Humans are often referred to as the “weakest link” in information security. However, organisations have historically relied on the effectiveness of technical security controls, instead of trying to understand why people are susceptible to mistakes and manipulation.
A new approach is clearly required: one that helps organisations to understand and manage psychological vulnerabilities and adopts technology and controls that are designed with human behaviour in mind.
Human-centred security: a new approach
Human-centred security starts with understanding humans and their interaction with technologies, controls and data. By discovering how and when humans “touch” data throughout the working day, organisations can uncover the circumstances in which psychology-related errors may lead to security incidents.
For years, attackers have been using methods of psychological manipulation to coerce humans into making errors. Attack techniques have evolved in the digital age, increasing in sophistication, speed, and scale. Understanding what triggers human error will help organisations make a change in their approach to information security.
Identifying human vulnerabilities
Human-centred security acknowledges that employees interact with technology, controls and data across a series of touchpoints throughout any given day. These touchpoints can be digital, physical or verbal. During such interactions, humans will need to make decisions. However, humans have a range of vulnerabilities that can lead to errors in decision-making, resulting in negative impacts on the organisation, such as sending an email containing sensitive data externally, letting a tailgater into a building or discussing a company acquisition on a train. These errors can also be exploited by opportunistic attackers for malicious purposes.
In some cases, organisations can put preventative controls in place to mitigate errors being made, for example by preventing employees from sending emails externally, by strongly encrypting laptops or by installing physical barriers. But errors can still get through, particularly if individuals decide to subvert or ignore these types of controls to complete work tasks more efficiently or when time is constrained. Errors may also manifest during times of heightened pressure or stress.
By identifying the fundamental vulnerabilities in humans, understanding how psychology works and what triggers risky behaviour, organisations can begin to understand why their employees might make errors and begin managing that risk more effectively.
Exploiting human vulnerabilities
Psychological vulnerabilities present attackers with opportunities to influence and exploit humans for their own advantage. The methods of psychological manipulation used by attackers have not changed since humans entered the digital era, but attack techniques are more sophisticated, cost-effective and expansive, allowing attackers to target individuals effectively or to attack on a considerable scale.
Attackers use the ever-increasing volume of freely available information from online and social media sources to establish believable personas and back-stories in order to build trust and rapport with their targets. This information is carefully used to heighten pressure on the target, which then triggers a heuristic (fast, intuitive) decision-making response. Attack techniques are designed to steer the target into a particular cognitive bias, resulting in predictable errors, which attackers can then exploit.
There are several psychological methods that can be used to manipulate human behaviour; one such method that attackers can use to influence cognitive biases is social power.
There are many attack techniques that use the method of social power to exploit human vulnerabilities. Attack techniques can be highly targeted or conducted at scale, but they typically contain triggers which are designed to evoke a specific cognitive bias, resulting in a predictable error. While untargeted, “spray and pray” attacks rely on a small percentage of the recipients clicking on malicious links, more sophisticated social engineering attacks are becoming prevalent and successful. Attackers have realised that it is far easier to target humans than to attack technical infrastructure.
The way in which an attack technique uses social power to trigger cognitive biases will differ between scenarios. In some cases, a single email may be enough to trigger one or more cognitive biases and produce the desired outcome. In others, the attacker may gradually manipulate the target over a period of time using multiple techniques. What is consistent is that the attacks are carefully constructed and sophisticated. By knowing how attackers use psychological methods, such as social power, to trigger cognitive biases and force errors, organisations can deconstruct and analyse real-world incidents to identify their root causes and therefore invest in the most effective mitigation.
For information security programs to become more human-centred, organisations must become aware of cognitive biases and their influence on decision-making. They should acknowledge that cognitive biases can arise under normal working conditions, but also that attackers will use carefully crafted techniques to manipulate them for their own benefit. Organisations can then begin to rework their information security programs to improve the management of human vulnerabilities and to protect their employees from a range of coercive and manipulative attacks.