The main thesis of Zimmermann and Renaud’s paper “Moving from a ‘Human-as-Problem’ to a ‘Human-as-Solution’ Cybersecurity Mindset” is that today’s cybersecurity practices treat every human in an organization as a vulnerability, when in reality only a small number of individuals are malicious actors. The resulting practice of treating everyone as a cybersecurity problem therefore does not work, and a change in mindset may instead be needed.
The authors applied the problematization approach described by Bacchi in “Analysing Policy” to make the case for transitioning from viewing humans as a problem to treating them as a solution to cybersecurity, a shift Zimmermann and Renaud dubbed moving from “Cybersecurity, Currently” to “Cybersecurity, Differently.” They worked through a series of questions to arrive at their conclusions and recommendations, following the process below.
In sum, Zimmermann and Renaud set out to show that treating humans as the weakest cybersecurity link is a flawed generalization. They argue that it is not reasonable to accept the existing wisdom without question.
To identify the problem, the researchers looked at three perspectives—those of governments, industries, and hackers.
Zimmermann and Renaud analyzed the government-identified problems in Australia, Canada, the U.K., the U.S., and New Zealand, as these countries are considered to have the most complete and comprehensive cybersecurity strategies. To determine the industry-identified problems, they used the annual threat reports of Cisco, Symantec, Palo Alto Networks, Check Point, and Microsoft. And to answer the question from the hackers’ perspective, they considered how hackers actually compromise systems.
The researchers summed up their findings in the following tables:
Almost all of the issues identified have to do with humans, regardless of their roles: software developers, policymakers, employees, and end users alike. At the governmental level, the problems mainly concerned humans’ lack of the knowledge, skills, and awareness needed to prevent, control, or respond to identified problems and malicious intent. Even the technological and process-related challenges trace back indirectly to human behavior, such as running outdated technology, overlooking software vulnerabilities, falling for phishing emails, not following security policies, and not taking shared responsibility for security.
All of this led to the conclusion that humans are the primary source of security risk and so are a problem to be dealt with. It is no wonder, therefore, that most if not all current cybersecurity solutions focus on addressing the human problem, in what Zimmermann and Renaud dubbed “Cybersecurity, Currently.”
Zimmermann and Renaud’s problem identification revealed the assumptions depicted in the image below about what cybersecurity should do.
In the diagram above, human behaviors are considered problematic, so organizations need to act to protect themselves from the consequences of those behaviors. Companies implement processes to impose control, and these are regularly reviewed to ensure that undesirable actions are curbed. Access to data and technology is tightly constrained to prevent breaches.
It is clear that cybersecurity today primarily focuses on controlling humans. While that may be effective at times, we need to factor in that the threat landscape changes all the time: hackers change their tools and tactics constantly, so controlling humans to prevent all threats may not work. Tightening policies and reinforcing compliance efforts in response to incidents is not always the answer. As the number of cyber attacks continues to rise, the researchers suggest that it may be time to consider changing the “Cybersecurity, Currently” mindset.
Zimmermann and Renaud recommend adopting the “Cybersecurity, Differently” mindset to make the world safer from threats. Instead of thinking of humans as a problem, we should think of them as a solution. Instead of using root cause analyses (RCAs) to find out who did something wrong, we should look at why things went wrong. We should also celebrate successes and replicate what was done right. Instead of telling people what not to do, we should encourage them to learn how to behave securely. Cybersecurity experts need to collaborate and communicate not just with one another but with end users, too. And there needs to be a balance between resistance and resilience. These principles are summed up by the diagram below.
This new mindset does not assume that humans will never make mistakes. It simply suggests that, rather than excluding people from coming up with solutions, they should be consulted. Only then, the authors argue, will cybersecurity actually work.
We believe that, as with any other problem, the best course of action is to take a step back and consider all factors before settling on a solution and taking action. And if you are to come up with the best solution, you will need to be as objective as possible, which means not taking assumptions or generalizations as fact. The same is true in cybersecurity. Even if humans can sometimes be the weakest link, that is not always the case.
Zimmermann and Renaud may well have it right: we may need to transition from the “Cybersecurity, Currently” to the “Cybersecurity, Differently” mindset for better protection against threats.
Afterword by Karen Renaud:
“Cyber security should not be a solo game. Working together, we can defeat the hackers – but we first have to abandon our usual mindset of considering employees to be ‘a problem’ to be controlled and constrained. Humans are not rule-following robots – they have tremendous potential in spotting anomalies and in problem solving. What we have to do is to acknowledge this and harness their potential to be part of the solution so that we can all work together to defeat the hackers.”
About Karen Renaud
Karen Renaud is a researcher interested in deploying behavioural science techniques to improve security behaviours. She is a Senior Lecturer at Strathclyde University. She is also a Visiting Professor at Rhodes University in South Africa and Abertay University in Dundee, as well as Professor Extraordinaire at the University of South Africa. You can learn more about Professor Renaud’s work on her website.