimes keeping it on the desk or in a locked cabinet. Others keep that information on an unencrypted hard drive. None of these solutions is ideal, as anything written down has the potential of being found.

When faced with mandatory password changes, people tend to wait until the last minute. The request to change it is perceived as an unnecessary interruption. People know that a password breach can have severe consequences, but that knowledge does not change their attitude toward the security implementation. The threat is not seen and does not appear to be imminent.

Failing to remember the password may mean having to answer questions, either on a website or over the phone, to recover it. The security questions and answers must be something that only the user knows and that cannot be easily guessed, so that a potential attacker is thwarted.

Another issue with passwords that is sometimes overlooked is software programs and network devices that ship with default usernames and passwords. They can create a backdoor into a network. People need to remember to change the defaults. Microsoft Windows Server 2003 and Windows XP used Administrator as the default user account name. This made it easier for hackers, as they only had to guess the password. Windows Server 2008 and Windows 7 did away with the default administrator account: it is disabled, and the use of a unique name for the administrator account is encouraged. Network devices such as routers have default usernames and passwords as well. These can easily be found on the Internet; a site called routerpasswords.com lists the default username and password for many devices. They are so easy to find that it is foolish to leave it to chance that someone will break in.

Sometimes guessing usernames and passwords is too hard, so an inside man is needed to gather intelligence. Corporate espionage conducted from within a company is very effective, as it can bypass most security precautions. In a famous case that changed US law, Ellery Systems unknowingly employed a Chinese citizen with ties to Chinese intelligence. Ellery Systems was funded early on by the Department of Defense. It created the largest data system on the Internet at that time, and it owned the rights and source code for the program that compressed data and transmitted it. The Chinese citizen employed by Ellery Systems (in Denver) downloaded the software source code to another company in Denver with Chinese connections. The theft forced the company out of business, and the United States lost a competitive advantage.

Threat Mitigation

Since the dawn of personal computing, or indeed since the beginnings of cryptography many centuries ago, people have been told to safeguard their information. They are still being told that, and it has not defeated hackers and malware yet. What needs to be done to improve end-user education? What can be done to make things simpler for people while still providing the best security? How can users come to feel that good security practices are really in their best interests?

At the NIH (National Institutes of Health), before new government employees and contractors receive their account information, they are required to take two mandatory training courses: a Privacy Awareness Course and the 2012 NIH Information Security Awareness Course (the security course is updated often and has to be taken annually as well). Even though security is front and center at the very beginning of employment, the whole process seems like total drudgery. People click the Next button again and again, barely paying attention to the important information. The most important thing for the user is to get through it and obtain their account information.

The curriculum of the course could be shorter, with relevant information on the latest attacks and how to protect yourself and the computing environment. Many organizations have very long training programs of two or more hours. A short presentation of up to one hour with relevant material is most helpful to the end user. As an example, one of the simplest and most prevalent attacks is a fake warning message claiming that Trojans are on the computer. The fake antivirus warning appears, users click on it because they do not want to get infected, and as a result they do get infected. It would benefit users to be shown what the real antivirus program looks like and what type of messages it would generate if they were to become infected. Another thing that would benefit users in a security course is to show the various websites they may need in their daily work and how to avoid clicking on fake versions of those sites. In addition, showing examples of actual phishing emails lets users know what to look for.

After the course is over, talking about it with other users is a very important component, as it draws on social psychology and the group pressure to conform. A small token or reward for further reinforcement is also helpful. At the same time, a mention that failure to follow procedures could mean revoking a user’s IT privileges is appropriate.

Besides creating a good security training course, making things less complicated for end users while at the same time increasing security for the organization is a worthy goal. Security messages and alerts often resemble other message dialog boxes. When users see a lot of dialog boxes, they stop reading them because they all look the same. Changing the look of the security dialog boxes so that they stand out is very important. This gets the attention of the user, who then has a chance to evaluate their decision.

Another way to reduce complexity and make computing easier in a networked environment is to change the way passwords are handled. There are so many passwords to remember that it is easy to forget them, and writing them down is very tempting. One way to eliminate the need to remember passwords is to use a smart card. Smart cards use two-factor authentication: two items are needed for a successful login, something physical that the user has and something non-physical that the user knows. This creates a more secure login environment.

At the NIH, for instance, the smart card is a combination of a picture ID and a storage container for the user’s credentials. The user places the smart card into the smart card reader. The reader reads the credential and pops up a dialog box for the user to enter a PIN. The PIN has to be between five and eight digits long. If successful, the user can log on to the desktop.

If the end user forgets the PIN, it is easy to verify the identity of the user. The user has to bring the smart card to a station where a person verifies the identity of the card holder, and the PIN is then reset.

Smart cards also use digital certificates. The digital certificates are stored on the card and on the user’s computer. The certificates have expiration dates and must be renewed almost every year.

Smart cards can also be used to send secure email. Using Microsoft Outlook, the user can send or receive digitally signed or encrypted email messages by first publishing their digital certificates to the Global Address List (GAL). If both the sender and receiver have published their digital certificates to the GAL, then both can read the encrypted email, and nobody else who intercepts the email will be able to read its contents.

Smart card two-factor authentication has made the computing environment more secure and easier for the user, but that is just one part of the equation. Software has to be made more user friendly. Leveraging the behavioral sciences when creating security technology can improve design and therefore make security enforcement a partnership between the designer and the end user. Users need to know that they can trust the product and that security will be maintained while they get their work done. End users and designers need to come together during requirements gathering so that the design meets the expectations of all stakeholders. End users do not care as much about security as they do about completing tasks with the software. By working together, end users will find that they have a stake in the successful use of the product and that complying with the agreed-upon security measures is of great importance.

If end users are part of the solution, then security will improve. Users need simple, direct information about their computing environment in order to make responsible decisions. A top-down approach should be avoided, or there is a risk of users looking for workarounds, thereby jeopardizing cybersecurity.

References are available upon request.

© 2015 Michael Carr
