The Weakest Link In Cybersecurity Systems? You And Me

New tools draw on behavioral economics, risk psychology and neuroscience to limit the human errors that raise the risk of online attacks.

Gone phishing?
Jacques Henno

PARIS — Virus, "ransomware," data theft … Not a week goes by without the appearance of a new cyberthreat. And in a digitized world, the pressure has become huge for end users, who see themselves as the last bastion of humanity: "I should be careful — could clicking on this link contaminate my smartphone and, indirectly, my employer's computers, and then the whole Internet?" Digital security, which until recently was the prerogative of a few specialists, has become everyone's business.

But there's a problem: The aforementioned specialists must now share their knowledge with the public. And they're not prepared to do that.

Understanding the user

For a study to appear in the next issue of the IEEE Security & Privacy review, three researchers at Google asked 231 experts for three tips on protecting yourself against cyberattacks. They received, after eliminating repeats, 152 responses. "152 tips! How are you supposed to remember so much!" says Angela Sasse, professor of "human-centered security" at the University College London and director of the Research Institute in the Science of Cyber Security (RISCS). "One of today's biggest challenges for cybersecurity is to teach specialists how to reach users," she adds. In short, to make cybersecurity more human.

This is the exact opposite of what's been done since the first attempt to hack a computer remotely. In 1983, Kevin Mitnick, 20, tried to hack into the Pentagon's computers from a Californian university. Since then, IT systems have constantly demanded more technical resources. And for more than 30 years, that approach has not worked. "We have a tendency to forget that humans make up the weak link in the digital security chain," says Emmanuel Germain, deputy director of the National Cyber-Security Agency of France (ANSSI).

"More than 90% of cyberattacks begin with a 'phishing' attempt and an employee who falls for the trap," according to Jim Hansen, director general of PhishMe, an American organization specializing in phishing prevention. "These emails seem to come from a known source," he says, "but they really link to a pirating site to steal usernames and passwords."
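One defender-side way to surface the mismatch Hansen describes (a message that looks like it comes from a known source but links elsewhere) is an indicator check over the message's sender address, subject and links. The following is an added example, not code from the article or from PhishMe; the sample message and the trusted-domain set are constructed, and the names `phishing_indicators` and `base_domain` are hypothetical.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not from the article): the From address looks
# like the company helpdesk, but the link points to an unrelated domain.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: employee@example.com
Subject: Your password expires today
Content-Type: text/html

<p>Please <a href="http://example.net/login">sign in to example.com</a>
to keep your account.</p>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)+\b")
URGENCY = ("expires today", "immediately", "suspended", "verify your account")

def base_domain(host):
    """Last two labels of a hostname (a crude stand-in for a public-suffix lookup)."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw, trusted):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    _, addr = parseaddr(msg["From"] or "")
    if base_domain(addr.rsplit("@", 1)[-1]) not in trusted:
        found.append(f"sender address outside trusted domains: {addr}")
    if any(w in (msg["Subject"] or "").lower() for w in URGENCY):
        found.append("urgency wording in subject")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, label in LINK_RE.findall(html):
        host = urlparse(href).hostname or ""
        if base_domain(host) not in trusted:
            found.append(f"link target outside trusted domains: {host}")
        # The visible link text names one domain while the href goes to another.
        for shown in DOMAIN_RE.findall(label):
            if base_domain(shown) != base_domain(host):
                found.append(f"link text says {shown} but target is {host}")
    return found

if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL, {"example.com"}):
        print("-", line)
```

Such heuristics only prioritize what a person or a mail gateway should look at more closely; they are not a verdict on their own.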

Three links to reinforce

Do we have to be so concerned about end users? "In business, cybersecurity is made up of three links: management, which allocates financial and human resources; IT, which deploys these resources; and the end user, whose behavior is influenced by his employer's strategy," explains Benoît Grunemwald, a cybersecurity expert at Eset, an IT security company. "If a single one of these three links is weak, then the whole chain will be, too."

Senior management? Cybersecurity is too often seen as an unnecessary investment. If it works well, then the company isn't hacked and we don't see the point of it. "Its profitability is not obvious at first glance," says Gilles Desoblin, head of Internet security at SystemX, a technological research institute at Paris-Saclay. At least until now, digital security has been the business of a few geeks hard at work building a cyberbarrier. Convincing top managers that they'll have to invest in educating and developing tools adapted to the psychology of each end user will be harder.

Even IT departments still dream of an impenetrable IT citadel. "It's unrealistic: From the moment there are human users, zero-risk no longer exists," notes Eric Bonabeau, CEO of Icosystem, a business specializing in virtual simulation and artificial intelligence. The company has also done studies on human behavior and cybersecurity for the United States Department of Defense.

"We should instead think in terms of resilience," says Angela Sasse. "The company has to be able to continue to function, even if one or more employees have let an attack through." But for that to happen, there have to be other employees capable of stopping an attack from spreading. And so they have to be well-trained and well-equipped.

New approaches

The end user? Today, he's the ideal scapegoat: We ask him simultaneously to be the last barrier of IT defense and to do all he can with his computer to finish his work as quickly as possible. "IT has always been ahead of speed and efficiency," says Alex Blau, deputy director of Ideas42, a New York office specializing in behavioral sciences. "Consequently," he adds, "we are pushed to go fast, and so we don't think before clicking."

Under the influence of specialists in behavioral economics, risk psychology, decision-making and neuroscience, new tools are appearing and new approaches are being designed. "Every decision that affects security is a compromise between the importance of the risk and the weight of the preventive measures taken," explains Eric Bonabeau. In one department, computers are so well protected that they can take dozens of minutes to start up in the morning. During this time, senior officials read their "sensitive" emails on their personal smartphones.

Considering personalities

Today, scientists are committed to understanding how people weigh pros and cons. "My goal is to develop cyber-protections that take individual personalities into account," says Tzipora Halevi, a professor in IT and information sciences at Brooklyn College in New York.

She and several of her colleagues are trying to develop profiles of common phishing victims. According to their findings, it appears that women, frequent Facebook users and those susceptible to negative emotions (anxiety, rage, guilt), are the most likely victims. But be careful of generalizing: These behavioral studies are only just beginning.
