Human Element in Cybersecurity
Impact of Human Behavior on Password Security Policies
While lapses and errors in judgment could be considered an essential part of the human natural life experience to learn and grow, it could be extremely destructive and considerably costly when it concerns cybersecurity breaches. According to the 2022 Data Breach Investigation Report (DBIR), the human element was responsible for 82% of the data breaches in the form of social engineering, misuse, and errors. A study by IBM indicates that the average cost of these incidents is $9.44 million per data breach in the United States, $5.09 million more expensive than the global average. The same DBIR 2022 has concluded that close to 50% of the breaches weren’t caused by human error or misuse, but hackers used genuine weak credentials implemented by users.
In this paper, I will illustrate the importance of the human element in cybersecurity and dive deeper into the problem of human behavior and resistance to password security policies.
Although data breaches are considered a technological problem, it is well documented, as mentioned earlier, that the human element is responsible for most of them. The human factor is accountable largely for the absence of awareness, negligence, or error in configuration and access control (Conkle, 2020). Why the major stakeholders in cyberspace cannot manage and eliminate this problem is a legitimate question, and answering this question requires finding answers to some more fundamental questions, such as:
What is the concept of the human element in cybersecurity?
Why is the human element important in cybersecurity?
Why is human behavior the main problem with a robust password implementation?
For investigating human behavior in interaction with security, it would be beneficial to start at a deeper level, understand the roots and causes of such behavior, and start building the case from the ground up. The concept of security in the human mind translates into two different forms or structures: rational and emotional (Schneier, 2022).
The form of rational is more quantifiable and measurable in security. Identifying vulnerabilities in the system or weaknesses in the security posture and employing countermeasures takes place in this category. Risk assessments and utilizing security measures based on such assessments are common security practices in the industries like insurance companies or security service providers.
The emotional form of human response to the concept of security relies on psychological reactions to risks and suggested countermeasures (Schneier, 2022). This form of response to security could differ from person to person based on their personality, life experience, occupation, etc. Still, there are some similarities or common perceptions and reactions, such as frustration, fear, or humiliation during security screening at airports (Maliwat, 2018).
The human response to security consists of liking it rationally and disliking it emotionally, at least when it makes human life inconvenient. Security, by nature, is an inconvenience (Vacca, 2017) in our personal and social life, especially in cyberspace and the modern human digital lifestyle. The Internet has changed humans and their communities by improving communication, creating virtual communities, marketplaces, infinite information libraries, flexible workplaces, e-governments, and virtual social lives. All these advantages of the internet have fostered more convenience in modern societies, and members of these societies have developed a new habit of accessing more and more services online from the comfort of their homes with a few clicks on their devices. Convenience has become a habit for modern humans, and humans are creatures of habit (Dewey, 2022).
Up to this point, I assume this paper has established that:
Digital lifestyle era has fostered unprecedented convenience for humans
Humans have made a habit of benefiting from this convenience
Security measures are an inconvenience by nature
Humans believe in the necessity of security, rationally
Humans generally dislike the inconvenience of applying security measures in their digital or natural lifestyles
In returning to the questions of this essay, let’s start with the following: What is the concept of the human element in cybersecurity? The human element in cybersecurity refers to the role and responsibility of people (victims or employees of a victimized organization) in a security incident, either as an unintentional error or as an intentional act of internal threats.
The human factor is the weakest link in the security chain because of naivety or ignorance (Mitnick, 2002), and it has been responsible for most data breaches. This paper’s first question was: Why don’t the major stakeholders in cyberspace manage and eliminate this problem? Because humans are not software to easily update or delete, we need to find a way to work with them. Humans are important in cyberspace because they design, create, and work with cyber technology. Any mistake by them would impact our cyberspace. Therefore, it is imperative to find a solution to minimize the risks of the human factor and maximize the security advantage to create optimal cyberspace.
The first step in resolving a problem is understanding it, and examining the security incidents reveals that the human element has been exploited by social engineering. Social engineering refers to a wide range of preplanned and malicious practices by interacting with victims to manipulate them into a security breach (Mitnick, 2002). Social engineering attacks would be performed in many different forms, and some of the most common and important of them are as follow:
Phishing (Vishing, Smishing, Spear Phishing, Whaling) – a fraudulent activity in the form of emails, phone calls, or text messages in which the attacker pretends to be a reliable persona and induces individuals to disclose sensitive information. When phishing targets a specific individual or organization, the practice is called Spear Phishing, and if individuals from senior levels and executives are targeted, it is called Whaling.
Pretexting – often conducted over voice calls (Vishing) and uses a scenario to create a false sense of trust in the target.
Baiting – scamming by offering a false promise to attract the victims into the trap.
Tailgating or Piggybacking – gaining unauthorized physical access to a presumably secure area by following an employee through the security gate, which requires authentication and authorization.
As it has been demonstrated, social engineering will be used in security incidents other than unintended errors in design, configuration, applications, or acting as internal or insider threats. While the human element and its role in security incidents, in general, has been examined within the last few pages, it would be appropriate to redirect the attention to the main question of this paper: "Why is human behavior the main problem with a robust password implementation?”
