
The Importance of Human Factor in Cybersecurity

"The key to social engineering is influencing a person to do something that allows the hacker to gain access to information or your network."
- Bruce Schneier

Cybersecurity is the most significant challenge faced by any organization or individual today. People are generally oblivious to the cyberwar that has been waged upon us by our adversary. We must, therefore, prepare well to defend ourselves. The human factor plays an important role in cybersecurity and remains the weakest link in this chain, yet public awareness and visibility of cybersecurity to common users remain inadequate. Even cybersecurity professionals can fall prey to cyberattacks, as the attacker may use social engineering tricks that exploit human psychological vulnerabilities.



Solutions that improve network security, such as firewalls, intrusion detection and biometric devices, aim to protect against a wide range of threats, but they protect against inbound threats that originate from external sources or attackers. Such widely used security solutions do not consider the ‘insider threat’, or threats arising from the human factor. Humans, either intentionally or unintentionally, can easily undermine any cybersecurity technology, thus posing a threat to themselves or their organizations. In this article we will mostly discuss the unintended human behaviour that leads to cybersecurity breaches. People are often unaware that they hold important information or data, that there are risks attached to the information assets they are privy to, and that their casual behaviour can lead to information security leaks which can cause irreparable damage.




If we talk about Pakistan’s cyberspace, leaving aside critical infrastructures and taking only common users into consideration, we have 155 million mobile subscribers (74.48% penetration), of whom 63 million are 3G/4G subscribers, and there are 65 million broadband Internet subscribers (31.19% penetration), as per PTA’s January 2019 data. These users are vulnerable in cyberspace and are largely unaware of the cyber threats they face and of their vulnerabilities that attackers may exploit. There is a need to make these users aware of the potential cyber threats and the recommended safeguards against such threats.
We must understand that we are in a state of cyberwar, which has certain similarities with conventional wars. In the case of cyberwar, however, strategy is much more complex, as it involves many more enemies who are often unknown and remain anonymous. The threat spectrum is much broader and ever changing. It involves state and non-state actors and a large number of diverse motivations on the enemy’s part; everyone is vulnerable, and the value and vulnerabilities of an asset are often unknown to its owner but known to the enemy. In such scenarios attacks often remain undetected until significant and irreparable damage has already been caused, and the enemy does not require physical access to assets to destroy them.
Cyberspace is not bound by physical or national boundaries, nor can geographical or political divisions be applied to it. The non-physical nature of cyberspace allows cyberattacks to be launched by numerous actors from anywhere across the globe. Attackers in cyberspace may remain anonymous and are thus difficult to track even after the attack.
Home users are more vulnerable and prone to cyberattacks as they offer an easy target for attackers. This is because home users have a low level of security awareness. Some of the reasons for security lapses include: increasing online activities including social media networks, little or no investment in security systems, not following security policies or guidelines, and leaving computer and application settings at their defaults. Home users’ sensitive data must be handled according to the principles of confidentiality, integrity and availability. Confidentiality means that only authorised people have access to data and that unauthorised people cannot receive or intercept the information; integrity means that information is not modified; and availability means that information is available to authorised people at all times. There is a common misconception among home users that they do not have any valuable information and thus are not a target of significance. The fact is that each piece of information is important, as a small piece of information may be the missing part of a bigger intelligence mosaic. We must understand that information which is insignificant for one person may be of great significance for someone else. People must be aware that they have valuable assets that must be secured. These fall into four basic categories: hardware (PC, laptop, desktop, hard disk, CPU), software (operating system and software applications), information (personal information, credit card details, bank account details, passwords) and communication (e-mails, instant messenger, browsing activities).




Potential losses to common users due to computer security attacks include data loss or theft, identity theft, financial loss, unavailability of resources, misuse of computer resources, and loss of trust. Cyberattacks are of many different types, which can be combined to enhance their impact and cause damage to their victims. Some common types of cyberattacks include malware attacks, email attacks, mobile code attacks, denial of service attacks, botnets, identity theft, and packet sniffing. Malware (malicious software) may be attached to a Word, Excel or PDF file that appears to be safe but is actually harmful. Cyberattacks are becoming much more sophisticated, using social engineering techniques that exploit the common weaknesses of human psychology. Hackers carry out targeted operations in which they study the behaviour, interests, affiliations and weaknesses of their target and launch well-planned attacks which are often successful. At times hackers combine other techniques with a cyberattack, such as phone calls and SMS, to win the confidence of the victim and improve their chances of success.




