Page 1: In defence of the human factor

IN DEFENCE OF THE HUMAN FACTOR

Dr Ciarán Mc Mahon

Tivi Digital & Cyber Security, Scandic Park, Helsinki, 24.11.2016

Page 2: In defence of the human factor

Introduction

• Today’s talk

• The so-called ‘weakest’ so-called ‘link’

• The ETTO principle

• Everything is broken

• Victim-blaming

• Building a positive cyber security culture

Page 3: In defence of the human factor

About me

Dr Ciarán Mc Mahon is a director of the Institute of Cyber Security and an award-winning academic psychologist from Ireland. A former Government of Ireland Scholar, he has published research on the history of psychological language, the psychology of social media, digital wellness and the social impact of cybercrime. Ciarán has worked at a number of third-level institutions, and is currently an occasional lecturer at University College Dublin. Ciarán also has extensive media experience and regularly contributes on topics relating to the human aspects of information technology to national and international outlets including Sky News, BBC Radio London, USA Today, Fortune Magazine, and The Guardian.

Page 4: In defence of the human factor

The Institute of Cyber Security aims to help companies and organisations develop the most resilient cyber security culture possible.

Page 5: In defence of the human factor

It all started with Bruce Schneier (2000)

Page 7: In defence of the human factor

and continued with Kevin Mitnick (2002)

Page 10: In defence of the human factor

AS A HUMAN BEING, I RESENT THIS!

Page 11: In defence of the human factor

What about the other links in the security chain?

Are they really stronger, and more secure?

Page 12: In defence of the human factor

‘Everything is broken’ (Quinn Norton, 2014)

"It’s hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire. Computers, and computing, are broken."

Page 13: In defence of the human factor

Update of the art

Recent patches

o 16 updates of iOS in the last year

o 3 Flash updates in a single month

o How quickly did Windows 8 become Windows 8.1?

Page 14: In defence of the human factor

Update of the art

Recent patches

o Only 7.5% of all Android devices are running the most recent (and therefore most fully patched) version of the operating system

o The industry’s security update practices are currently being investigated by the US Federal Trade Commission (Goodin, 2016)

Page 15: In defence of the human factor

‘Another flaw in the human character is that everybody wants to build and nobody wants to do maintenance’ (Kurt Vonnegut, Hocus Pocus)

Page 16: In defence of the human factor

So why are we blaming people for security problems, when the technology is falling apart?

Page 17: In defence of the human factor

Acceptable accident causes (Hollnagel & Amalberti, 2001)

The causes that accident investigations settle on are always found to be:

o associated with a system structure

o reducible within accepted limits of cost and time

o conforming to current “norms” for explanations

‘Human error’ satisfies all three, which is why it is such a convenient finding.

Page 18: In defence of the human factor

Human error is a meaningless concept

Every day the average office worker clicks on hundreds of hyperlinks as part of their job. But one day, they click on the wrong one, and suddenly they’re the cause of a malware infection.

Hollnagel’s (2009) ETTO principle – the ‘efficiency-thoroughness trade-off’: nobody can check everything and still get their work done, so people routinely trade some thoroughness for efficiency. The click that infects the machine is the same behaviour as the hundreds of clicks that didn’t; only the outcome differs.

Sometimes things go wrong, sometimes things go right.

Page 19: In defence of the human factor

The flipside

o We say that ‘the human factor is the weakest link in cybersecurity’ because it’s a lot easier than tackling the real problem: the fact that IT is falling apart

o But that’s not the only reason we shouldn’t say ‘the human factor is the weakest link in cybersecurity’

Page 20: In defence of the human factor

IBM 2015 Cyber Security Intelligence Index

Page 21: In defence of the human factor

But how can you expect your employees to listen to you when you assume that they are stupid or untrustworthy?