A survey conducted by Google in partnership with Harris Poll on online security (Google, 2019) revealed that 65% of Americans still resist choosing and maintaining new passwords. Reusing old passwords is common practice within this group of individuals.
Another password statistic demonstrates that 24% of Americas utilize very simple passwords such as “password” or “123456”. Humans’ resistance against password security still persists, while compromised credentials are responsible for 61% of security breaches (Krstic, 2022). Such staggering statistics suggest that these phenomena arise because either those individuals are unaware of the importance of password security or they elect to ignore the security requirements and policies. A survey by “LastPass” shows indicates that 82% of respondents to the survey understood that the combination of letters, numbers, and symbols creates a more secure password but still, 47% of them ignored this measure and continued using friend or family names as password (Tryfonas, 2017), but why? The findings of a study indicated that the inclination to create easily rememberable passwords is a human compromise between security and convenience (Nicholson, 2016), which arguably is not much of security anymore.
Many Americans fail to adhere to cybersecurity best practices in general and password security in particular because:
They are not convenient to commit
There are too many online accounts for each user, and each requires setting up credentials to access them
Memorizing multiple unique and complex passwords, if not impossible, is very challenging and also requires further efforts and resources to reset them if those passwords forgotten
Individuals tend to resist changes in their habits unless forced to. This is a basic human characteristic (Organisational Behaviour, 2013).
A study conducted by Virginia Tech University, Division of Information Technology, showed that a significant number of users resisted changing their passwords even when it was mandatory. Out of 488 respondents in the study, only 63 users complied with the new password policy at the early stage of the transformation, and most of them waited until the last days of the deadline period. Almost 20% refused to change their password and only complied after denying their access to the systems (Hyman, 2011).
Demonstration of such “passive resistance” (Hyman, 2011) has been recorded in implementing several new security policies and protocols in organizational structures.
Mitigation of human element in cyberspace could be achieved by utilizing comprehensive security methodologies and employing best security practices. Adopting the following policies would be recommended in organizations:
Cybersecurity awareness programs and creating an effective security culture within the organization
Implementing specific security Policies and protocols
Employing relevant frameworks
Security Automation technology
Utilizing password management tools
Security awareness programs are the key to minimizing the vulnerabilities due to the human factor in an organization. If it is artfully crafted with enough input and help from physiology professionals and with a message matters mentality, it could ensure improvement in overall security posture in general and password security in particular when it is combined with the technical and security measures, which will be outlined later in this paper. Such security awareness programs will be crucial in building an effective security culture in the organization and propagating a meaningful principle that all employees are security team members. Sharing security values will increase the efficiency of technical defense systems, clients’ confidence and trust in the organization, and ensures compliance with laws and regulations. According to a survey, the ROI (Return On Investment) for investing in such security training and awareness programs in small and midsize corporations has been reported as high as 69% (Osterman Research, 2019).
Implementing specific security Policies and protocols would be another effective measure to mitigate vulnerabilities. Adopting minimum length requirements for passwords and imposing password history restrictions that prevent users from reusing specific numbers of previous passwords. Other protocols, such as requiring frequent password changes based on preset limit age of passwords, applying complexity factor to passwords, and password encryptions, are considered beneficial.
While there are multiple frameworks to implement in cybersecurity, password security has been part of all those frameworks. It has been mentioned as guidelines, requirements, and best practices, not an independent framework. Frameworks such as NIST CSF have extensively addressed password security as “NIST CFS password guidelines” or the European comprehensive cybersecurity framework known as GDPR (General Data Protection Regulation).
Security automation is an effective security tool in cybersecurity by providing a more harmonized and well-orchestrated security posture and minimizing human error in threat detection and prevention mechanism within the system. This capability of automation would be advantageous in password security by utilizing password management, administrative tasks like user provisioning, and identity management.
Utilizing password management tools is the ultimate solution for personal password security and organizational password policies. Personal password management applications would help individuals to overcome the problem of managing too many complex passwords for too many online accounts, and commercial or industrial versions of such tools would be tremendously beneficial for any organization.
Humans are the weakest security link and are responsible for most data breaches. While adopting a digital lifestyle due to revolutionary progress in communication technology and benefiting from the internet have created a habit of convenient online societies, the tendency to avoid security measures because of inconvenience has introduced the “human element” as a security vulnerability within cyberspace due to naivety and ignorance.
Other than inadequacies in following the security protocols, the human element is responsible for inheritance errors and vulnerabilities by designing, developing, and applying the technological tasks and tools by nature. Unintentional misconfiguration is another vulnerability the human element could introduce to the systems.
While multiple studies have indicated that humans tend to resist against changes in security behavior, security management could employ effective methodologies in creating security training and awareness programs which promote a proactive security culture and the literature of sharing security as “everyone is a member of security team” and improve security maturity in the organization. This approach not only helps with the overall security of cyberspace but also will be crucially beneficial for password security as a subject of the deeper focus of this paper.
