
The Weakest Link In Cybersecurity Systems? You And Me

New tools draw on the work of experts in behavioral economics, risk psychology and neuroscience to limit the human errors that raise the risk of online attacks.

Gone phishing?
Jacques Henno

PARIS — Virus, "ransomware," data theft … Not a week goes by without the appearance of a new cyberthreat. And in a digitized world, the pressure has become huge for end users, who see themselves as the last bastion of humanity: "I should be careful — could clicking on this link contaminate my smartphone and, indirectly, my employer's computers, and then the whole Internet?" Digital security, which until recently was the prerogative of a few specialists, has become everyone's business.

But there's a problem: The aforementioned specialists must now share their knowledge with the public. And they're not prepared to do that.

Understanding the user

For a study to appear in the next issue of the IEEE Security & Privacy review, three researchers at Google asked 231 experts for three tips on protecting yourself against cyberattacks. They received, after eliminating repeats, 152 responses. "152 tips! How are you supposed to remember so much!" says Angela Sasse, professor of "human-centered security" at University College London and director of the Research Institute in the Science of Cyber Security (RISCS). "One of today's biggest challenges for cybersecurity is to teach specialists how to reach users," she adds. In short, to make cybersecurity more human.

This is the exact opposite of what's been done since the first attempt to hack a computer remotely. In 1983, Kevin Mitnick, 20, tried to hack into the Pentagon's computers from a Californian university. Since then, IT systems have constantly demanded more technical resources. And it's been over 30 years of that not working. "We have a tendency to forget that humans make up the weak link in the digital security chain," says Emmanuel Germain, the adjunct director of the National Cyber-Security Agency of France (ANSSI).

"More than 90% of cyberattacks begin with a 'phishing' attempt and an employee who falls for the trap," according to Jim Hansen, director general of PhishMe, an American organization specializing in "phishing" prevention. "These emails seem to come from a known source," he says, "but they really link to a pirating site to steal usernames and passwords."

Three links to reinforce

Do we have to be so concerned about end users? "In business, cybersecurity is made up of three links: management, which allocates financial and human resources; IT, which deploys these resources; and the end user, whose behavior is influenced by his employer's strategy," explained Benoît Grunemwald, a cybersecurity expert at Eset, an IT security company. "If a single one of these three links is weak, then the whole chain will be, too."

Senior management? Cybersecurity is too often seen as an unnecessary investment. If it works well, then the company isn't hacked and we don't see the point of it. "Its profitability is not obvious at first glance," says Gilles Desoblin, head of Internet security at SystemX, a technological research institute at Paris-Saclay. At least until now, digital security has been the business of a few geeks hard at work building a cyberbarrier. Convincing top managers that they'll have to invest in educating and developing tools adapted to the psychology of each end user will be harder.

Even IT departments still dream of an impenetrable IT citadel. "It's unrealistic: From the moment there are human users, zero-risk no longer exists," notes Eric Bonabeau, CEO of Icosystem, a business specializing in virtual simulation and artificial intelligence. The company has also done studies on human behavior and cybersecurity for the United States Department of Defense.

"We should instead think in terms of resilience," says Angela Sasse. "The company has to be able to continue to function, even if one or more employees have let an attack through." But for that to happen, there have to be other employees capable of stopping an attack from spreading. And so they have to be well-trained and well-equipped.

New approaches

The end user? Today, he's the ideal scapegoat: We ask him simultaneously to be the last IT barrier of defense and to do all he can with his computer to finish his work as quickly as possible. "IT has always been ahead of speed and efficiency," says Alex Blau, adjunct director of Ideas42, a New York office specializing in behavioral sciences. "Consequently," he adds, "we are pushed to go fast, and so we don't think before clicking."

Under the influence of specialists in behavioral economics, the psychology of risk and decision-making, and neuroscience, new tools are appearing and new approaches are being designed. "Every decision that affects security is a compromise between the importance of risk and the weight of the preventative measures taken," explains Eric Bonabeau. In such a department, computers are so well-protected that they can take dozens of minutes to turn on in the morning. During this time, senior officials read their "sensitive" emails on their personal smartphones.

Considering personalities

Today, scientists are committed to understanding how people weigh pros and cons. "My goal is to develop cyber-protections that take individual personalities into account," says Tzipora Halevi, a professor in IT and information sciences at Brooklyn College in New York.

She and several of her colleagues are trying to develop profiles of common phishing victims. According to their findings, it appears that women, frequent Facebook users and those susceptible to negative emotions (anxiety, rage, guilt) are the most likely victims. But be careful of generalizing: These behavioral studies are only just beginning.
