New tools rely on the influence of experts in behavioral economics, risk psychology and neuroscience to limit errors humans make to raise risk of online attacks.
PARIS — Virus, "ransomware," data theft … Not a week goes by without the appearance of a new cyberthreat. And in a digitized world, the pressure has become huge for end users, who see themselves as the last bastion of humanity: "I should be careful — could clicking on this link contaminate my smartphone and, indirectly, my employer's computers, and then the whole Internet?" Digital security, which until recently was the prerogative of a few specialists, has become everyone's business.
But there's a problem: The aforementioned specialists must now share their knowledge with the public. And they're not prepared to do that.
Understanding the user
For a study to appear in the next issue of the IEEE Security & Privacy review, three researchers at Google asked 231 experts for three tips on protecting yourself against cyberattacks. They received, after eliminating repeats, 152 responses. "152 tips! How are you supposed to remember so much!" says Angela Sasse, professor of "human-centered security" at the University College London and director of the Research Institute in the Science of Cyber Security (RISCS). "One of today's biggest challenges for cybersecurity is to teach specialists how to reach users," she adds. In short, to make cybersecurity more human.
This is the exact opposite of what's been done since the first attempt to hack a computer remotely. In 1983, Kevin Mitnick, 20, tried to hack into the Pentagon's computers from a Californian university. Since then, IT systems have constantly demanded more technical resources. And it's been over 30 years of that not working. "We have a tendency to forget that humans make up the weak link in the digital security chain," says Emmanuel Germain, the adjunct director of the National Cyber-Security Agency of France (ANSSI).
"More than 90% of cyberattacks begin with a "phishing" attempt and an employee who falls for the trap," according to Jim Hansen, director general of PhishMe, an American organization specializing in "phishing" prevention. "These emails seem to come from a known source," he says, "but they really link to a pirating site to steal usernames and passwords."
Three links to reinforce
Do we have to be so concerned about end users? "In business, cybersecurity is made up of three links: management, which allocates financial and human resources; IT, which deploys these resources; and the end user, whose behavior is influenced by his employer's strategy," explained Benoît Grunemwald, a cybersecurity expert at Eset, an IT security company. "If a single one of these three links is weak, then the whole chain will be, too."
Senior management? Cybersecurity is too often seen as an unnecessary investment. If it works well, then the company isn't hacked and we don't see the point of it. "Its profitability is not obvious at first glance," says Gilles Desoblin, head of Internet security at SystemX, a technological research institute at Paris-Saclay. At least until now, digital security has been the business of a few geeks hard at work building a cyberbarrier. Convincing top managers that they'll have to invest in educating and developing tools adapted to the psychology of each end user will be harder.
Even IT departments still dream of an impenetrable IT citadel. "It's unrealistic: From the moment there are human users, zero-risk no longer exists," notes Eric Bonabeau, CEO of Icosystem, a business specializing in virtual simulation and artificial intelligence. The company has also done studies on human behavior and cybersecurity for the United States Department of Defense.
"We should instead think in terms of resilience," says Angela Sasse. "The company has to be able to continue to function, even if one or more employees have let an attack through." But for that to happen, there have to be other employees capable of stopping an attack from spreading. And so they have to be well-trained and well-equipped.
The end user? Today, he's the ideal scapegoat: We ask him simultaneously to be the last IT barrier of defense and to do all he can with his computer to finish his work as quickly as possible. "IT has always been ahead of speed and efficiency," says Alex Blau, adjunct director of Ideas42, a New York office specializing in behavioral sciences. "Consequently," he adds, "we are pushed to go fast, and so we don't think before clicking."
Under the influence of behavioral economics specialists, the psychology of risk, of decision-making and of neuroscience, new tools appear and new approaches are designed. "Every decision that affects security is a compromise between the importance of risk and the weight of the preventative measures taken," explains Eric Bonabeau. In such a department, computers are so well-protected that they can take dozens of minutes to turn on in the morning. During this time, senior officials read their "sensitive" emails on their personal smartphones.
Today, scientists are committed to understanding how people weigh pros and cons. "My goal is to develop cyber-protections that take individual personalities into account," says Tzipora Halevi, a professor in IT and information sciences at Brooklyn College in New York.
She and several of her colleagues are trying to develop profiles of common phishing victims. According to their findings, it appears that women, frequent Facebook users and those susceptible to negative emotions (anxiety, rage, guilt), are the most likely victims. But be careful of generalizing: These behavioral studies are only just beginning.