The Weakest Link In Cybersecurity Systems? You And Me

New tools draw on the work of experts in behavioral economics, risk psychology and neuroscience to limit the human errors that raise the risk of online attacks.

Gone phishing?
Jacques Henno

PARIS — Virus, "ransomware," data theft … Not a week goes by without the appearance of a new cyberthreat. And in a digitized world, the pressure has become huge for end users, who see themselves as the last bastion of humanity: "I should be careful — could clicking on this link contaminate my smartphone and, indirectly, my employer's computers, and then the whole Internet?" Digital security, which until recently was the prerogative of a few specialists, has become everyone's business.

But there's a problem: The aforementioned specialists must now share their knowledge with the public. And they're not prepared to do that.

Understanding the user

For a study to appear in the next issue of the IEEE Security & Privacy review, three researchers at Google asked 231 experts for three tips on protecting yourself against cyberattacks. They received, after eliminating repeats, 152 responses. "152 tips! How are you supposed to remember so much!" says Angela Sasse, professor of "human-centered security" at University College London and director of the Research Institute in the Science of Cyber Security (RISCS). "One of today's biggest challenges for cybersecurity is to teach specialists how to reach users," she adds. In short, to make cybersecurity more human.

This is the exact opposite of what's been done since the first attempt to hack a computer remotely. In 1983, Kevin Mitnick, 20, tried to hack into the Pentagon's computers from a Californian university. Since then, IT systems have constantly demanded more technical resources. And it's been over 30 years of that not working. "We have a tendency to forget that humans make up the weak link in the digital security chain," says Emmanuel Germain, the adjunct director of the National Cyber-Security Agency of France (ANSSI).

"More than 90% of cyberattacks begin with a "phishing" attempt and an employee who falls for the trap," according to Jim Hansen, director general of PhishMe, an American organization specializing in "phishing" prevention. "These emails seem to come from a known source," he says, "but they really link to a pirating site to steal usernames and passwords."

Three links to reinforce

Do we have to be so concerned about end users? "In business, cybersecurity is made up of three links: management, which allocates financial and human resources; IT, which deploys these resources; and the end user, whose behavior is influenced by his employer's strategy," explained Benoît Grunemwald, a cybersecurity expert at Eset, an IT security company. "If a single one of these three links is weak, then the whole chain will be, too."

Senior management? Cybersecurity is too often seen as an unnecessary investment. If it works well, then the company isn't hacked and we don't see the point of it. "Its profitability is not obvious at first glance," says Gilles Desoblin, head of Internet security at SystemX, a technological research institute at Paris-Saclay. At least until now, digital security has been the business of a few geeks hard at work building a cyberbarrier. Convincing top managers that they'll have to invest in education and in developing tools adapted to the psychology of each end user will be harder.

Even IT departments still dream of an impenetrable IT citadel. "It's unrealistic: From the moment there are human users, zero-risk no longer exists," notes Eric Bonabeau, CEO of Icosystem, a business specializing in virtual simulation and artificial intelligence. The company has also done studies on human behavior and cybersecurity for the United States Department of Defense.

"We should instead think in terms of resilience," says Angela Sasse. "The company has to be able to continue to function, even if one or more employees have let an attack through." But for that to happen, there have to be other employees capable of stopping an attack from spreading. And so they have to be well-trained and well-equipped.

New approaches

The end user? Today, he's the ideal scapegoat: We ask him simultaneously to be the last IT barrier of defense and to do all he can with his computer to finish his work as quickly as possible. "IT has always been ahead of speed and efficiency," says Alex Blau, adjunct director of Ideas42, a New York office specializing in behavioral sciences. "Consequently," he adds, "we are pushed to go fast, and so we don't think before clicking."

Under the influence of specialists in behavioral economics, the psychology of risk and decision-making, and neuroscience, new tools are appearing and new approaches are being designed. "Every decision that affects security is a compromise between the importance of risk and the weight of the preventative measures taken," explains Eric Bonabeau. In such a department, computers are so well-protected that they can take dozens of minutes to turn on in the morning. During this time, senior officials read their "sensitive" emails on their personal smartphones.

Considering personalities

Today, scientists are committed to understanding how people weigh pros and cons. "My goal is to develop cyber-protections that take individual personalities into account," says Tzipora Halevi, a professor in IT and information sciences at Brooklyn College in New York.

She and several of her colleagues are trying to develop profiles of common phishing victims. According to their findings, it appears that women, frequent Facebook users and those susceptible to negative emotions (anxiety, rage, guilt) are the most likely victims. But be careful of generalizing: These behavioral studies are only just beginning.


Ecological Angst In India, A Mining Dumpsite As Neighbor

Local villagers in western India have been forced to live with a mining waste site on the edge of town. What happens when you wake up one day and the giant mound of industrial waste has imploded?

The mining dumpsite is situated just outside of the Badi village in the coastal state of Gujarat

Sukanya Shantha

BADI — Last week, when the men and women from the Bharwad community in this small village in western India stepped out for their daily work to herd livestock, they were greeted with a strange sight.

The 20-meter-high small hill that had formed at the open-cast mining dumpsite had suddenly sunk. Unsure of the reason behind the sudden caving-in, they immediately informed other villagers. In no time, word had traveled far, even drawing the attention of environment specialists and activists from outside town.

