UK researchers have been granted £1.1m to find out why human error is behind so many cybersecurity incidents and why people don’t seem to learn from cyber awareness campaigns.
The wide-ranging study, which is being led by the University of Surrey, will explore how “personalized” security awareness training can change behavior in a way to reduce human-related risks and help fight cybercrime. The research will look at behaviors and what motivates all online actors, from cybercriminals to victims, policy makers and business and government.
As the university explains, the researchers intend to map out the behaviors that make people and organizations vulnerable to cyberattacks, as well as software for tracking behavioral changes and whether these lead to reduce risks.
The project also wants to monitor how attack strategies change over time, given how technology evolves and defenses adapt to new threats.
The study will look at how to understand and influence cybercriminals, understand human behaviors that can be exploited by hackers, and develop personalized ways to encourage more secure behavior.
A team of computer science and cognitive psychologists at the US NIST last year blamed poor cyber practices on “security fatigue”, caused by an overload of tasks, such as remembering up to 30 passwords. That researchers blamed software designers for not making security user friendly. Numerous other studies have found that while people do struggle with passwords, few use password managers. A Pew found that 3 percent of Americans regularly rely on a password manager, while 65 percent tried to memorize passwords, and 18 percent wrote them down in paper.
The Surry University researchers cite a 2014 report by IBM that found 95 percent of security incidents involved “human errors”.
According to the researchers, responses to human-related cyber risks remain hampered by people tending to think of cybercrime as limited to the virtual domain, and they don’t connect that to norms in the physical world. This mindset continues despite the rise of the Internet of Things.
“In this context, the unprecedented linking of individuals and technologies into global social-physical networks - hyperconnection - has generated exponential complexity and unpredictability of vulnerabilities,” they write.
The researchers also draw attention to the lack of personalization in efforts to raise awareness, which often don’t change human behavior.
“The project's overall aim is therefore to develop a framework through which we can analyze the behavioral co-evolution of cybersecurity/cybercrime ecosystems and effectively influence behaviors of a range of actors in the ecosystems in order to reduce human-related risks.”
The two-year project, scheduled to commence in April, will involve 12 cybercrime and cybersecurity experts. They hope to develop a new framework that help citizens, employees, business managers, policy and law makers, governments, and industry better cope with cybersecurity. They’ll also apply the framework to “human-related cyber risks within global transaction and exchange networks” as well as “within hybrid transportation networks involving key cyber elements such as connected vehicles.”
Contributors will come from multiple disciplines, including computer science, crime science, business, engineering, and behavioral science at University of Surrey, UCL, University of Warwick, and TRL.