How user experience and behavioural science can guide smart cybersecurity

Society needs to be equipped to defend against cyber attacks. More than at any time in our history, cyber criminals, hostile nation states and other malicious actors have access to sophisticated technology that can disrupt the operations of critical infrastructure, businesses, governments and the daily lives of people throughout the world.

Some 82% of cybersecurity breaches in the last year were due to a human element. The disruptive Colonial Pipeline ransomware hack that took down the largest fuel pipeline in the US and led to shortages was the result of a compromised password and password reuse. Weeks later, JBS – the largest meat producer in the world ­– was hacked through a Qbot malware infection thought to have spread through a phishing email.

Complicating the matter, hackers are using technology developments that defenders use to protect users such as machine learning and artificial intelligence (AI) to subvert detection and social engineer.

Today’s phishing attacks are increasingly narrowly targeted and crafted to subvert traditional email detections. Attackers use AI to conduct reconnaissance from social media profiles at scale, replicate communication styles of trusted contacts and create convincing deep fake audio or video messages to use in ransomware or spear phishing attacks.

The three-dimensional environment of the metaverse could also facilitate more effective use of such social engineering methods. This means people need to be more empowered and informed than ever to identify and respond to new threats.

In considering our response, we need to focus on securing our hardware and software, but just as much attention should be paid to securing human behaviour.

We live in the digital era where the average person spends six or more hours online a day, has 10 connected devices in the home, and has at least 100 accounts online – and these numbers will continue to grow.

Governments, private sector players and educational institutions need to invest in training all citizens. The Estonian government’s cyber education model is a best-in-class reference, having reinvested in education and training programmes in partnership with academia and the private sector.

The government has focused on training all citizens from informing the elderly on cybersecurity, to teaching kindergarten pupils how to code and showing teenagers how run security checks on the devices of their parents and family members in order to empower households to take responsibility.

Private sector organizations should open cyber awareness and training materials both for customers and non-customers with the aim of benefiting all society. Santander and other private organizations have taken the lead in opening and sharing free cybersecurity training on their websites.

The World Economic Forum’s Cybersecurity Learning Hub is a good model that aggregates resources for small businesses and individuals through resources from the private sector.

Regular training, coupled with practical exercises are proven mechanisms to create a real difference. In the same way that schools run fire drills, controlled ethical phishing simulations and tests in school curriculum to spot deep fakes and social engineering techniques on messaging and social media can be beneficial.

Cities could also run controlled social engineering exercises with small businesses who opt-in.

A combination of cyber training, awareness and tech solutions that nudge people into the right behaviours is an essential component of holistic cybersecurity.

Every technologist’s ambition should be to make risk mitigation an unconscious ‘habit’ that’s embedded within a product. The user experience (UX) must always default to the secure option – to enable people to take basic security steps.

It would be good practice for mobile operating systems to default to always enabling automatic software updates. Laptops and desktops should present encryption as a default. Multifactor factor authentication (MFA) or second factor authentication (2FA) should always be the default option.

Behavioural economist Dr Richard Thaler commented in his book Nudge: “If you want to get people to do something, make it easy. Remove the obstacles.”

Gmail security is an illustrative example of the impact a tech solution can have on secure behaviours. Since 2011, when Google rolled out its 2FA feature for Gmail, they reported that less than 10% of users had it enabled on Gmail. In 2021, Google announced that it will switch on 2FA by default.

For most consumers today, security is already a top concern. Informed consumers are already beginning to demand companies and manufacturers to integrate and demonstrate commitment to security. An area where this is already beginning to happen is with internet of things devices.

Meanwhile consumer protection bodies, companies and academia are exploring the use of security and privacy labels for devices (akin to nutritional fact labels) to equip consumers with information at moment of purchase. Efforts are moving forward internationally in the UK, Finland and Singapore.

As we move more into the metaverse, headsets and other wearable devices will become more important; users would benefit from standards on how these devices protect their data. These types of awareness initiatives help to create a more robust and secure ecosystem of conscientious users.

In short, as technology and cyber threats evolve, it’s more important than ever to invest in people. A robust cyber ecosystem must incorporate training, awareness and UX to deliver smarter cybersecurity.

Combined efforts by the public and private sectors are the best mechanism to deliver these cybersecurity initiatives and to drive greater confidence and trust online.