Participatory ergonomics may provide the key to enhancing cyber security, particularly against insider threats.
Cyber security operates at a systemic level where users, service providers and commercial or social outlets, such as specific banking, retail, social networks and forums come together in shared and virtual interactions within cyberspace in order to process transactions. A key feature of this virtual interaction is that there are no formal policing agents present and no common law of cyberspace as in the real world. As a result, social norms are easily distorted and exploited creating socio-technical vulnerabilities for security threats.
Perhaps the closest thing to any form of online policing would be moderators of social networks and forums, but these are often volunteers with no formal training and ultimately no legal responsibility for ensuring cyber security. While there are protocols to support secure transactions, especially when people are providing their personal and banking details to retail sites, social media sites are particularly vulnerable to identity theft through the information people might freely and/or unsuspectingly provide to third parties.
Another factor in cyber security is the potential for temporal distortions across cyber media. Historic postings or blogs might propagate future security threats in ways that real world artefacts may not. Threats can emerge rapidly and dynamically in response to immediate situations, while in other circumstances data can lie dormant for long periods of time. It is not always clear what cyber data might prompt specific responses in the future and understanding the ways in which users might draw significance from cyber media is an important part of understanding cyber influence.
From a human factors perspective, traditional interpretations of security pose a number of challenges for cyber security:
Who are the users and where are they located at the time of their interaction?
Who is responsible for cyber security?
How do we identify user needs for cyber security?
What methods and tools might be available/appropriate for eliciting cyber security requirements?
What might characterise suspicious behaviour within the cyber domain?
What is the nature of the subject being observed? Is it a behaviour, a state, an action?
How are social norms and the bases of interaction, such as identity and trust, developed and/or distorted in cyberspace?
Underlying these challenges are fundamental issues of security and user performance in reducing the likelihood of human error in cyber interactions. There is a need for formal methods that allow investigators to analyse and verify the correctness of interactive systems, particularly with regards to human interaction. Linked to this need is the emergence of asymmetric threats from ‘insiders’ that requires a more detailed socio-technological perspective.
Insider threats
While there is no agreed definition for the term ‘insider threat,’ it can include anyone with access to an organisation’s internal processes such as contractors, consultants and other business partners with privileged access. More often the term is used to refer to immediate employees who have a grievance or who have been manipulated to infiltrate specific security measures. However, insider threats can originate from less obvious sources, such as opening an email attachment from an unknown sender, an action that can threaten the integrity of an organisation’s data storage and processes.
Insider threats continue to be a challenge in security research. Recent research provides unequivocal evidence to support the significance of this threat, with insider crimes causing more damage to an organisation than external attacks. Notable cases such as Robert Hanssen, an FBI agent who spied for Russia for 22 years, illustrate the scale of damage an insider cyber attack can have on an organisations and governments. Even with high profile cases such as the Snowden and Wikileaks revelations, the threat of trusted organisational insiders committing cybercrime has received less media and public attention than other cyber threats and there has been little shifting of attitudes despite high-profile campaigns to raise awareness of instances of insiders stealing trade secrets.
A number of myths surround insider threats including:
More attacks come from the inside than from external sources: Recent FBI Crime Surveys have reported more externally-initiated attacks focusing on internal weaknesses, such as phishing emails.
Insider and external attack patterns are similar: Insiders have the advantage of knowing what and where valuable resources are within an organisation and therefore may not conduct traditional hostile reconnaissance activities.
Responding to insider attacks is similar to responding to external attacks: Profiling suspected insiders is proving to be one of the best ways of reverse engineering an insider attack. Profiling suspected external attacks would always be difficult as external networks are beyond the control of the organisation.
Tools to detect external attacks can be effective for monitoring insider threats: Monitoring tools developed for externally initiated attacks are generally based on access and authentication. Such tools are less effective against insiders who already have been granted legitimate access to sensitive data and systems.
Insider incidents are not always reported by organisations due to fear of negative publicity, difficulty in identifying culprits, ignorance of the attacks, or overlooking incidents due to apparent low impact.
User-centred security
Only by considering the issues and understanding the underlying requirements that different users and stakeholders might have, can a more integrated approach to cyber security be developed from a user-centred perspective.
When investigating user needs, a fundamental issue is the correct identification of user requirements for developing successful products and processes that specifically meet user needs and expectations. Along with participatory ergonomics methods, this approach can provide valuable insights into user needs and limitations, with proposed solutions as well as opportunities for user ‘buy in’ at an early stage of the development cycle.
User requirements embody critical elements that end users and stakeholders need and desire from a product or process. Requirements elicitation is characterised by extensive communication activities between a wide range of people from different backgrounds and knowledge areas, including end-users, stakeholders, project owners or champions, mediators (often the role of the human factors experts) and developers. End-users are often experts in their specific work areas and possess deep levels of knowledge gained over time that can be difficult to communicate to others. Users, who possess unique expert knowledge of their domain, will often not realise what aspects of their implicit knowledge are of critical importance to a design team.
In order to capture emergent behaviours, the process of user requirement elicitation needs a framework of understanding potential and plausible behaviours. However, these two factors are not always balanced and solutions might emerge that are not fully exploited or used as intended. Participatory ergonomics approaches seek to incorporate end-users and wider stakeholders within work analysis, design processes and solution generation as their reactions, interactions, optimised use and acceptance of the solutions will ultimately dictate the effectiveness and success of the overall system performance, as well as acceptance of the system.
Behaviour profiling based on applied psychology and behavioural science offer unique insights into normal and anomalous behaviours. Such approaches provide the potential to bring together various human and technical factors in developing practical solutions, thus improving the security of the cyber world in which we all spend significant amounts of our time.
By Alex Stedmon, Siraj Shaikh, Dale Richards, Harsha Kalutarage, John Huddlestone & Ruairidh Davison from the Faculty of Engineering and Computing at Coventry University.
This article first appeared in issue 534 of The Ergonomist, December 2014.