Daily Archives: December 27, 2016

Human Factors in Cybersecurity

Humans are a centric focus in cybersecurity

Cybersecurity remains a top concern for businesses around the world. As an effort to combat cyber attacks and threats, businesses are continuously integrating technology without realizing that technological deterministic practices are detrimental and counterproductive. Cyber threats and vulnerabilities are evolving daily; however, some of the vulnerabilities are due to unintended consequences from integrating new technologies. Without a doubt, technology can aid in combatting cyber threats and mitigating vulnerabilities. One of the biggest anomalies in cybersecurity is neglecting the implications on humans.

Cybersecurity is a human problem not only in terms of strategy but also ensuring organizations are taking a human-centric approach to the cybersecurity. There are countless examples in cybersecurity when organizations forged ahead with technological integration rather than assessing the integration with a human-centric approach. Existential research on human factors in cybersecurity tends to focus primarily on human error rather than taking a comprehensive look at the problems. In fairness, the problem lies with the lack of scientific frameworks, concepts, and models regarding human-centric issues in cybersecurity.

An ongoing strategic initiative is the proliferation of Science of Security (SoS) and Science of Cyber Security (SoCS) by leveraging existing frameworks, models, and concepts from other domains to increase the scientific rigor of the sciences mentioned above. Industry, government, and academia are working feverishly to address hard problems in SoS and SoCS. It is imperative to align the need for scientific research on human factors in cybersecurity with the ongoing efforts of SoS and SoCS. Clearly, these strategic efforts are long-term; therefore, if businesses are looking for quicker solutions it is worth exploring how the aviation and nuclear power sectors utilize human factors to reduce human error, reduce automation and information overload, and increase focus on human cognitive abilities.

From a technical aspect, cybersecurity consists of a system of systems construct, also known as composability, which involves the interdependence and interconnection of complex systems with associated processes and a multitude of variables. The variables include (a) internal factors, (b) external factors, (c) threat factors, and (d) environmental factors. Aligned under each of the categories are a litany of attributes that constantly changes and affect humans. Ensuring humans remain a top priority in cybersecurity requires the CIO and CISO to articulate to C-Suite the significance of developing cybersecurity strategies that address human-centric requirements.

Another glaring issue is the lack of businesses that employ human factors professionals to evaluate their cybersecurity programs. In fact, the cybersecurity community needs to advocate for federal entities to add the Human Factors Specialty to the list of cybersecurity workforce roles. Cybersecurity varies between organizations, so the role of human factors experts is essential for entities with large and robust cybersecurity operations. Nonetheless, all companies can benefit from employing human factors specialists. Primarily, human factors professionals can assess the impact of cybersecurity operations on (a) human work roles, (b) human-centric weaknesses, (c) cyber training and awareness, (d) organizational climate, (e) systematic and organizational processes, (f) decision-making and (g) leadership are just to name a few.

Research recently revealed two phenomena in cybersecurity: security fatigue and alert anxiety. Both security fatigue and alert anxiety occur in cybersecurity due to cognitive overload stemming from information and automation overexertion that result in cyber professionals making human induced errors and poor decision-making. Human factors specialists can assist with developing processes for identifying security fatigue and alert anxiety. These two phenomena highlight the susceptibility of cyber professionals that are analogous to risks in other technical fields.

Employing human factors experts in cyber security requires executives allocating resources and working with industry, academia, and government to solidify the role of human factors professionals in cybersecurity. Until the integration of human factors professionals into cybersecurity, there will be a continuation of human induced errors, security fatigue, and alert anxiety. As a cybersecurity professional, I ask that you evaluate your operations and determine how a human factors expert can improve your efforts in preventing cyber-attacks and combatting cybersecurity threats.