Cyber security: a complex behaviour problem?

Mains Paper 4: Internal Security
Prelims level: Cyber security
Mains level: Challenges to internal security through communication networks, role of media and social networking sites in internal security challenges, basics of cyber security; money-laundering and its prevention

Context

•  The wars of the 21st century will be to capture, manipulate or destroy others’ data. Digital systems powering organizations and nations around the world have become prime targets for attack from individual criminals, well-organized cybercrime gangs, and state-sponsored hackers.
•  Cybersecurity teams that are mostly led by technology experts tend to see the whole problem through their technological lens.
•  They tend to believe that the hacker is looking for technological weaknesses in their software or technology network.
•  They are always focused on trying to correct the technical bugs in their system.

Major highlights observed by cybersecurity experts

•  Various studies and analyses of cyber attacks across the world have shown that in more than 90% of the security breaches.
•  The enabling factor has been the negligent behaviour of users.
•  The spread of a malicious worm that attacked the US Central Command system started with the insertion of an infected USB drive by an individual in a US military laptop. It took the Pentagon more than 14 months to clean things up.
•  Cybersecurity experts understand the complexity involved in detecting the flaws in a security software, rectifying it and developing a secure technological barriers to prevent any attack.
•  Even if we understand how social hacks work, building defences is another matter altogether.
•  Simple tasks, such as getting employees to use strong passwords, changing them frequently, or avoiding the use of unsecured public Wi-Fi, are not as easy as they appear to be.
•  The complexity of the human brain creates several impediments in the initiation and maintenance of these tasks.

Implications on human behavior

•  The human brain will always try to reduce the cognitive load involved in any decision. It is for no other reason that 123456 is the most common password.

•  The human brain loves status quo. So, on being asked to change the password, the user will only want to make a minor change to the existing password.

•  So if the old password is password1, the new password will most probably be password2.

•  Humans have very poor ability to evaluate risk.

•  Various researches have shown that humans evaluate the risk involved in a particular action not based on any elaborate calculation but how one feels about the action one is taking.

•  If one feels positive about the outcome of that decision, they are likely to judge the risk of that action to be low.

•  So for an employee watching a movie after working for long hours, the enjoyment the movie provides far outweighs the risk involved in using an insecure USB drive.

•  The choice between the enjoyment in the immediate moment and a potential risk in future, the human brain will always have a bias for the present.

•  Combined with our brain’s tendency to discount the future, more so risks in future, most employees will have a tendency to underestimate the risk involved in their decisions.

•  Appropriate emotions about risks are generated when a well publicized news about a cyberattack is made available to everyone concerned.

•  As long as the news of the event is available in one’s memory, everyone will get into a cautionary mode and will follow the required security measures.

Way forward

•  However, as the memories of those incidents recede, people get complacent.
•  Very rarely do security experts realize that a complacent mental mode an employee gets into opens up far more opportunities for a cyberattack than even a significant flaw in the software of a security system.
•  The billions of dollars are being spent to take care of the technical requirement of cybersecurity, there is comparatively little investment made to understand and influence the human behaviour around cybersecurity.
•  The sooner we realize that the most powerful technological solutions are no match for a cyberattacker with an excellent understanding of the working of the human brain, the safer our cyber world will be.

Online Coaching for UPSC PRE Exam

General Studies Pre. Cum Mains Study Materials

Prelims Questions:

Q.1) Consider the following about "open source" software.
Assertion (A): The Government of India has proposed a ban on the use of open source software in India for official government purposes.
Reason (R): Open source software is publicly accessible, shareable and modifiable.

In the context of the above, which of these is correct?
a) A is correct, and R is an appropriate explanation of A.
b) A is correct, but R is not an appropriate explanation of A.
c) A is correct, but R is incorrect.
d) A is incorrect, but R is correct

Answer: D

Mains Questions:
Q.1) Contrary to what experts believe, it is human behaviour that is often the weakest link in the online security chain. Critically examine.