As more of the tasks and actions that make up our everyday lives move into the digital space, sophisticated computer networks and information systems drive our world, enabling better and simpler access to everything from critical infrastructure and national security to online shopping and education.
The free and open internet has supported immense growth in economies worldwide and facilitated unprecedented information flow from the largest cities to the most remote (and previously unreachable) places on Earth. But as they become increasingly indispensable, the digital systems powering our world also become prime targets for attack from groups and individuals ranging from well-organized cyber-crime gangs to state-supported hackers.
With internet access rapidly expanding across the globe, and the proliferation of greater connectedness across business, finance, and individuals, ensuring the privacy and security of this activity will only become more important.
This reality makes cybersecurity – the technologies, processes and best practices that protect networks, individual computers, programs and all digital data from attack – one of the critical problems of our time.
Despite public and private sector investments in sophisticated security systems, the level of risk continues to rise in step with innovation. Developing impenetrable security forces online in the face of ever-advancing modes of attack, exemplified by the myriad of well-publicized, increasingly sophisticated data breaches affecting multinational corporations, organizations and governments, is the great arms race of the 21st century.
As security professionals, companies and academics look for answers, efforts have been heavily skewed toward finding technological solutions. Yet experts estimate that between 70 and 80% of the cost attributed to cyber-attacks is actually a result of human error. Things as simple as clicking on a bad link, opening the wrong email attachment, or using an insecure USB drive can be devastating to network security. The strongest security network in the world is only as good as the human with the password.
Human error is not limited to end users. Computer engineers may develop code in ways that compromise the security of their software, IT administrators may not set up security systems properly, and CEOs may make the wrong investment decisions when it comes to security infrastructure. The challenges around understanding and addressing human behavioral factors in cybersecurity present a rich vein of opportunity for making the system as a whole more robust.
With support from the William and Flora Hewlett Foundation Cyber Initiative, and in partnership with New America’s Cybersecurity Initiative, we applied the lens of behavioral science to better understand these human factor challenges. We worked with a broad network of experts, leveraging their knowledge and experience to identify clear behavioral issues that are relevant to everyday people as well as computer engineers, IT teams, and organizations. The results of this work can be read in our novella: Deep Thought: A Cybersecurity Story.