Wetware: The #Often #Overlooked #Crucial #Factor in #Cybersecurity

Cybersecurity. With all of the continuing successful cyber-attacks on critical infrastructure such as finance and energy, this word is probably more top of mind than at any other time in history. Yet, bring up the topic of cybersecurity, and its sister, data privacy, and the most likely reactions that will bubble up are things like encryption, vulnerabilities, malware, software updates, access control, etc. etc.

What all of these have in common is that they are technology concepts. While very important, these concepts tend to invoke a reaction that cybersecurity is best left to “people in white coats,” the technologists who deal with the infrastructure protecting our sensitive information. That would be wrong.

Quite often, the most vulnerable part of any cybersecurity regime is the “device between the keyboard (or touchscreen) and the seat,” i.e. the human. After all, there is a reason why one of the oldest cyberattacks, the phishing e-mail (sending e-mails loaded with malware to users) continues to this day. Criminals have become very good at what is often called social engineering, in this case tailoring their poison so that even sophisticated users will often click on that loaded e-mail.

Even with the inevitable pitfalls, the economic and societal benefits that today’s networked society have brought about are undeniable. There are still plenty of benefits left to reap as the Internet drills further into the devices that support our lives. To continue this march of progress, it’s clear that our society needs to come up with more effective approaches to cybersecurity and data privacy. As we tackle this, addressing the human element is just as important as the technical one.

Design: It’s not just for cars

There are two concrete areas in particular where “wetware” plays a major role in cybersecurity. One that can be counter intuitive is design.  When people think about design, they often focus just on the process of creating pleasing shapes and interfaces for products. The process really goes deeper though, it can be described as considering the human element in the ecosystem around a product or process. It is in this definition that design needs to play a central role in cybersecurity since, after all, even the best cybersecurity techniques are useless if humans end up bypassing them.

A very good example of the pitfalls of not using design principles comes from a recent NIST (U.S. National Institute of Standards and Technology) revision of their guidelines on password creation. While NIST cybersecurity guidelines only apply to the U.S. Federal government, they are widely used throughout industry as a guide. The password guidelines are typical. Most readers are probably familiar with the typical guidelines for creating passwords; they need to be of a certain length, contain numbers, special characters, and a mixture of upper and lower-case letters. Passwords also need to be changed at certain intervals. All of these are based on NIST guidelines.

In June 2017 NIST significantly revised its guidelines to recommend long, easily remembered passwords that are NOT changed over time. In an interview, a senior NIST official explained how human behavior factors drove these revisions. NIST found that users were coming up with workarounds that allowed them to remember their passwords but in the end compromised the security the guidelines meant to instill. One example is the requirement to change passwords frequently caused users to constantly change one character in the password according to a certain pattern. This made the password easy to remember but did nothing to improve security as the guidelines intended.

As the NIST revision shows, cybersecurity and data privacy researchers are increasingly looking at human factors. The FTC’s (U.S. Federal Trade Commission) 2017 PrivacyConevent prominently featured human behavior research around such topics as the best times for apps to prompt users about their privacy preferences, how users perceive certain types of online tracking as “creepy,” and how users changed their search behavior after Google changed its privacy policy in 2012.

Policy: A Reaction to Fear

Policy is also another human factor in cybersecurity. While at least in the U.S. policy is an anathema to the technology industry, at its core, policy is a way that governments try to address their constituents’ fears. With fears about cybersecurity and data privacy now at a high pitch, like it or not, policy is going to be part of the cybersecurity landscape.

Probably the most watched policy initiative in this area right now is the European Union regulation called GDPR (General Data Protection Regulation). Scheduled to go into force in May 2018, the GDPR is getting attention because it is applicable to any company that processes EU citizens’ data, including companies outside of the EU. Also, violations could result in fines of up to 4% of their worldwide revenue. In addition, countries outside of the EU such as Argentina are also moving their privacy regulations to be more similar to the GDPR.

While many details about how the GDPR will be implemented are still up in the air, it’s expected to have effects on cybersecurity and data privacy in a number of ways. One example is simply that many companies are expected to shore up their cybersecurity measures to better avoid potential breaches of personal data. The regulations also require companies to follow data privacy by design which generally means building in proper technologies and procedures during the entire development process rather than tacking them on at the end.

Regardless of technology companies’ preferences, policy makers’ interests in cybersecurity and data protection is here to stay. The technology industry needs to also engage with this area of human behavior to bring about more effective measures going forward.

After 13 years working for Nikkei Business Publications and several years of consulting, I now work for Intertrust Technologies. Any opinions expressed here are my own and do not reflect my employer.