In today's evolving communication landscape, cyber threats do not only target things, objects, or devices. First and foremost, cyberattacks target people and exploit the psychology of users and programmers alike.
On the one side, users are often the practical means by which an attack hits its mark: cybercriminals exploit the lack of security knowledge and the speed at which our society moves to infiltrate a system and damage both network infrastructures and our everyday environment. Sending fraudulent emails, stealing credentials, and uploading malicious attachments to applications are just some of the most common ways of exploiting human interaction with technology to carry out an attack.
On the other side, even before a product is released, whether hardware or software, the cybersecurity paradigm establishes an adversarial framework: security experts and attackers are engaged in a constant psychological contest to stay one step ahead of the other. Programmers must continually think about how the systems they are designing might be attacked and made to fail in specific ways. Building a secure system means constructing a coherent argument for why the system is secure, one that does not merely block specific tricks the system could fall for, but makes sure that the assumptions underlying the system hold up.
Hence, whether we think of users receiving phishing emails or of programmers working to foresee a system's vulnerabilities in advance, human psychology and behavior are where security starts. Cybersecurity is not just about the technicalities of hardware, software and networking; it is mostly about how human beings behave with technology, how they think about it while creating it, and how they use it every day. This makes humans, and especially the way humans think about security issues, the first and last line of defense, at once the strongest and the weakest link in the security chain.
When it comes to security, the mindset with which we take on the challenge is the foundation of a secure virtual and social environment. Attention to detail and ordinary paranoia are not enough to guarantee security. If ordinary paranoia focuses security experts' attention on how an adversary might attack, a security mindset takes us a step further, enabling us to go beyond everyday hiccups and to defend against flaws in the reasoning behind the system. As we build secure software, we need to look at the world differently: as Bruce Schneier often argues, a security mindset directs our attention not just to how things can be made to work, but to how they can be made to fail.
It is nonetheless clear that the security mindset that should sit at the core of security solutions cannot be expected to motivate the general public. A different concept takes the lead when it comes to users' behavior: security culture. If protocols are a matter of following given rules and instructions, cultural norms affect behavior unconsciously, instinctively, and hence effortlessly. Once a cultural norm becomes part of our everyday way of thinking, it becomes habitual and automatic. In the fast-paced society in which we live, where time for a decision is a scarce commodity, we often act by analogy, forcing new situations into known patterns. The lack of a true understanding of the security issues connected with the technologies we use, and the ease with which we take security for granted, are two of the main challenges for a solid security culture and are the points at which we get burned.
In a nutshell, if pursuing a security mindset means practicing paranoia and always checking and challenging your own assumptions, a security culture is when this has become a common habit underlying the whole range of possible behaviors.

Now the question is: how can we develop this culture, first in a company and then in society at large? When it comes to building a security program, focusing only on technology and processes puts organizations in a weak and unbalanced position: building effective security solutions starts with people, since cyberattacks are more about exploiting weaknesses in human psychology than about the adversary's technological sophistication. An organization's security culture requires care and feeding, something we need to invest in persistently, because it fosters change and better security. The first step is to instill the idea that security is not just the business of one department in an organization, but that it starts with everyone and belongs to everyone. Information about security practices and principles needs to flow through the organization's whole structure, as security awareness is a key enabler of a security culture, and a security program is more effective when it is embedded in the organization's culture. From employees to managers to security experts, thinking differently about security is the first step in creating a secure environment. If attackers only need to be right once to be effective and cause extensive damage, defenders need to be right every time. Security is an ongoing process that never ends and never rests, and it needs to account for every possible vulnerability in every possible scenario. The problem with security is not what we know, but what we do not know yet.
In this framework, thinking differently and acquiring secure habits fosters security in far-reaching ways, dramatically reducing the attack surface and preparing individuals as well as companies to prevent, manage, and remediate even the most sophisticated attack.