From weakest link to security factor

Verena Zimmermann is convinced that it is too simplistic to view people solely as a risk factor in cyber security. Rather, the special abilities of users should be utilised in a targeted way in order to increase cyber security.
Verena Zimmermann ist Assistenzprofessorin für Sicherheit, Privatsphäre und Gesellschaft an der ETH Zürich. Ihre Forschungsgebiet sind menschlichen Aspekte bei der IT-Sicherheit und dem Datenschutz.

When it comes to cyber security, many people initially think of sophisticated technologies, such as encryption programs, email filters or anti-virus software. However, even the best encryption program is of little benefit if it is not used. Weak passwords are definitely a risk factor. But the reason for this is not necessarily laziness or ignorance. The human brain is simply not designed to remember 50 or more different random passwords. Yet when it comes to cyber security, people are often referred to as the “weakest link”, a “risk” or a “problem”. While both people and technology are relevant, it is the interaction between people and technology that is crucial to the success of cyber security.

Minimising the human factor?

In the past, attempts were frequently made to largely eliminate the “human factor” by avoiding, severely restricting or regulating user interaction. Examples of this include strict guidelines, such as a monthly password change, banning USB sticks or automating processes.

«The strategy whereby people simply adapt to technical specifications is only moderately successful.»      Verena Zimmermann

Security guidelines can be helpful. However, if guidelines conflict with daily workflows or are not easy to apply, users often develop insecure strategies to circumvent them. For example, they may keep their password in an open place because it is difficult to remember, or they may simply add a number to the end of their password if frequent password changes are required. Unfortunately, this behaviour often makes an attack much easier. The strategy whereby people are asked to simply adapt to technical specifications is therefore only moderately successful.

Targeted attacks becoming more common

The rise in the number and quality of cyber attacks that target the “human factor” is also worrying. Phishing attacks, for example, use social engineering in an attempt to trick people into downloading malicious attachments or entering their secret log-in details on fake websites.

Cyber-security research must therefore start to break new ground. Among other approaches, recent research aims to improve the fit between people and security solutions. Password alternatives generated from images or gamified training, for example, can help make users more aware of cyber threats. This should help to better bridge the gap between technical requirements and human capabilities.

In my opinion, however, it would make even more sense to understand and utilise the untapped potential of people and their abilities.

Making better use of human potential

This potential is in fact well known from psychology and related safety research: people are highly creative, adaptable to new situations, and capable of making good decisions even when faced with uncertainty. So far, we have mainly focused on what people do wrong and tried to prevent it. However, if we also analyse what people do right and why, we can develop new approaches to cyber security.

Phishing is a good example of this: researchers have found that human intuition and pattern recognition, honed by years of experience, is often superior at detecting subtle phishing attempts compared to complex algorithms. Therefore, if we understand why some people not only recognise phishing emails but also report them and proactively warn others, we can investigate how we can better support others in this task.

In today’s dynamic threat environment, the high degree of flexibility and adaptability of people could be key. If we manage to establish a culture in which each and every individual feels a responsibility – and is also motivated and empowered to act accordingly – we could make a decisive contribution to cyber security. It is time to stop seeing people as the weakest link and to start seeing them as a valuable security factor.

Further informations

Zimmermann, V., Schöni, L., Schaltegger, T., Ambühl, B., Knieps, M., & Ebert, N. (2024). Human-Centered Cybersecurity Revisited: From Enemies to Partners. Communications of the ACM. https://doi.org/10.1145/3665665