Participatory ergonomics may provide the key to enhancing cyber security, particularly against insider threats.
Cyber
security operates at a systemic level where users, service providers
and commercial or social outlets, such as specific banking, retail,
social networks and forums come together in shared and virtual
interactions within cyberspace in order to process transactions. A key
feature of this virtual interaction is that there are no formal policing
agents present and no common law of cyberspace as in the real world. As
a result, social norms are easily distorted and exploited creating
socio-technical vulnerabilities for security threats.
Perhaps the
closest thing to any form of online policing would be moderators of
social networks and forums, but these are often volunteers with no
formal training and ultimately no legal responsibility for ensuring
cyber security. While there are protocols to support secure
transactions, especially when people are providing their personal and
banking details to retail sites, social media sites are particularly
vulnerable to identity theft through the information people might freely
and/or unsuspectingly provide to third parties.
Another factor in
cyber security is the potential for temporal distortions across cyber
media. Historic postings or blogs might propagate future security
threats in ways that real world artefacts may not. Threats can emerge
rapidly and dynamically in response to immediate situations, while in
other circumstances data can lie dormant for long periods of time. It is
not always clear what cyber data might prompt specific responses in the
future and understanding the ways in which users might draw
significance from cyber media is an important part of understanding
cyber influence.
From a human factors perspective, traditional interpretations of security pose a number of challenges for cyber security:
Who are the users and where are they located at the time of their interaction?
Who is responsible for cyber security?
How do we identify user needs for cyber security?
What methods and tools might be available/appropriate for eliciting cyber security requirements?
What might characterise suspicious behaviour within the cyber domain?
What is the nature of the subject being observed? Is it a behaviour, a state, an action?
How are social norms and the bases of interaction, such as identity and trust, developed and/or distorted in cyberspace?
Underlying
these challenges are fundamental issues of security and user
performance in reducing the likelihood of human error in cyber
interactions. There is a need for formal methods that allow
investigators to analyse and verify the correctness of interactive
systems, particularly with regards to human interaction. Linked to this
need is the emergence of asymmetric threats from ‘insiders’ that
requires a more detailed socio-technological perspective.
Insider threats
While
there is no agreed definition for the term ‘insider threat,’ it can
include anyone with access to an organisation’s internal processes such
as contractors, consultants and other business partners with privileged
access. More often the term is used to refer to immediate employees who
have a grievance or who have been manipulated to infiltrate specific
security measures. However, insider threats can originate from less
obvious sources, such as opening an email attachment from an unknown
sender, an action that can threaten the integrity of an organisation’s
data storage and processes.
Insider threats continue to be a
challenge in security research. Recent research provides unequivocal
evidence to support the significance of this threat, with insider crimes
causing more damage to an organisation than external attacks. Notable
cases such as Robert Hanssen,
an FBI agent who spied for Russia for 22 years, illustrate the scale of
damage an insider cyber attack can have on an organisations and
governments. Even with high profile cases such as the Snowden and
Wikileaks revelations, the threat of trusted organisational insiders
committing cybercrime has received less media and public attention than
other cyber threats and there has been little shifting of attitudes
despite high-profile campaigns to raise awareness of instances of
insiders stealing trade secrets.
A number of myths surround insider threats including:
More attacks come from the inside than from external sources:
Recent FBI Crime Surveys have reported more externally-initiated
attacks focusing on internal weaknesses, such as phishing emails.
Insider and external attack patterns are similar:
Insiders have the advantage of knowing what and where valuable
resources are within an organisation and therefore may not conduct
traditional hostile reconnaissance activities.
Responding to insider attacks is similar to responding to external attacks: Profiling
suspected insiders is proving to be one of the best ways of reverse
engineering an insider attack. Profiling suspected external attacks
would always be difficult as external networks are beyond the control of
the organisation.
Tools to detect external attacks can be effective for monitoring insider threats: Monitoring
tools developed for externally initiated attacks are generally based on
access and authentication. Such tools are less effective against
insiders who already have been granted legitimate access to sensitive
data and systems.
Insider incidents are not always reported by
organisations due to fear of negative publicity, difficulty in
identifying culprits, ignorance of the attacks, or overlooking incidents
due to apparent low impact.
User-centred security
Only
by considering the issues and understanding the underlying requirements
that different users and stakeholders might have, can a more integrated
approach to cyber security be developed from a user-centred
perspective.
When investigating user needs, a fundamental issue is
the correct identification of user requirements for developing
successful products and processes that specifically meet user needs and
expectations. Along with participatory ergonomics methods, this approach
can provide valuable insights into user needs and limitations, with
proposed solutions as well as opportunities for user ‘buy in’ at an
early stage of the development cycle.
User requirements embody
critical elements that end users and stakeholders need and desire from a
product or process. Requirements elicitation is characterised by
extensive communication activities between a wide range of people from
different backgrounds and knowledge areas, including end-users,
stakeholders, project owners or champions, mediators (often the role of
the human factors experts) and developers. End-users are often experts
in their specific work areas and possess deep levels of knowledge gained
over time that can be difficult to communicate to others. Users, who
possess unique expert knowledge of their domain, will often not realise
what aspects of their implicit knowledge are of critical importance to a
design team.
In order to capture emergent behaviours, the process
of user requirement elicitation needs a framework of understanding
potential and plausible behaviours. However, these two factors are not
always balanced and solutions might emerge that are not fully exploited
or used as intended. Participatory ergonomics approaches seek to
incorporate end-users and wider stakeholders within work analysis,
design processes and solution generation as their reactions,
interactions, optimised use and acceptance of the solutions will
ultimately dictate the effectiveness and success of the overall system
performance, as well as acceptance of the system.
Behaviour
profiling based on applied psychology and behavioural science offer
unique insights into normal and anomalous behaviours. Such approaches
provide the potential to bring together various human and technical
factors in developing practical solutions, thus improving the security
of the cyber world in which we all spend significant amounts of our
time.
By Alex Stedmon, Siraj Shaikh, Dale Richards, Harsha Kalutarage, John Huddlestone & Ruairidh Davison from the Faculty of Engineering and Computing at Coventry University.
This article first appeared in issue 534 of The Ergonomist, December 2014.
Back