WE NEED TO CHANGE HOW WE TALK ABOUT HUMAN FACTORS IN CYBERSECURITY

Page 23: In defence of the human factor

Victim blaming (Cross, 2015)

Discourse on online fraud is based on the idea of greedy/gullible victims:

o it does not take into account the level of deception and sophisticated targeting

o humour isolates victims and impacts their ability to warn others

Page 24: In defence of the human factor

Understanding abusive insiders

Posey, Bennett, & Roberts (2011):

o employees who do not feel that their organisations trust them will engage in more computer abuse when security measures are brought in

Page 25: In defence of the human factor

Organisational justice and fairness

Bulgurcu, Cavusoglu, & Benbasat (2009):

o creating a fair environment and ensuring procedural justice in regards to implementing security rules and regulations is the key to effective information security management

Page 26: In defence of the human factor

Are CISOs their own worst enemy? (Ashenden & Sasse, 2013)

CISOs struggle to gain credibility due to:

o confusion about their role identity

o inability to engage effectively with employees

Page 27: In defence of the human factor

If we want our colleagues, co-workers and corporate level executives to engage with cybersecurity policy, we have to stop seeing them as the weakest link. We have to start engaging with them, trusting them, and educating them.

It’s that simple.

Page 28: In defence of the human factor

Thank you.

Email: [email protected]

Phone (IRE): +353 1 5137093

Phone (UK): +44 203 8085226

Address: Unit 1, 77 Sir John Rogerson’s Quay, Dublin 2, Ireland

For the full report, contact [email protected]

Page 29: In defence of the human factor

Studies cited

Ashenden, D., & Sasse, A. (2013). CISOs and organisational culture: Their own worst enemy? Computers and Security, 39, 396–405. http://doi.org/10.1016/j.cose.2013.09.004

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2009). Roles of information security awareness and perceived fairness in information security policy compliance. 15th Americas Conference on Information Systems 2009, AMCIS 2009, 5, 3269–3277.

Cross, C. (2015). No laughing matter: Blaming the victim of online fraud. International Review of Victimology, 21(2), 187–204. http://doi.org/10.1177/0269758015571471

Hollnagel, E. (2009). The ETTO Principle: Why things that go right sometimes go wrong. Farnham, UK: Ashgate.

Hollnagel, E., & Amalberti, R. (2001). The emperor’s new clothes: Or whatever happened to “human error”? 4th International Workshop on Human Error, Safety and Systems Development, (April), 1–18.

Mitnick, K. D., & Simon, W. L. (2002). The art of deception: Controlling the human element of security. Indianapolis, IN: John Wiley & Sons.

Posey, C., Bennett, R. J., & Roberts, T. L. (2011). Understanding the mindset of the abusive insider: An examination of insiders’ causal reasoning following internal security changes. Computers and Security, 30(6-7), 486–497. http://doi.org/10.1016/j.cose.2011.05.002

Page 30: In defence of the human factor

Other sources

Goodin, D. (2016, May 10). Feds probe mobile phone industry over the sad state of security updates. Ars Technica. http://arstechnica.com/security/2016/05/feds-probe-mobile-industrys-security-update-practices/

IBM (2015). IBM 2015 Cyber Security Intelligence Index. http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&htmlfid=SEW03073USEN&attachment=SEW03073USEN.PDF

Lonergan, K. (2015, June 30). The human factor: top tips to strengthen the weakest link in the information security chain. http://www.information-age.com/technology/security/123459735/human-factor-top-tips-strengthen-weakest-link-information-security-chain

Meetup.com (2016, April 7). Human Factors in (Cyber) Security: Exploiting the Weakest Link? http://www.meetup.com/French-IT-Group-Australia-Asia/events/230137510/

Norton, Q. (2014, May 20). ‘Everything is broken’. The Message (Medium). https://medium.com/message/everything-is-broken-81e5f33a24e1#.sc7pf19g3

SANS Institute (2001). The Weakest Link: The Human Factor Lessons Learned from the German WWII Enigma Cryptosystem. https://www.sans.org/reading-room/whitepapers/vpns/weakest-link-human-factor-lessons-learned-german-wwii-enigma-cryptosystem-738

Schneier, B. (2000). Secrets and lies: Digital security in a networked world. New York: John Wiley & Sons.

Singer, P. W., & Friedman, A. (2014). Cybersecurity: What Everyone Needs to Know. Oxford: OUP. https://books.google.ie/books?id=9VDSAQAAQBAJ&dq

Vishwanath, A. (2016, May 5). Cybersecurity’s weakest link: humans. The Conversation. https://theconversation.com/cybersecuritys-weakest-link-humans-57455

Wright, A. (2016, April 13). Humans in cyber security – the weakest link. https://www.itgovernance.co.uk/blog/humans-in-cyber-security-the-weakest-link/