In addition to educational and security awareness programs, other steps must be taken to ensure more effective password security implementation. Steps such as adopting minimum length requirements for passwords, enforcing password history restrictions, requiring frequent password changes, introducing password age in the system, applying complexity factor to passwords, and password encryptions, are also considered beneficial.
Schneier, B. (n.d.). The psychology of security. Schneier.com. Retrieved December 18, 2022, from https://www.schneier.com/wp-content/uploads/2015/08/paper-psychology-of-security.pdf
Maliwat, J. D. (2018). Five typical emotional reactions to airport security screening: A case study. Psychology Research (Libertyville, Ill.), 8(12). https://doi.org/10.17265/2159-5542/2018.12.003
Dewey, J. (2022). Human nature and conduct: An introduction to social psychology. Legare Street Press.
Vacca, J. R. (2017). Computer and Information Security Handbook. Morgan Kaufmann.
Mitnick, K. D., & Simon, W. L. (2002). The art of deception: Controlling the human element of security. John Wiley & Sons.
Google Inc, Harris Poll. (February 2019). Online Security Survey about Online Security. https://services.google.com/fh/files/blogs/google_security_infographic.pdf
Krstic, B. (n.d.). Impressive password statistics to know in 2022. WebTribunal. Retrieved December 18, 2022, from https://webtribunal.net/blog/password-stats/
Tryfonas, T. (Ed.). (2017). Human aspects of information security, privacy and trust: 5Th international conference, HAS 2017, held as part of HCI international 2017, Vancouver, BC, Canada, July 9-14, 2017, proceedings (1st ed.). Springer International Publishing.
More-secure passphrases replaced passwords. (January 2018). It.vt.edu. https://it.vt.edu/resources/publications/spotlight/passwordcomplexity.html
Hyman, P. (2011, November 15). Study reveals resistance to strong password security. Acm.org. https://cacm.acm.org/news/141643-study-reveals-resistance-to-strong-password-security/fulltext?mobile=false
Nicholson, D., Muse, K., & Reynolds, J. L. (Eds.). (2016). Advances in human factors in cybersecurity: Proceedings of the AHFE 2016 international conference on human factors in cybersecurity, July 27-31, 2016, Walt Disney world (R), Florida, USA (1st ed.). Springer International Publishing.
Organisational Behaviour. N.p.: Social work department, PSGCAS, 2013.
Osterman Research. (2019, August 19). The ROI of security awareness training – white paper. Osterman Research. https://ostermanresearch.com/2019/08/19/orwp_0313/
Password policy best practices for strong security in AD. (n.d.). Netwrix. Retrieved December 18, 2022, from https://www.netwrix.com/password_best_practice.html
Benefits of security automation. (2022, November 16). Aeologic Blog; AeoLogic Technologies. https://www.aeologic.com/blog/benefits-of-security-automation/
Taal, Amie, ed. 2021. The GDPR Challenge the GDPR Challenge: Privacy, Technology, and Compliance in an Age of Accelerating Change. London, England: CRC Press.
Vasileiou, Ismini, and Steven Furnell, eds. 2019. Cybersecurity Education for Awareness and Compliance. Hershey, PA: IGI Global.
Kudrati, Abbas, and Binil A. Pillai. 2022. Zero Trust Journey across the Digital Estate. London, England: Taylor & Francis.
Chapple, Mike, and David Seidl. 2021. Cyberwarfare: Information Operations in a Connected World. 2nd ed. Sudbury, MA: Jones and Bartlett.
Duffy, Vincent G., and Nancy Lightner, eds. 2016. Advances in Human Factors and Ergonomics in Healthcare: Proceedings of the AHFE 2016 International Conference on Human Factors and Ergonomics in Healthcare, July 27-31, 2016, Walt Disney World (R), Florida, USA. 1st ed. Cham, Switzerland: Springer International Publishing.
Conkle, Tim. 2020. “The Human Element of Cybersecurity.” Forbes. January 24, 2020. https://www.forbes.com/sites/forbestechcouncil/2020/01/24/the-human-element-of-cybersecurity/?sh=78bff8823293.
Pilar, Denise Ranghetti, Antonio Jaeger, Carlos F. A. Gomes, and Lilian Milnitsky Stein. 2012. “Passwords Usage and Human Memory Limitations: A Survey across Age and Educational Background.” PloS One 7, no. 12: e51067. https://doi.org/10.1371/journal.pone.0051067.
Fagan, Michael, Yusuf Albayram, Mohammad Maifi Hasan Khan, and Ross Buck. 2017. “An Investigation into Users’ Considerations towards Using Password Managers.” Human-Centric Computing and Information Sciences 7, no. 1. https://doi.org/10.1186/s13673-017-0093-6.
The Pernicious Problem of Passwords.” n.d. Asisonline.org. Accessed November 25, 2022. https://www.asisonline.org/security-management-magazine/articles/2022/09/the-pernicious-problem-of-passwords/.
“Time to Rethink Mandatory Password Changes.” 2016. Federal Trade Commission. March 2, 2016. https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2016/03/time-rethink-mandatory-password-changes.
IBM Cybersecurity Intelligence Index Reports
Verizon Data Breach Investigation Reports