William Mackey thinks the old-school approach to cyber-security — wait for a problem, then tweak the technology — needs to go the way of Windows ’98.
If Americans expect to protect sensitive information, the country needs to shift its perception from hardware to human behavior when it comes to security, he said.
Mackey, an assistant professor of criminology and criminal justice at Indiana State University, told the more than 100 students and staff members packed in Dede 1 of the Hulman Memorial Student Union at ISU on Wednesday that the country needs an approach that couples technology with the way people actually behave.
“We’ve gotten complacent, in fact, these data breaches are happening so often,” Mackey said. “The way that we’ve been fighting this so far has been through purely technological means.
“We’re fighting technology with technology. We try to figure out how much money we can dump into our IT systems, how much IT staff we can get and then we react.
“What we’re suggesting is a different way to look at cyber-security in general. A lot of the data breaches that have happened, happened specifically because of a human behavioral impetus. It started because of somebody, not necessarily a machine, that was an employee or had a user name and password. There’s always somebody behind the machine.”
Mackey’s presentation on cyber-security was part of a round-table discussion on the future of cyber-security and the impact criminology and sociology students can have in shaping that future.
“We don’t need people, necessarily, that have computer programming backgrounds, in fact most of the time I don’t think that’s a good idea,” Mackey said. “We need people with fresh perspectives on things and people who understand why people do things, how we motivate, how to train effectively. What better place to look for that than a criminology background.
“That’s what we focus on, right? Why did they do it, how did they do it and how do we prevent it. It’s what criminologists do already.”
“Seventy-two percent of all data breaches that have happened since 2005 have had a human behavioral component. That is to say, they would not have happened if that human behavioral action didn’t take place,” Mackey said. “We’re not focusing on this human behavioral aspect at all right now. It’s simply not the focus.”
Chetrice Mosely, cyber-security program director for Indiana’s Cybersecurity Council, echoed Mackey’s point, saying the over-sharing of information online is a personal issue, not a technological one.
“To the professor’s point, more than 70 percent of the problem is us,” Mosely said. “It’s not a technology issue, it’s not an IT division issue, it’s an employee issue, it’s a personal issue.
“We share way too much information online because either we think it’s already out there or we don’t care because we’re apathetic.”
The problem needs to be tackled in a human way, she said.
If hackers understand its easier to exploit people than it is technology, then security experts need to retrain the public, not just tweak the technology, she said.
The pair also touched on the great need for qualified people in the cybersecurity field.
More than 6 million jobs are expected discipline-wide in 2019, and forecasts say only about 3.5 million candidates will be ready. Mackey said the average starting salary of those breaking into cybersecurity is around $95,000.
But Mosely reiterated the professor’s earlier point that employers are looking for fresh eyes.
“What businesses are looking for is not people with an IT background, but people with critical thinking skills and who are problem solvers,” Mosely said. “They need the people who can communicate well and can quickly figure things out. If you can do that on day one, then they can teach you the IT stuff.”