Cybersecurity Human Factors
Introduction
The principles for designing reliable cybersecurity are rooted in knowledge of the behavioral sciences - psychology, forensics, and economics. We have learned that secure communication systems need to be user-friendly and must not impose excessive cognitive burden on users. The number of security measures a person or an organization needs to take has to be minimized as much as possible. The effort required to bypass a security measure should be substantially greater than the resources and potential rewards available to the cyberattacker.
The failure of security measures is not attributable to users being, as often said, the “weakest link.” Rather, the failure lies in the security design that ignored factors such as usability and acceptability. Password policies highlight this issue. Research has shown that policies designed by security experts are often bypassed by employees and, thus, ineffective. Software developers also put in outdated mechanisms that have proven faulty. Findings such as these emphasize the need for a focus on human factors in the design and implementation of secure systems.
When users do not follow security policies, they are blamed for not understanding the risks or simply for being too lazy. But non-compliance or “rule-bending” is just as often the result of a “Sophie’s choice” (a choice where both alternatives carry negative consequences) between productivity and security, with productivity winning because it is the more immediate organizational demand.
The typical response to non-compliance is security awareness and education, but this approach is not always effective. Human factors research has established that “fitting the task to the human” is more efficient than the other way around in terms of both cost and performance. Security awareness and training can play a role in improving security, but it should not be the first resort. Security must be usable, with usability being defined as the effectiveness, efficiency, and satisfaction of users achieving their goals. Security must work for people.
Usability
Criteria for assessing the usability of a system are:
Humans have general physical and mental capabilities and limitations, and tasks that exceed these capabilities will not succeed. Security mechanisms must not demand too much time or attention, and should be clearly and simply placed in front of the user to require a response, not be reliant on user memory.
Alarm Fatigue
Alarm fatigue refers to a situation where users stop paying attention to security warnings because of a relatively high rate of false alarms. This is like the boy who cried “wolf”: the brain begins to classify repeated signals as irrelevant and filters them out before they reach consciousness. To avoid alarm fatigue, it is important to keep the alarm rate as low as possible and to issue security warnings only when necessary. When issuing a security warning, explain why it is important and precisely what needs doing. The recommendation is to keep the false alarm rate below 10%; above that percentage, the warning loses its effect. Suggested ways of achieving this include good technology support. Job rotation is also a good idea, although it is not always possible. Human beings being what they are, once they begin dismissing alarms it becomes difficult to turn the clock back.
Human Memory
Memory is a key mental capability in humans and is divided into short-term memory (STM) and long-term memory (LTM). STM is used for temporary storage of information, like one-time passwords, but it has limited capacity and can only handle strings of up to 6 characters. Long-term memory is divided into semantic memory (LTM-SM) and episodic memory (LTM-EM). The ability to recall information stored in LTM depends on how frequently it is retrieved. Infrequently used information stored in LTM-SM fades faster than information stored in LTM-EM because the latter is connected to personal history and emotions. Overloading the STM loop with long or alphanumeric codes takes more time and carries a greater likelihood of error.
To better cope with the memory issue, the following solutions are recommended: 2-Factor Authentication (2FA), password managers, or keeping strong passwords for longer periods.
Choosing Passwords
A knowledge-based authentication credential, such as a password, needs to be extremely difficult to guess.
Easier guesses for attackers:
1. Users usually pick passwords that are easy for them to recall, such as personally significant names or dates.
2. When using images as credentials, users usually prefer stronger colours and shapes.
3. When the images are pictures of humans, they will choose more attractive people.
4. When using a location within a picture, people prefer obvious features.
5. With a location-based system, people pick memorable locations; when choosing locations for a 4-digit PIN on a number grid, they choose locations that are next to each other and anchored on an edge or corner of the grid.
6. The order of the elements (e.g. letters, numbers, characters) of a credential is predictable. People who write languages that read left-to-right will choose the elements in that order.
7. With finger swipe passwords, users generally choose from a limited number of shapes.
These biases in the selection of credentials result in easily guessable knowledge-based authentication, making it less secure. To overcome this, security systems can implement various measures such as randomizing the order of elements, offering a wide range of options to choose from, or using multiple elements to form a single credential. This increases the randomness of the system and makes it more secure against guessing attacks.
The human biases in choosing passwords, such as selecting memorable names or dates, make it easier for an attacker to guess them. To counter this, security policies have restricted the most obvious choices, but this has increased the workload associated with password creation and password recall, causing frustration and time lost in retrieval. Password strength meters have been used to guide password choices, but these meters vary in accuracy. The workload associated with password creation can also increase with restrictions and password strength meters. It is also important to consider the specific needs of different user groups, such as children, older citizens, and those with physical and mental conditions. The usability limitations of security mechanisms and their contribution to security fatigue must also be kept in mind.
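The keypad bias described above (adjacent positions anchored on an edge or corner of the grid, and predictable ordering) can be turned into a policy check that rejects weak PINs at enrollment, rather than leaving the user to guess what counts as "too obvious". The following is an added example, not code from the article; the keypad layout, the `pin_findings` function and the rule names are assumptions, and it goes slightly beyond the text by also flagging monotonic runs and repeated digits.

```python
# Standard 3x4 phone keypad: digit -> (row, col). Layout is an assumption
# for this example; adapt it to the grid your enrollment UI actually shows.
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}


def is_adjacent(a: str, b: str) -> bool:
    """True if the two keys touch on the grid (including diagonally)."""
    (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
    return max(abs(r1 - r2), abs(c1 - c2)) == 1


def on_edge(digit: str) -> bool:
    """True if the key sits on the border of the grid (corners included)."""
    r, c = KEYPAD[digit]
    return r == 0 or r == 3 or c == 0 or c == 2


def pin_findings(pin: str) -> list:
    """Return the list of human-bias patterns a 4-digit PIN exhibits.

    An empty list means none of the checked patterns matched; the caller
    (enrollment UI or policy engine) decides whether to reject or warn.
    """
    if not (pin.isdigit() and len(pin) == 4):
        raise ValueError("expected a 4-digit numeric PIN")
    findings = []
    # Every consecutive pair touches on the keypad: a "path" PIN.
    if all(is_adjacent(x, y) for x, y in zip(pin, pin[1:])):
        findings.append("adjacent-keys")
        # Paths that start on the border are the common case in the text.
        if on_edge(pin[0]):
            findings.append("edge-anchored")
    # Monotonic run such as 1234 or 4321 (predictable ordering).
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps == {1} or steps == {-1}:
        findings.append("sequential")
    # Same key pressed four times.
    if len(set(pin)) == 1:
        findings.append("repeated")
    return findings


if __name__ == "__main__":
    for sample in ("2580", "1478", "1234", "1111", "2951"):  # constructed
        print(sample, pin_findings(sample) or "no bias pattern found")
```

Rejecting flagged PINs is only half the job; following the article's own advice, the rejection message should say which pattern was matched so the user is not left guessing what the policy wants.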
User Behaviour
Workarounds to security measures, like writing down passwords, occur because people want to ensure effective completion of their tasks and protect business productivity. The repeated effort and disruption of entering a password many times a day can lead to negative effects such as installing mouse-jiggling software to avoid screen lock.
The aim must be to reduce the burden of security tasks on users. This can be done by automating security, minimizing the need for explicit human action, triggering security mechanisms only when necessary, and designing systems that are secure by default. As people tend to prefer physical tasks over mental tasks, the design should aim to reduce mental workload as much as possible.
To reduce security compliance fatigue, security specialists need to discuss with line managers and business leaders the time and budget available for security tasks. Making security mechanisms smarter and less restrictive reduces compliance fatigue. Access to efficient security recovery and support services reduces the need for workarounds.
Two-factor solutions, despite providing better security, may still be difficult for users if they are hard to handle or require users to carry tokens. These usability issues can lead to confusion and human error, reducing their effectiveness.
The majority of activities that people undertake are carried out in a fast and automatic mode, making them efficient but also making them vulnerable to security risks. It is unrealistic to expect people to always be cautious when they have numerous work emails with embedded links that need to be clicked on. Productivity is threatened if they cannot complete their primary task without clicking on these links. Users must be educated as to the need for complex additional tasks and given options.
Factors such as fatigue, inexperience, and risk-taking attitude can lead to errors. Human factors such as memory limitations and shared assumptions also contribute. Factors such as time pressure, high workload, monotony, and boredom can lead to errors, as well as uncertainty about roles, responsibilities and rules. Work environment factors such as interruptions and poor equipment and lack of information can also cause errors, particularly when rules and procedures change. The responsibility to address these factors lies with the organization and regular reviews should be conducted to identify and address underlying causes of mistakes and near misses.
Security Awareness Education and Training
Security awareness education helps people understand what the cybersecurity risks are and what they can do to reduce them. The emphasis is on why security matters, what it means for the organisation, and what it means for the individual. Education should be targeted and tailored to its audience, delivered in a way that is easy to understand and relevant. It should also be engaging, interactive and provide practical advice on how to reduce the risk.
Security Training
Security training equips people with the skills they need to reduce risk. Training should be focused on the tasks that people need to perform in order to be safe. It helps people acquire skills, such as how to use a security mechanism correctly or recognize and respond to a social engineering (a con artist) attack. Training is more effective when it takes place in a social community and allows people to practice the skills and discuss their perceptions and biases. It should be practical, hands-on training that provides opportunities for people to practice what they have learned. It is also important that training be regularly reviewed and updated to keep pace with new risks and changing threats.
Simulations and games are often used to make security awareness more appealing and to support more comprehensive education and behavioral change. Anti-phishing simulations, which teach employees not to click on suspicious links in emails or elsewhere, are the most widely used in organizations. These simulations measure the impact of interventions and show a decrease in click rates in the short term. However, the success of these simulations depends on the employee’s motivation to engage in the training and their ability to apply the skills being taught. Anti-phishing simulations can also have negative effects, such as reducing trust among employees or leading to reluctance to click on any links, including important ones. Designing simulations must take this issue into account. Using email filtering solutions can effectively reduce the number of suspicious emails that reach users in the first place.
Security education and training should be an integral part of an overall security strategy. They should be integrated with other security measures, such as technical controls and policies, to provide a comprehensive security solution. The key is to balance the need for security with the need for people to be able to complete their tasks efficiently and effectively.
Security Policies
General MacArthur’s statement to “never give an order that can’t be obeyed” applies to security policies as well. When employees encounter security policies that are impossible or extremely difficult to follow or are clearly not effective, it undermines the credibility of all policies and the security professionals who issue them. If policies are not being followed, security professionals must investigate why this is the case and re-design the solution. In most cases, employees do not mean to show blatant disregard for security. They are usually trying to manage a risk they understand in the best way they know how.
Positive Security
To make security a credible proposition, it must be framed as a positive aspect that enables people to engage in activities they value and experience positive outcomes. This positive conception of security can encourage individuals to become more involved in decision-making and to behave securely. The key aspects of positive security are an emphasis on positive outcomes and not blaming those who are unable to follow security advice.
Conclusion
The ultimate goal of security is to protect people and their information. The design of security mechanisms must take into account the capabilities and limitations of human users and strive to fit the task to the human rather than the other way around.