Cyber security: a complex behaviour
Mains Paper 4: Internal Security
Prelims level: Cyber security
Mains level: Challenges to internal security through communication networks,
role of media and social networking sites in internal security challenges,
basics of cyber security; money-laundering and its prevention
- The wars of the 21st century will be to capture, manipulate or
destroy others’ data. Digital systems powering organizations and nations
around the world have become prime targets for attack from individual
criminals, well-organized cybercrime gangs, and state-sponsored hackers.
- Cybersecurity teams that are mostly led by technology experts tend
to see the whole problem through their technological lens.
- They tend to believe that the hacker is looking for technological
weaknesses in their software or technology network.
- They are always focused on trying to correct the technical bugs in
Major highlights observed by cybersecurity experts
- Various studies and analyses of cyber attacks across the world
have shown that in more than 90% of the security breaches.
- The enabling factor has been the negligent behaviour of users.
- The spread of a malicious worm that attacked the US Central
Command system started with the insertion of an infected USB drive by an
individual in a US military laptop. It took the Pentagon more than 14 months
to clean things up.
- Cybersecurity experts understand the complexity involved in
detecting the flaws in a security software, rectifying it and developing a
secure technological barriers to prevent any attack.
- Even if we understand how social hacks work, building defences is
another matter altogether.
- Simple tasks, such as getting employees to use strong passwords,
changing them frequently, or avoiding the use of unsecured public Wi-Fi, are
not as easy as they appear to be.
- The complexity of the human brain creates several impediments in
the initiation and maintenance of these tasks.
Implications on human behavior
The human brain will always try to reduce the
cognitive load involved in any decision. It is for no other reason that
123456 is the most common password.
The human brain loves status quo. So, on being asked
to change the password, the user will only want to make a minor change to
the existing password.
So if the old password is password1, the new password
will most probably be password2.
Humans have very poor ability to evaluate risk.
Various researches have shown that humans evaluate the
risk involved in a particular action not based on any elaborate calculation
but how one feels about the action one is taking.
If one feels positive about the outcome of that
decision, they are likely to judge the risk of that action to be low.
So for an employee watching a movie after working for
long hours, the enjoyment the movie provides far outweighs the risk involved
in using an insecure USB drive.
The choice between the enjoyment in the immediate
moment and a potential risk in future, the human brain will always have a
bias for the present.
Combined with our brain’s tendency to discount the
future, more so risks in future, most employees will have a tendency to
underestimate the risk involved in their decisions.
Appropriate emotions about risks are generated when a
well publicized news about a cyberattack is made available to everyone
As long as the news of the event is available in one’s
memory, everyone will get into a cautionary mode and will follow the
required security measures.
- However, as the memories of those incidents recede, people get
- Very rarely do security experts realize that a complacent mental
mode an employee gets into opens up far more opportunities for a cyberattack
than even a significant flaw in the software of a security system.
- The billions of dollars are being spent to take care of the
technical requirement of cybersecurity, there is comparatively little
investment made to understand and influence the human behaviour around
- The sooner we realize that the most powerful technological
solutions are no match for a cyberattacker with an excellent understanding
of the working of the human brain, the safer our cyber world will be.
Q.1) Consider the following about "open source" software.
Assertion (A): The Government of India has proposed a ban on the use of open
source software in India for official government purposes.
Reason (R): Open source software is publicly accessible, shareable and
In the context of the above, which of these is correct?
a) A is correct, and R is an appropriate explanation of A.
b) A is correct, but R is not an appropriate explanation of A.
c) A is correct, but R is incorrect.
d) A is incorrect, but R is correct
Q.1) Contrary to what experts believe, it is human behaviour that is
often the weakest link in the online security chain. Critically examine.