I frequently talk about and lecture on understanding the importance of people in cybersecurity. I motivate security awareness training and explain how to correctly implement it. I’m usually quite clear on the facts: 70-90% of all incidents include human action making people the most frequently used attack vector, and we can only empower people by working with them, not against them. I’m also clear on people not being the weakest link.
However, I far too often read or listen to someone saying, ‘humans are the weakest link and the biggest problem in cybersecurity’. As much as I would have talked about not blaming users and working with people, this misconception and falsehood just does not go away.
Enough reason for me to sit down and write this post. There are several ways to highlight why a human-as-the-weakest-link perspective is problematic. Read below.
Humans are not failing technology. Technology is failing humans.
Insecure work practices and low security motivation among users can be caused by security mechanisms and policies that take no account of users’ work practices, organizational strategies, and usability. These factors are pivotal in the design and implementation of most computer systems today. Designers of security mechanisms must realize that they are the key to successful security system. Unless security departments understand how the mechanisms they design are used in practice, there will remain the danger that mechanisms that look secure on paper will fail in practice. – Adams and Sasse (2005)
What Professors Adams and Sasse said in 2005 is still true in 2024, and it looks like that will not change any time soon. Not unless we all in the cybersecurity industry do a much better job at appreciating that humans are the most important part in all that we do. Without humans, there is no value creation, there is no customer, there is no business. A human-centered approach to security and technology design is the only viable path.
We must take into account users’ work practices (the way things are done), organizational strategies, and the usability of products. The experience of security matters, because that might be the difference between people following a secure process or behaving insecurely. If it is too difficult or the motivation is not high enough, we cannot expect people to behave securely. That’s in essence what BJ Fogg is telling us.
Why do we blame people but never the technology?
Yes, we are trusting by nature. We are creatures of habit. We are often too busy to pay attention, and we can be emotional creatures. And, yes, we are the most targeted attack vector, but only because technology and processes often fail us. There is often a lack of usability and simplicity. Training can only go so far if the design is not right.
It would be super easy to blame technology. Technology does not feel bad. Technology will continue the way it did before you blamed it.
Why do we blame users? I mean that just seems unfair. If we blame users, then we must also blame technology that might be unreliable, not robust, and insecure.
Also if one clicks on a link is all it takes to take an entire business down, what does that tell us about the quality of that business’s defenses? They probably were just not good enough. It would be entirely misguided to point the finger at any individual.
Logically, I really struggle to follow the idea of human as the weakest link. Allow me to illustrate my train of thought.
- The premise: human is the weakest link in cybersecurity.
- The evidence: human thinking and behavior is non-deterministic and not free of flaws.
- More evidence: Human has created technology.
- Inference #1: Technology behaves non-deterministic and is not free of flaws.
We know that this inference is true. When hardware and software get tampered with then the outcome of a given input cannot be predicted. Why do we have higher expectations for Human than for Technology? That does not make sense.
- Inference #2: If Human was perfect, then Human would create perfect Technology. If Technology was perfect then Human need not be perfect.
- Inference #3: Therefore, when Human is perfect Technology is perfect. And also, if Technology is not perfect we must not assume that Human be perfect.
As neither is the case, we must not have any such expectation of perfectness for either.
It’s People, Process, and Technology. Never just People.
If I haven’t convinced you with that almost philosophical argument, allow me to try again. This time with a very practical perspective.
- Observation: humans are the most targeted attack vector.
- Wrong conclusion: humans are the weakest link.
- Right conclusion: cyber criminals targeting humans is the biggest risk my organization faces.
Wrong conclusions are slippery slopes. If humans are the weakest link, then we must eliminate them from the equation. We must invest everything in technical defense measures. These are created by humans, and just as humans are, technological measures are fallible.
You would be much better off to realize that if humans are your weakest link, then your risk management is flawed. Your risk assessment and likely your mitigation strategy needs adjusting. Your assessment must be that humans are the most targeted attack vector, i.e., social engineering and phishing are among the most common attacks.
Your mitigation must involve measures that target people, processes, and technology. The three pillars of cybersecurity that you must consider when aiming to reduce risk. You must train people, deploy technological defense measures, and embed desired, secure behaviors in processes that you define and communicate.
There really shouldn’t be a ‘human’ element in your defense chain. That’s why I strongly dislike any talk about the human element being the weakest link. Each element of your defense chain always is a combination of people, processes, and technology.
It is a matter of perspective to realize that technology cannot exist without people and process as much as people cannot work without technology and process or a process does not make sense without people and technology. The three elements are interdependent and treating them in isolation is a mistake.