Hacking humans

Human factors have always been the bane of security professionals, and social engineering remains high on the list of factors requiring mitigation measures and controls. Yet their very nature makes them highly variable – humans will always work out a way around a control if it makes their lives easier.

We security professionals also have limited storage capacity for random data (like complex, always-changing passwords), and we are always willing to assist another human: holding doors open, answering seemingly innocuous questions, handing over passwords, dates of birth, etc.

However, the number one kicker is divulging personal information and giving up privacy in exchange for free participation in social networks.

The security awareness level of the individual is something that I have repeatedly droned on about over recent years.

Raising that level of security education for everyone within your remit – not just their organisational security awareness, but also their personal and privacy awareness – should be your aim.

My security testing team, in conjunction with learning professionals, has developed a series of generic awareness e-learning programs designed to be deployed within organisations, to educate employees and raise their levels of personal and organisational security awareness.

For the past two years, and for the next two years, we’ll deliver all of the Federal Government’s Stay Smart Online Cyber Alert Service awareness content.

Therefore, we have significant experience in the human factor security arena and, importantly, in the measurement of cognition around security messaging.

So on to hacking humans. Put simply, brains are computers, and as computers can be hacked, so too can brains.

It has been revealed, for better or worse, that Facebook researchers recently conducted a study where they deliberately manipulated member feeds using keywords to affect their mood.

The results, somewhat unsurprisingly, demonstrated that those whose feeds promoted positive messages were subsequently more positive themselves, and vice versa: those receiving the “negative” friends’ feed were down.

“So what?” some will say, “I’m in security, I don’t use social media”, blah, blah, blah. Just stop and smell the roses for one second: those around you do.

If the big data organisations are now moving on from simply knowing your friends’, colleagues’, acquaintances’ and enemies’ private information, shopping and online habits to mood manipulation, what’s next?

Some brains, and the mental health contained within them, are fragile, so deliberate fiddling by big data could exacerbate an individual’s issues, particularly when it’s that subtle.

So, dear security pro, time to add a blindfold to that tinfoil hat ensemble.

Facebook may be the one that has let this particular cat out of the bag, but you need to look at what the other data companies – Google and Apple, for example – are doing undisclosed and behind the scenes in this area.


Stories by Matt Tett
