
How user experience and behavioural science can guide smart cybersecurity

by | Nov 2, 2022 | Cybersecurity

United States Air Force, Public domain, via Wikimedia Commons

Society needs to be equipped to defend against cyber attacks. More than at any time in our history, cyber criminals, hostile nation states and other malicious actors have access to sophisticated technology that can disrupt the operations of critical infrastructure, businesses, governments and the daily lives of people throughout the world.

Some 82% of cybersecurity breaches in the last year involved a human element. The disruptive Colonial Pipeline ransomware attack that took down the largest fuel pipeline in the US and led to fuel shortages was the result of a compromised, reused password. Weeks later, JBS – the largest meat producer in the world – was hacked through a Qbot malware infection thought to have spread through a phishing email.

Complicating the matter, attackers are turning the same technology developments that defenders rely on, such as machine learning and artificial intelligence (AI), against them: to evade detection and to scale social engineering.

Today’s phishing attacks are increasingly narrowly targeted and crafted to subvert traditional email detections. Attackers use AI to conduct reconnaissance from social media profiles at scale, replicate communication styles of trusted contacts and create convincing deep fake audio or video messages to use in ransomware or spear phishing attacks.

The three-dimensional environment of the metaverse could also facilitate more effective use of such social engineering methods. This means people need to be more empowered and informed than ever to identify and respond to new threats.

Everyone needs to be trained on cybersecurity

In considering our response, we need to focus on securing our hardware and software, but just as much attention should be paid to securing human behaviour.

We live in the digital era where the average person spends six or more hours online a day, has 10 connected devices in the home, and has at least 100 accounts online – and these numbers will continue to grow.

Governments, private sector players and educational institutions need to invest in training all citizens. The Estonian government’s cyber education model is a best-in-class reference, having reinvested in education and training programmes in partnership with academia and the private sector.

The government has focused on training all citizens: from informing the elderly about cybersecurity, to teaching kindergarten pupils how to code, to showing teenagers how to run security checks on the devices of their parents and family members, in order to empower households to take responsibility for their own security.

Private sector organizations should open cyber awareness and training materials both for customers and non-customers with the aim of benefiting all society. Santander and other private organizations have taken the lead in opening and sharing free cybersecurity training on their websites.

The World Economic Forum’s Cybersecurity Learning Hub is a good model that aggregates resources for small businesses and individuals through resources from the private sector.

Regular training, coupled with practical exercises, is a proven mechanism for creating a real difference. In the same way that schools run fire drills, controlled ethical phishing simulations, together with tests in the school curriculum on spotting deep fakes and social engineering techniques on messaging and social media, can be beneficial.

Cities could also run controlled social engineering exercises with small businesses who opt-in.

The secure option should always be the default

A combination of cyber training, awareness and tech solutions that nudge people into the right behaviours is an essential component of holistic cybersecurity.

Every technologist’s ambition should be to make risk mitigation an unconscious ‘habit’ that’s embedded within a product. The user experience (UX) must always default to the secure option – to enable people to take basic security steps.

It would be good practice for mobile operating systems to enable automatic software updates by default. Laptops and desktops should present full-disk encryption as the default. Multifactor authentication (MFA) or second-factor authentication (2FA) should always be the default option.

Behavioural economist Dr Richard Thaler commented in his book Nudge: “If you want to get people to do something, make it easy. Remove the obstacles.”

Gmail security is an illustrative example of the impact a tech solution can have on secure behaviours. Google rolled out its 2FA feature for Gmail in 2011, yet it later reported that less than 10% of users had enabled it. In 2021, Google announced that it would switch on 2FA by default.

Consumer-led cybersecurity is vital

For most consumers today, security is already a top concern. Informed consumers are beginning to demand that companies and manufacturers integrate security into their products and demonstrate their commitment to it. One area where this is already happening is internet of things devices.

Meanwhile, consumer protection bodies, companies and academia are exploring the use of security and privacy labels for devices (akin to nutritional fact labels) to equip consumers with information at the moment of purchase. Efforts are moving forward internationally in the UK, Finland and Singapore.


This article was republished from World Economic Forum under a Creative Commons license to point warfighters and national security professionals to reputable and relevant war studies literature. Read the original article.


Lisette Guittard

Lisette Guittard is Global Head of Cyber Secure User Experience of Banco Santander. This article does not constitute endorsement of Analyzing War by the author/s.
