view counter

CybersecurityCybersecurity’s weakest link: humans

By Arun Vishwanath

Published 6 May 2016

There is a common thread that connects many of the recent hacks which captured the headlines. They all employed generic – or what is now considered “old school” – phishing attacks which typically took the form of the infamous “Nigerian prince” type e-mails, trying to trick recipients into responding with some personal financial information. “Spearphishing” attacks are similar but far more vicious. They seek to persuade victims to click on a hyperlink or an attachment that usually deploys software (called “malware”) allowing attackers access to the user’s computer or even to an entire corporate network. Yes, people are the weakest links in cybersecurity. But they don’t have to be. With smarter, individualized training, we could convert many of these weak links into strong detectors – and in doing so, significantly strengthen cybersecurity.

There is a common thread that connects the hack into the sluicegate controllers of the Bowman Avenue dam in Rye, New York; the breach that compromised twenty million federal employee records at the Office of Personnel Management; and the recent spate of “ransomware” attacks that in three months this year have already cost us over $200 million: they were all due to successful “spearphishing” attacks.

Generic – or what is now considered “old school” – phishing attacks typically took the form of the infamous “Nigerian prince” type e-mails, trying to trick recipients into responding with some personal financial information. “Spearphishing” attacks are similar but far more vicious. They seek to persuade victims to click on a hyperlink or an attachment that usually deploys software (called “malware”) allowing attackers access to the user’s computer or even to an entire corporate network. Sometimes attacks like this also come through text messages, social media messages or infected thumb drives.

The sobering reality is there isn’t much we can do to stop these types of attacks. This is partly because spearphishing involves a practice called social engineering, in which attacks are highly personalized, making it particularly hard for victims to detect the deception. Existing technical defenses, like antivirus software and network security monitoring, are designed to protect against attacks from outside the computer or network. Once attackers gain entry through spearphishing, they assume the role of trusted insiders, legitimate users against whom protective software is useless.

This makes all of us Internet users the sole guardians of our computers and organizational networks – and the weakest links in cyberspace security.

The real target is humans
Stopping spearphishing requires us to build better defenses around people. This, in turn, requires an understanding of why people fall victim to these sorts of attacks. My team’s recent research into the psychology of people who use computers developed a way to understand exactly how spearphishing attacks take advantage of the weaknesses in people’s online behaviors. It’s called the Suspicion, Cognition, Automaticity Model (SCAM).

We built SCAM using simulated spearphishing attacks – conducted after securing permission from university research supervision groups who regulate experiments on human subjects to ensure nothing inappropriate is happening – on people who volunteered to participate in our tests.