This mining dumpsite situated less than 500 meters outside of the Badi village in the coastal state of Gujarat has been a matter of serious concern ever since the Gujarat Power Corporation Limited began lignite mining work here in early 2017. The power plant is run by the Power Gujarat State Electricity Corporation Limited, which was previously known as the Bhavnagar Energy Company Ltd.

Vasudev Gohil, a 43-year-old resident of Badi village says that though the dumping site is technically situated outside the village, locals must pass the area on a daily basis.

"We are constantly on tenterhooks and looking for danger signs," he says. Indeed, their state of alert is how the sudden change in the shape of the dumpsite was noticed in the first place.

Can you trust environmental officials?

For someone visiting the place for the first time, the changes may not stand out. "But we have lived all our lives here, we know every little detail of this village. And when a 150-meter-long stretch caves in by over 25-30 feet, the change can't be overlooked," Gohil adds.

This is not the first time that the dumpsite has worried local residents. Last November, a large part of the flattened part of the dumpsite had developed deep cracks and several flat areas had suddenly got elevated. While the officials had attributed this significant elevation to the high pressure of water in the upper strata of soil in the region, environment experts had pointed to seismic activities. The change is evident even today, nearly a year since it happened.


After the recent incident, when the villagers raised an alarm and sent a written complaint to the regional Gujarat Pollution Control Board, an official visit to the site was arranged, along with the district administration and the mining department.

The regional pollution board officer for Bhavnagar, A.G. Oza, insists the changes "aren't worrisome" and attributes them to the weather.

"The area received heavy rain this time. It is possible that the soil could have sunk in because of the rain," he tells The Wire. The Board, he says, along with the mining department, is now trying to assess if the caving-in had any impact on the ground surface.

"We visited the site as soon as a complaint was made. Samples have already been sent to the laboratory and we will have a clear idea only once the reports are made available," Oza adds.

Women from the Surkha village have to travel several kilometers to find potable water

Sukanya Shantha/The Wire

A questionable claim

That the dumpsite had sunk in was noticeable for at least three days between October 1 and 3, but Rohit Prajapati, of the environmental watchdog group Paryavaran Suraksha Samiti, noted that it was not the first time.

"This is the third time in four years that something so strange is happening. It is a disaster in the making and the authorities ought to examine the root cause of the problem," Prajapati says, adding that the department has repeatedly failed to properly address the issue.

He also contests the GPCB's claim that excess rain could lead to something so drastic. "Then why was similar impact not seen on other dumping sites in the region? One cannot arrive at conclusions for geological changes without a deeper study of them," he says. "It can have deadly implications."

Living in pollution

The villagers have also accused the GPCB of overlooking their complaint of water pollution which has rendered a large part of the land, most importantly, the gauchar or grazing land, useless.

"In the absence of a wall or a barrier, the pollutant has freely mixed with the water bodies here and has slowly started polluting both our soil and water," complains 23- year-old Nikul Kantharia.

He says ever since the mining project took off in the region, he, like most other villagers, has been forced to take his livestock farther away to graze. "Nothing grows on the grazing land anymore and the grass closer to the dumpsite makes our cattle ill," Kantharia claims.


Prajapati and Bharat Jambucha, a well-known environmental activist and proponent of organic farming from the region, both point to blatant violations of environmental laws in the execution of mining work, with at least 12 violations cited by local officials. "But nothing happened after that. Mining work has continued without any hassles," Jambucha says. The glaring violations include the absence of a boundary wall around the dumping site and of proper disposal of mining effluents.

The mining work has also continued without the most basic requirement, an effluent treatment plant and a sewage treatment plant at the mining site, Prajapati points out. "The mining work should have been stopped long ago. And the company should have been levied a heavy fine. But no such thing happened," he adds.

In some villages, the groundwater level has depleted over the past few years and villagers attribute it to the mining project. Women from Surkha village travel several kilometers outside for potable water. "This is new. Until five years ago, we had some water in the village and did not have to lug water every day," says Shilaben Kantharia.

The mine has affected the landscape around the villages

Sukanya Shantha/The Wire

Resisting lignite mining

The lignite mining project has a long history of resistance. Agricultural land, along with grazing land, was acquired from the cluster of 12 adjoining villages in the coastal Ghogha taluka between 1994 and 1997. The locals estimate that villagers here lost anywhere between 40% and 100% of their land to the project. "We were paid a standard Rs 40,000 per bigha," Narendra, a local photographer, says.

The money, Narendra says, felt decent in 1994 but for those who had been dependent on this land, the years to come proved very challenging. "Several villagers have now taken a small patch of land in the neighboring villages on lease and are cultivating cotton and groundnut there," Narendra says.


Bharat Jambucha says things get further complicated for the communities which were historically landless. "Most families belonging to the Dalit or other marginalized populations in the region never owned any land. They were dependent on others' land for work. Once villagers lost their land to the project, the landless were pushed out of the village," he adds. His organization, Prakrutik Kheti Juth, has been at the forefront, fighting for the rights of the villages affected in the lignite mining project.

In 2017, when the mining project finally took off, villagers from across 12 villages protested. The demonstration was disrupted after police used force and beat many protesters. More than 350 of them were booked for rioting.

The villagers, however, did not give up. Protests and hunger strikes have continued from time to time. A few villagers even sent a letter to the President of India threatening that they would commit suicide if the government did not return their land.

"We let them have our land for over 20 years," says Gohil.
