The Impact of Human Behavior on Cyber Security


Nancy Houston
DOI: 10.4018/978-1-4666-8793-6.ch018


Perhaps the greatest challenge to cyber security is that people are inherently behind each cyber problem as well as its solution. The reality is that people have been stealing secrets and information and attacking others for thousands of years; the technology of the Internet just allows it to happen at a faster pace and on a larger scale. This chapter describes aspects of human behavior that impact cyber security efforts. Cognitive overload, bias, incentives and behavioral traits all affect the decision making of those who develop policy and strategy, those who fall victim to cyber attacks, and those who initiate cyber attacks. Although limited research has been completed on the behavioral aspects of cyber security, many behavioral principles and models are applicable to cyber security issues.
Chapter Preview


The most difficult piece is perhaps that people are inherently behind each cybersecurity problem as well as its solution. People have been attacking others and stealing secrets for thousands of years. And that behavior will continue to be with us for the new digital age. Of concern is that the average level of awareness and security competence of the user base declines as the user population increases (Paganini, 2012).

Cryptographer Bruce Schneier’s statements that “Only amateurs attack machines; professionals target people. And the professionals are getting better and better” (Schneier, 2013) seem to be confirmed by research findings that 75% of network intrusions exploit weak or stolen credentials, 80% of data breaches reported by the U.S. government over a three-year period were caused by human error and device theft, and mishandled data causes 10 times more breaches than external attacks. Socially engineered cyber attacks prey on human traits such as fear, learned behavior, expectations, and greed. Even as the strength of firewalls and protective software grows, the shortest path into a network is most likely through human behavioral weakness.

Key Terms in this Chapter

Bias: Prejudice in favor of or against something.

Spear Phishing: An email-spoofing fraud attempt aimed at gaining unauthorized access to confidential data.

Instance Based Learning: Includes five learning mechanisms in the context of a decision making process: instance-based knowledge, recognition-based retrieval, adaptive strategies, necessity-based choice, and feedback updates.

Cognitive Load: The amount of stress placed on working memory (i.e. the mental processing power required).

Mental Model: Explanation of a person’s thought process about how something works.

Situation Awareness: A person’s perception of environmental elements with respect to time and/or space, comprehension of their meaning and projection of their status after some variable has changed.
