This post is the seventh post in a series of ten posts. The previous post explored the sixth law: Security is not stronger than its weakest link. Although often neglected, the seventh law is fundamental. It states that human users are often the weakest element of the security.
Humans are the weakest link for many reasons. Often, they do not understand security or have an ill perceived perception of it. For instance, security is often seen as an obstacle. Therefore, users will circumvent it when security is an obstruction to the fulfillment of their task and will not apply security policies and procedures. They do not believe that they are a worthwhile target for cyber-attacks.
Humans are the weakest link because they do not grasp the full impact of their security-related decisions. How many people ignore the security warnings of their browser? How many people understand the security consequences and constraints of Bring Your Own Device (BYOD) or Bring Your Own Cloud (BYOC)? Employees put their company at risk by bad decisions.
Humans are the weakest link because they have intrinsic limitations. Human memory is often feeble thus we end up with weak passwords or complex passwords written on a post-it. Humans do not handle complexity correctly. Unfortunately, security is too complex.
Humans are the weakest link because they can be easily deceived. Social engineers use social interaction to influence people and convince them to perform actions that they are not expected to do, or to share information that they are not supposed to disclose. For instance, phishing is an efficient contamination vector.
How can we mitigate the human risk?
- Where possible, make decisions on behalf of the end user; as the end users are not necessarily able to make rational decisions on security issues, the designer should make the decisions when possible. Whenever the user has to decide, the consequences of his decision should be made clear to him to guide his decision.
- Define secure defaults; the default value should always be set to that for the highest or, at least, an acceptable security level. User friendliness should not drive the default value, but rather security should.
- Educate your employees; the best answer to social engineering is enabling employees to identify an ongoing social engineering attack. This detection is only possible by educating the employees about this kind of attack. Training employees increases their security awareness and thus raises their engagement.
- Train your security staff; the landscape of security threats and defense tools is changing quickly. Skilled attackers will use the latest exploits. Therefore, it is imperative that the security personnel be aware of the latest techniques. Operational security staff should have a significant part of their work time dedicated to continuous training.
Interestingly, with the current progress of Artificial Intelligence and Big Data analytics, will the new generation of security tools partly compensate this weakness?
If you find this post interesting, you may also be interested in my second book “Ten Laws for Security” that will be available end of this month. Chapter 8 explores in details this law. The book will be available for instance at Springer or Amazon.