Organisations often deploy technological solutions and policies to help with cybersecurity issues but forget about training and, most importantly, the cybersecurity awareness of their employees. This leads to the failure of technology and policies. People, technology and policies must be integrated to combat cybersecurity issues.
There is no doubt that the Internet has brought a lot of opportunities, but at the same time there are a large number of privacy concerns, and the Internet has become a major source for exploiting cyber vulnerabilities. The Internet appears to be free, but this is not the case, as surveillance is the business model of the Internet and all its users are under continuous monitoring. In addition to the files, data or any other information stored on a computer’s hard disk or transferred over the Internet, information about identity, personality, activities, sentiments, affiliations, likes and dislikes is continuously recorded and used by different organisations, companies, hackers, search engines, advertising agencies and other businesses for their advantage. No computer connected to the Internet is safe, so no confidential data or information should be kept on such a system. Simple disconnection from the Internet is not enough; a protected system is one which has never been connected to the Internet, although protection is not guaranteed even in this case, as portable storage devices may introduce malware or transfer data without the user’s knowledge.
Use of portable storage devices such as USB flash drives is not safe, as they may infect even an offline system with malware. USB flash drives are usually the most common source of spreading a wide variety of malware. They must be used with the utmost care, after antivirus scanning, and all data must be removed from them immediately after use. Physical security of USB drives is also important, as these can easily be lost or stolen.
Wi-Fi is commonly used nowadays as it provides access to the Internet without wires. Wireless connectivity appears great due to mobility, but there are a lot of security risks associated with it. Security risks increase manifold in the case of open or public Wi-Fi networks, so connecting to such unsecure networks should be avoided. Personal or home Wi-Fi networks with default passwords and settings are at risk, so all settings must be personalised initially with strong passwords, and passwords must be changed frequently. Strong encryption should be used on wireless routers, the Wi-Fi router must be turned off when it is not required, and the router’s software must be kept up to date.
All users must be aware of some basic actions to remain secure including:
•  Use strong, easy to remember but difficult to guess passwords and change them regularly.
•  Regular update of operating system and other installed software, especially anti-virus.
•  Use of updated anti-virus and anti-spyware software.
•  Regular backup of important files.
•  Use of encryption techniques and digital signatures.
•  Use of firewall and intrusion detection systems.
•  Being vigilant and following the best security practices while staying online and surfing over the Internet.
•  Being careful of various social engineering attack techniques.
•  Awareness of physical surroundings to avoid shoulder surfing.
•  Being vigilant and reporting any suspicious behaviour.
•  Physical security of computing infrastructure.
•  Sharing of limited personal information online.
•  Awareness of current security scenario and attack techniques.



[Fig 1: Triangle with security, functionality and ease of use at its three corners]


Computer users want security and convenience at the same time, but unfortunately this is not possible. Consider a triangle with security, functionality and ease of use at its three corners: moving the ball towards any corner moves it away from the other two (Fig 1). Thus implementing a higher level of security means lower functionality and ease of use, which could be annoying for most users. In contrast, increasing functionality in applications or making a system or application easier to use will make it more vulnerable and less secure. New applications which are easier to use and come with a lot of functionality are actually associated with a lot of vulnerabilities which could be exploited by hackers, and are thus less secure. Hence, in any system or application the real challenge is a balance between security, functionality and ease of use.
The human factor will remain the weakest link in cybersecurity. This applies even to computer users with enough knowledge and the requisite training, as it is more of a behavioural issue than a knowledge issue. Humans often cause cybersecurity breaches unknowingly and unwillingly, due to lack of awareness and a careless attitude. Consequently, there is a need to continuously make people aware of cybersecurity and to cultivate a culture of positive security behaviour. Technology is often falsely considered a solution to cybersecurity-related issues, whereas it is actually a human factor problem. A cyberattack exploiting human vulnerabilities may bypass any technological protection. The most sophisticated and finest cybersecurity technology remains ineffective and will eventually be unsuccessful if computer users are not aware of or concerned about cybersecurity.

