Security Quotient Research

Securing the human: a $35m question

Home » Research Updates » Securing the human: a $35m question

This post was originally published on LinkedIn on 28 July 2017

Chris Hails, Information Security Consultant

Browsing the BBC website this morning, a quote in a report on Alex Stamos’ keynote to Black Hat jumped out at me. Facebook’s CSO was talking about the need for ‘a more people-centric security industry’ and suggested:

“We have perfected the art of finding problems without fixing real world issues,” he told attendees. “We focus too much on complexity, not harm.”

The human side of information security and associated online harms is a major focus for me. Between August 2010 and August 2016, New Zealanders reported almost 28,500 online incidents to NetSafe involving $35m in direct financial losses.

In policing terminology there’s a difference between pure ‘advanced cybercrime’ and cyber-enabled crime but when you’ve spoken with individual victims who have lost their life savings thanks to some shady overseas operator, the difference tends to melt away and the impact on the victim is what matters the most.

Think of the individual who has remortgaged their house; drained their business of operating capital; traveled to a hotel room thousands of miles away to meet that mysterious investor offering a handsome percentage in return for a small up front payment.

Those experiences at NetSafe left me wanting to find solutions to what are increasingly known as ‘socio technical attacks’. If you haven’t heard that term before I’ll refer to Dr Jean-Louis Huynen: “A socio-technical attack is possible because of the human components in a system.”

Over those six years working at NetSafe, the most common – and most financially and/or emotionally harmful – forms of socio-technical attacks were:

  • Romance fraud
  • Investment fraud
  • Ransomware
  • Business Email Compromise (BEC)

Whether you classify those as cyber-enabled or pure cyber attacks isn’t the important point here. The key is that in the majority of those cases, the weakest link in the system was often a human being – a human who responded to the charms of a scammer or was curious enough to infect their own system and encrypt essential data.

Humans, it’s fair to say, can be wonderful things but they also come with a range of inherent flaws or vulnerabilities:

  • Many of us like to help people: that could be holding a door open for someone wearing a hi-vis vest piggybacking into a building or allowing the helpful ‘Microsoft’ technician to have access to your computer to fix the viruses.
  • Many of us respond to outside forces or biases in the form of authority, curiosity or a general sense of invincibility and click on the malicious attachment or submit our credentials to the phishing site that ‘satisfices’ our need to verify it really is the official bank website.

These concepts are not new and whilst a smattering of the word cyber adds a sexy sheen to the stories, humans have been taken advantage of for a long time. Take a quick peek at this ‘Spanish Prisoner’ story in the New York Times and note the date: 20 March 1898.

What cyber brings to the picture is a speed of operation and ability to bridge the distance unimaginable for the criminals operating at the end of the 19th century. Speed and ease of operation and access to a global pool of victims equals profit and has resulted in changing the face of modern crime.

Look at the latest UK crime statistics and you’ll find that ‘cyber crime’ in the form of Computer Misuse and Cyber Enabled Fraud now makes up 53% of reported crime.

There’s no doubt that the technical skills involved in advanced, persistent, technically impressive attacks are to be reviewed with a wry smile and a sense of awe.

But it’s becoming apparent that a failure to implement basic cyber hygiene steps – not sophisticated attackers – is often to blame. And that includes failing to train your staff on how to recognise suspicious activity and how to respond to potential cyber incidents.

Dr. Ian Levy, from the UK’s National Cyber Security Centre probably said it best:

“A lot of the attacks that we see on the internet today are not purported by winged ninja cyber-monkeys. Attackers have to obey the laws of physics; they can’t do things that are physically impossible”

The wonderful people at InternetNZ have provided me with funding this year to explore some of the root causes of those 28,500 incidents, to research why so many socio-technical attacks are successful and to examine if there might be a programmatic way to identify individual cyber security risk profiles and deliver adaptive security benefits in future.

It’s only the start of the project, but I’ll be posting updates as I progress in the hope we can continue to explore ways to help more people stay safe and secure online.

Send me a message or leave a comment if you’d be keen to hear more.

Home » Research Updates » Securing the human: a $35m question