Oct 25, 2024 12:00:00

The biggest vulnerability in cybersecurity is 'humans' - what are the three strategies to prevent human error?

Malicious hackers are not only targeting vulnerabilities in PCs and systems, but also

social engineering that exploits human mental gaps and human error is also a major security threat, and one survey found that 68% of data breaches were caused by human error. An expert on authentication technology explained how to address the problem that human presence is the biggest weakness in cybersecurity.

Human error is the weakest link in the cyber security chain. Here are 3 ways to fix it
https://theconversation.com/human-error-is-the-weakest-link-in-the-cyber-security-chain-here-are-3-ways-to-fix-it-241459

◆Understanding the essence of human error
According to Jongkil Jay Jeong, a senior research fellow at the School of Computing and Information Systems at the University of Melbourne in Australia, in the field of cybersecurity, human error can be broadly divided into two categories.

The first is 'skill-based errors,' which are most likely to occur during everyday tasks, especially when we are distracted.

For example, let's say someone forgets to back up their work PC. That person knows how to back up and that it's necessary, but they have to get home early and have a mountain of emails waiting for them to reply, so they don't think about backing up.

If a cyber attack were to occur at this time, there would be no way to recover the data. Therefore, if the data is held hostage by ransomware or other means, the hacker would be able to blackmail you. This is a skill-based error.

The second type is “knowledge-based errors,” which are cybersecurity mistakes that occur due to inexperience, lack of critical knowledge, or failure to follow certain rules.

For example, if you carelessly click on an email from an unknown contact, you risk letting malware into your system and hacking it, potentially stealing your money or data. This is a knowledge-based error.

Why are traditional approaches insufficient?
To prevent such human error, governments and various organizations have invested heavily in security education, but it has not always been effective, one of the reasons for this, Jeong points out, is that they have taken a 'technology-centric, one-size-fits-all approach.'

Many traditional educational programs have often relied on technological aspects such as improved password management and multi-factor authentication, which has often overlooked issues rooted in human psychology and behavioral principles.

Jeong cites the 'Slip, Slop, Slap' sun protection campaign launched in Australia and New Zealand as an example of a major change achieved by changing behavior without relying on technology. In the 40 years since the launch of this simple campaign, which called for people to wear long-sleeved shirts or rash guards (Slip), apply sunscreen (Slop), and wear a hat (Slap), the incidence of melanoma in both countries has dropped significantly.

'The principle that changing human behavior requires sustained investment in raising awareness also applies to cybersecurity education,' said Jeong. 'Just because people know best practices doesn't mean they will be implemented, especially when they are under priority or time pressure.'

The Australian government is also unveiling a comprehensive cybersecurity bill in October 2024 that will strengthen information sharing between companies and government agencies and set security standards for smart devices, but this bill also focuses on technical and procedural aspects.

Meanwhile, the United States is turning to a human-centered approach, and the Federal Cybersecurity Research and Development Strategic Plan launched by the National Science and Technology Council (NSTC) in December 2023 (PDF file) states, 'We must place greater emphasis on human-centered approaches that prioritize the needs, motivations, behaviors, and capabilities of people in determining the design, operation, and security of information technology systems.'

Three rules for human-centric cybersecurity
When asked how to adopt a human-centric approach to address the issue of human error in cybersecurity, Jeong offered three strategies based on current findings:

1. Minimize cognitive load
Cybersecurity should be designed to be as intuitive and easy to implement as possible, and training programs should focus on simplifying complex concepts to help people seamlessly incorporate security practices into their daily workflow.

2. Cultivate a positive attitude towards cybersecurity
Instead of scare tactics, security education should emphasize the positive outcomes of implementing good cybersecurity practices, which will motivate people to reassess their cybersecurity behavior.

3. Take a long-term view
Changing behaviors and attitudes is not a one-off event but an ongoing process, as cybersecurity education is a continuous process that requires regular updates to combat evolving threats.

'The bottom line is that building a truly secure digital environment requires a holistic approach,' said Jeong. ' Robust technology and sound policies are important, but most importantly, a well-educated, security-aware workforce. With a deeper understanding of why human error occurs, we can design more effective training programs and security plans that work in line with human nature.'