A Socio-Technical Perspective

Copyright: © 2021 | Pages: 32
DOI: 10.4018/978-1-7998-3979-8.ch007

Abstract

Chapter 7 uses a philosophical approach to discuss the frailty of the human psyche with regard to the implementation and use of systems through our engagement with cyberspace. Our constant exposure to newsworthy cyber security events can desensitize people to the warnings that are either apparent or subliminal. A number of key topical subject areas exploring human psychology are discussed: why people are susceptible to psychological vulnerabilities, characteristics of the human psyche that facilitate errors, how these traits can be exhibited through flawed actions causing mistakes, and preventative measures to stop deliberate and accidental actions. This analysis is of vital importance and relevance in order to combat the risks, which may appear distant and intangible to the computer end-user.

Background

In recent years, the press has reported on users being the major contributory factor in organizational data breaches. The contagion of phishing and spear phishing campaigns from outsiders has fueled this. Insider password re-use, exploitable by hackers and state actors alike, has also caused data breaches. Users and executives are arguably targets because they are the most exposed people within organizations, with access to the Internet on a daily basis, and potentially the most naïve or ignorant. Thus, attackers target them like low-hanging fruit. The employee does not need to be using a higher privilege level for an attack to succeed. Instead, all an attacker needs is an exploitable weakness in unpatched software to escalate privileges in a compromised user account (Winkler, 2015). When it comes to taking shortcuts, employees may circumvent technical controls because they are just trying to be more efficient and harbor no malicious intent (Wyatt, 2017).

Key Terms in this Chapter

Security by Obscurity: A term for when a mechanism, such as an obscure proprietary protocol, is used in place of a cyber security control, such as end-to-end encryption.

Secure-by-Design: A concept in which information and cyber security principles are considered from the outset of system design and feature through system implementation into operations.

Desire Lines: A scenario in which people deviate from the established path to take a shortcut that is more desirable and potentially expedient.

Vernam Scheme: A scheme developed for teleprinters that used modulo-2 addition to add together obscured characters with the associated plaintext character, generating the ciphertext character by character in an automated manner.

Senses: Sight, touch, hearing, smell, and taste are all facets that enable people to process, assess and perform actions from interpretation.

Defense-in-Depth: The process of architecting computer systems by layering various different types of controls from the outer boundary to the core.
