The human element of cybersecurity

If humans aren’t included in the design process of new technologies and we don’t train analysts to work together, why are we still blaming humans for our cybersecurity woes?

Ng Han Guan
In this Aug. 16, 2016 file photo, a worker is silhouetted against a computer display showing a live visualization of the online phishing and fraudulent phone calls across China during the 4th China Internet Security Conference (ISC) in Beijing. Chinese electronics maker Hangzhou Xiongmai Technology has issued a recall on Monday, Oct. 24, 2016, for millions of products sold in the U.S. following a devastating cyberattack, but has lashed out at critics who say its devices were at fault.

If you’re inclined to think of cybersecurity as lending itself to clean, elegant, better-than-human, extremely secure solutions, you probably don’t work in the field.

But one bias held by many in information security is that much of the mess exists because humans – not hackers, shoddy software or poorly built devices – are the source of the vast majority of our digital vulnerabilities. Why expend the time and energy to hack into a heavily guarded system, security experts might opine, if you can simply trick a user into clicking a link laden with malware?

If businesses didn’t have to deal with the “end user” (that is, you and I), this reasoning goes, all our problems would be solved.

This represents a quiet bias against users in nearly every conversation about cybersecurity. Unfortunately, this bias means that humans have become an afterthought in the design of our technology. Unraveling this is part of what makes cybersecurity a “wicked problem,” or a problem that resists resolution and can’t be solved without a multi-disciplinary approach.

Just because a problem resists resolution doesn’t mean that it can’t be broken down into smaller parts in order to make progress on the whole.

That’s where the work of Nancy Cooke, a professor of human systems engineering at Arizona State University, comes in. By remembering people in the design of our technology and by training cybersecurity analysts to work together, we can put people back into our digital security tools and make the world safer.

The ghost in the machine

As we develop new technology, we often begin with a novel technological approach instead of a focus on who is supposed to be using our new tool.

“It’s a mess of technology that’s out there with good intentions, but doesn’t work well with humans,” says Dr. Cooke.

Cooke advocates that developers include users in the planning stages as they design and build new security technologies.

Her colleague, Jamie Winterton, director of strategy at ASU’s Global Strategy Initiative, concurs.

At first, engineers think “‘This would be a really great technological solution to this problem’ and then rush forward and build it. Then we say, ‘Now, how do we make it secure?’ But it’s a lot harder to secure something after you’ve already built it than if you start to think about security and the way that real people are going to use the technology in the design process,” says Ms. Winterton.

The human element that does seep into our current development process? Implicit biases. Machine-learning algorithms, for example, can reflect the biases of the engineers who write them or biases within the training data fed to them.

“We like to romanticize this idea of machines being pure and perfect, but we are in the machines because we made them,” says Winterton.

Lone wolves need packs

In defending against digital threats, too, thinking about how to make technology and humans work well together would serve an immense good. Many cyber analysts work alone and are not incentivized to work in teams, says Cooke. This can be a weakness because lone wolves can’t do nearly as well in addressing complex problems as a team with varied backgrounds, according to Cooke’s research.

And even when there are teams, like in the capture-the-flag competitions which have become popular with public and private cybersecurity recruiters, Cooke says that the work that students and competitors do in these competitions is closer to individual work than it is to teamwork.

The distinction is that sitting close to coworkers does not mean the members communicate, while a team will approach a problem more deliberately, assigning tasks based on individual strengths and clearly defining roles in order to collaborate more effectively.

“It’s a much tighter kind of collaboration,” says Cooke. “You can put people together and you will get a group, but it doesn’t necessarily make them a good team.”

Some of the “lone wolf” mentality in cybersecurity is cultural: the mythos of the individual who can hack through difficult challenges alone is the stuff of hacker lore. Some of it is self-selection: the kinds of people that enjoy long hours coding tend to be less team-oriented, Cooke said.

Moving forward

Cybersecurity itself is a thorny, knotted issue, but both Cooke and Winterton say including the end user in the design process from the beginning is one important way to tighten or eradicate flaws that appear when a device or software is put into the hands of a user. Other solutions include incentivizing collaboration and better training for analysts.

“Broad groups of stakeholders should be engaged to make sure systems are secure, fair, and as useful as they can be,” says Winterton.

Incorporating the human element will reduce the risk inherent in cybersecurity systems and build a stronger framework for the development of new technology in the future.
