
Human error is the weakest link in the cybersecurity chain. Here are 3 ways to fix it


Despite huge advances in cybersecurity, one weakness continues to overshadow all others: human error.

Research has consistently shown human error is responsible for an overwhelming majority of successful cyber attacks. A recent report puts the figure at 68%.

No matter how advanced our technological defences become, the human element is likely to remain the weakest link in the cybersecurity chain. This weakness affects everyone using digital devices, yet traditional cyber education and awareness programs – and even new, forward-looking laws – fail to adequately address it.

So, how can we deal with human-centric cybersecurity-related challenges?

Understanding human error

There are two types of human error in the context of cybersecurity.

The first is skills-based errors. These occur when people are doing routine things – especially when their attention is diverted.

For example, you might forget to back up the data on your computer. You know you should do it and know how to do it (because you have done it before). But because you need to get home early, can’t remember when you last did it or have a pile of emails to answer, you don’t. If an attacker then encrypts or destroys that data, you are exposed to their ransom demand, because without a backup there is no other way to recover the original data.

The second type is knowledge-based errors. These occur when someone with less experience makes cybersecurity mistakes because they lack important knowledge or don’t follow specific rules.

For example, you might click on a link in an email from an unknown sender without knowing where it leads. The link might deliver malware to your device, which could result in you being hacked and losing your money and data.

Traditional approaches fall short

Organisations and governments have invested heavily in cybersecurity education programs to address human error. However, these programs have had mixed results at best.

This is partly because many programs take a technology-centric, one-size-fits-all approach. They often focus on specific technical aspects, such as improving password hygiene or implementing multi-factor authentication. Yet, they don’t address the underlying psychological and behavioural issues that influence people’s actions.

The reality is that changing human behaviour is far more complex than simply providing information or mandating certain practices. This is especially true in the context of cybersecurity.

Public health campaigns such as the “Slip, Slop, Slap” sun safety initiative in Australia and New Zealand illustrate what works.

Since this campaign started four decades ago, melanoma cases in both countries have fallen significantly. Behavioural change requires ongoing investment into promoting awareness.

The same principle applies to cybersecurity education. Just because people know best practices doesn’t mean they will consistently apply them – especially when faced with competing priorities or time pressures.

New laws fall short

The Australian government’s proposed cybersecurity law focuses on several key areas, including:

These measures are crucial. However, like traditional cybersecurity education programs, they primarily address technical and procedural aspects of cybersecurity.

The United States is taking a different approach. Its Federal Cybersecurity Research and Development Strategic Plan includes “human-centred cybersecurity” as its first and most important priority.

The plan says:

A greater emphasis is needed on human-centered approaches to cybersecurity where people’s needs, motivations, behaviours, and abilities are at the forefront of determining the design, operation, and security of information technology systems.

3 rules for human-centric cybersecurity

So, how can we adequately address the issue of human error in cybersecurity? Here are three key strategies based on the latest research.

  1. Minimise cognitive load. Cybersecurity practices should be designed to be as intuitive and effortless as possible. Training programs should focus on simplifying complex concepts and integrating security practices seamlessly into daily workflows.
  2. Foster a positive cybersecurity attitude. Instead of relying on fear tactics, education should emphasise the positive outcomes of good cybersecurity practices. This approach can help motivate people to improve their cybersecurity behaviours.
  3. Adopt a long-term perspective. Changing attitudes and behaviours is not a single event but a continuous process. Cybersecurity education should be ongoing, with regular updates to address evolving threats.

Ultimately, creating a truly secure digital environment requires a holistic approach. It needs to combine robust technology, sound policies, and, most importantly, ensure people are well-educated and security-conscious.

If we can better understand what’s behind human error, we can design more effective training programs and security practices that work with, rather than against, human nature.
