In any conflict, humans are affected. The best scenario is that the individual leaves unscathed and perhaps even unaware of what could have been their misfortune, whereas in the worst of cases – such as kinetic warfare – the impact can be the ultimate price: loss of life.
There is also a cruel truth of conflict that often gets overlooked: those who survive may be living a hell on earth as they piece together what little they have left to move on. Instead of dying immediately, they may be bled to death over time. Herman Kahn’s book, On Thermonuclear War, in a way, describes such scenarios.
If this introduction seems a bit too grim for a cybersecurity conversation to you, then perhaps you are not looking into the cybersecurity question deeply enough. By no means is this fear-mongering on my part, though I do believe we are taking part in a “slow bleed” right now. More succinctly, I am trying to illustrate the point that the cybersecurity challenge has a human element to it, which has traditionally been overlooked.
Perhaps part of the reason is that we have put so much faith in our technological abilities and have generally looked at the cybersecurity challenge as a technical problem to be solved (it’s not). Similarly, there is an emotional element that has been understudied, leaving many of us “untouched” by cyber effects.
Let me ask you: what is the difference between being pickpocketed for the cash on you versus that same amount of money being stolen from your bank account through cybercrime?
In practice, there should be no difference at all, but I will suggest to you that the “feeling” of those crimes is different. One may feel like an immediate violation, whereas the other may feel like you got scammed and only found out after the fact.
Along the same lines, how would you feel if you went to your mailbox and saw all your letters opened up? Is that any different than your e-mail being opened up?
These are just a couple of examples of the human element. In a broader sense, we can think of it like this: at the micro level, an individual is impacted by cybercrime, or their behaviour can act as the last line of defense in an elaborate cybersecurity defense scheme.
At the macro level, individuals are impacted by legislation changes and increasing costs. And things really start to get messy when we start mixing these elements with social engineering and information warfare, which are incredibly intertwined with emotion and psychology.
All these issues are part of the cybersecurity conversation. We have no choice but to address them unless, of course, we are ready to give up the standard of living we enjoy for something that resembles a pre-WWII economy.
Therefore, there can be no denying there is a human element to the cybersecurity conversation, yet we still focus the majority of our efforts and investments on the technical side of the cybersecurity challenge, whether it is for improved network defense or the utilization of artificial intelligence and machine learning.
I am not trying to be critical of these efforts; in fact, I approve of many, as seen here, where Paul Ferrillo and I discuss the need for artificial intelligence and machine learning, especially as we continue to create vast amounts of data that are beyond our human management capabilities.
Yet if we do not balance out this technical/people equation when trying to address our cybersecurity problems, we will not get ahead. In practice, we will just be throwing good money, time and effort after bad (all finite resources) as we fail to adapt fast enough to the change we are both facing and creating.
Remember, for every cool feature we add to our phone, we add potentially vulnerable code. And for every technological leap we bring to market – say, quantum computing – we have the propensity to crush decades’ worth of practice that we have become accustomed to.
What good comes from investing years into a system or professional certification that – within reason – will become obsolete within five years? The cybersecurity industry must not fall into the trap of preparing for the last war or as so many higher education institutions have: preparing you for the world of the past decade.
Let us accept as a given that the everyday user has a low awareness level regarding the cybersecurity conversation. I do not believe anybody with serious insight on the topic would think this is an unreasonable posture. Yet so long as this awareness level remains low, it will continue to act as the single greatest vulnerability as we try to address the cybersecurity problem.
One topic I will discuss is the importance of labels and vocabulary. Ask a room full of people “what do you think cybersecurity is?” and it is quite possible you will get completely different answers from everybody. The word “cyber” has been mystified, yet if you look at other cultures – such as the Russians or Chinese – they do not necessarily use the word natively. Rather, they use “information security” to describe their problems (and I would suggest that gives them a strategic advantage).
Therefore, I would ask you to look at “cybersecurity” through this simple equation as you go through this series: Network Security + Information Security = Data Security. I believe splitting up the problem like this will make a significant difference on how we solve our problems.
So, it is time to talk about some of these human element issues in more depth, which is the purpose of this series. I would like to thank Tripwire for allowing me to put together these posts and hope you will all take something away from them.
The first post will focus on a very broad conversation about how we use information and what it means to us.