The biggest challenge in cybersecurity? Human nature

“We trust companies like we trust friends: you get screwed over once, and it’s an uphill – often almost vertical – battle to win you back.”

Read the original article on WIRED UK

They say that, on the internet, nobody knows you’re a dog.

Or, at least, they used to. As memes go, that image macro of whichever unwitting pup propped (painstakingly, fleetingly, trustingly) up with its paws on a keyboard, masquerading nominally as human, is unquestionably posing somewhere on the Venn diagram between ‘twee’, ‘nostalgic’ and ‘things from the internet your kids don’t remember, and will judge you for’. Panting mascot of portent he (or she) was not.

The 1993 New Yorker cartoonist originally responsible for the gag, Peter Steiner (the pencil that launched a thousand copy-dog memes) couldn’t possibly have guessed over 20 years ago how hot-button an issue anonymity and trust online would become: as bored script-kiddies, organised crime gangs and multi-billion-dollar government agencies sprouted, flowered and burst like cyber-spores onto an unsuspecting internet – targeting everyone and their nan (especially the nans) with schemes designed to exploit trust. The more we rely on devices for the day-to-day running of our lives, the lower we dangle like fruit for criminals who needn’t – necessarily – be much more security-conscious than your average user.

“Folks who have been tasked with cybersecurity have been, for the past few decades, building defenses using a model of isolation,” says Allison Miller, Product Manager in Security and Privacy at Google. “But what’s happening with technology today – particularly consumer technology – is that we are becoming interconnected… People have become the new target. As opposed to, for example, all attackers focusing on getting into sensitive enterprises to get their corporate data, there’s a lot of bad behaviour that ends up getting focused on users.”

Miller and Google’s security team are building the tools that gently (or in some cases, urgently) steer users safely away from sites that might have been designed or compromised to install malware or phish for personal data. Perhaps the most readily familiar example of the team’s work is the joltingly all-red Chrome warning screen: the page to which a user gets diverted should they stray, unwittingly, into dangerous territory; the online equivalent of being tackled to the ground by a rugby player before you dive, ball-in-hand, onto a landmine.

It’s an example of why internet users need security teams working unseen on their behalf: as online attack vectors become more and more numerous and sophisticated, the average user just can’t – and can’t be expected – to keep up.

And that’s a problem that doesn’t just apply to individuals: while the enormous, household-name internet companies can afford to throw diamond after gold brick at protecting their data (even then not always successfully), smaller companies rely just as heavily on consumer trust, and have to decide how much budget to allocate to it from comparatively thimble-sized pots.

“[That’s] the question of the ages: how do you determine how much to invest in security?” says Miller, of the line between protection and paranoia for smaller companies. “And that is not something I can answer simply… It’s worth it to sit down and figure out what is most valuable to you, what you have that might be most valuable to folks who would do ill or might potentially take advantage of you.

“The complexity rises as you go from being an individual to being an organisation, but unfortunately… I think large enterprises are in the best position to find experts who will help them what’s at [risk] and how to protect it.”

Whatever their size, companies that misjudge the allocation of resources for security (or are just unlucky) stand to lose more than just client information and money. Data dumps of users’ info – as any former Ashley Madison member might tell you – also cost companies a second digital currency: trust. Human nature doesn’t scale up well to the company that – through bad luck or negligence – is ultimately responsible for your credit card details ending up on a mile-long list of account numbers and sort codes swapping back and forth on the dark web. We trust companies like we trust friends: you get screwed over once, and it’s an uphill – often almost vertical – battle to win you back.

“Institutional trust was not designed for the digital age,” says Rachel Botsman, three-time-TED speaker on how trust translates into the digital world and author of ‘What’s Mine is Yours’ and the upcoming ‘Who Can You Trust?’. “What I mean by that is if you think of risk mechanisms, whether that be the way we think about government, or regulation, or insurance contracts – they were all designed during the industrial revolution and haven’t really evolved that much. So when we talk about institutions rebuilding trust, there is this belief that we can go back to this institutional era of trust that was very opaque, very top-down and very decentralised.”

The interim solution is already here, albeit in nascent form: ‘trust scores’. eBay was built on them; so too companies like Amazon, Airbnb and TripAdvisor. In lieu of knowing a stranger in person, we trust a combination of star ratings, reviews and the numbers thereof. The mass decentralisation of the internet forces us to trust not a stranger, but an aggregate: a web of dozens, hundreds or thousands of strangers. As it is now with the auctioning of celebrity autographs or the buying of an impregnable sub-£20 pop-up tent, so it will be with banks, public institutions – maybe even governments.

“I think these rate and review systems are inevitable, and I think these will be the tools that we use to assess trustworthiness,” Botsman says. “I’m not saying that should be the goal. Trust is highly contextual.

“If the goal is to increase trustworthiness, whether that’s a corporation or an individual, you’ve basically got two ways of doing that. The old way was through legislation and regulation, which led to more standards and more compliance. I’m not saying that’s going to go away. But the other option is: how do you provide information that empowers individuals to assess trustworthiness themselves? And that’s what I think we’re in the very, very early stages of figuring out.”

All of which neatly covers two extremes on a spectrum. If you’re a one-person business – a consultant or freelance-anything – your ‘trust score’ will be up there on your CV above and below your name. At the other end: if you’re a million-or-billion pound enterprise and slip up, there’s no cushion like cash. The question is: what about the people in the middle? Where is the room for experimentation, failure, progress, if the internet’s web of strangers turns against your company in its first week?

“I think that small businesses are in an interesting spot, because they don’t necessarily have the investment or the technical expertise of an enterprise, but they have to think like an organisation,” says Miller. “They have to think in a different way to individuals, and to me: that’s where the biggest gap or question mark is in cybersecurity today.”
