To say that cybersecurity has gotten confusing and complicated is an understatement, yet many of the debates about information security have been ongoing for more than 30 years. Many of those debates have centered on semantics, education, compliance, security posture and practice, risk management and technology. Technology and compliance have advanced more rapidly than the other topics in the debate, with more than 5,000 cybersecurity vendors and over 30 global standards and cyber frameworks, both numbers still growing rapidly.
Security posture and practice have also evolved along with technology, which makes sense given that we have learned from our mistakes, or from events that resulted in a breach, in a trial-by-fire approach. The evolution of cyber information security has coincided with the rapid evolution of communications through the internet, connected networks and devices, and the need to compete for digital data in every industry and organizational setting. Processing speed, access, distributed services, automation and data markets have rendered traditional security practice obsolete, as cybercriminals have reverse engineered both the offensive and defensive tools we create to counter the legacy security measures already in place.
In the face of increased spending on cybersecurity, staff and the latest security approach, we fall further behind in what is called a cyber paradox, yet this is not a paradox at all. At least, it shouldn’t be a paradox because there is more that we still disagree on than we agree. It seems we all have an opinion about one or more aspects of cybersecurity but can’t agree on the things that make a material difference in outcomes that matter. Cybersecurity has become a consortium of competing camps each with a particular focus on a specific problem but lacking a comprehensive solution. I am equally guilty of espousing an approach to cybersecurity based on what I believe is a core issue.
The difference in opinion is a perennial problem that is partly driven by the opportunity to create a tool or technology to address a gap, or a perceived gap, but does little to inform a holistic approach. With that said, let me say up front that by dividing the cybersecurity space into micro solutions, we have collectively created vulnerabilities and missed an obvious gap in cyber information security: the impact on the human actors responsible for ensuring the security of data and access to proprietary systems.
If the focus had been on making security central to how humans use technology, share technology and data, and access technology for work and entertainment, would we be in the same position today? It is hard to say after 30 years of ignoring the human-machine interaction in every respect other than the user interface. Pandora's Box has been opened and it may not be possible to put the Genie back into the box, but it also may not be too late. So, what would it take? A mind shift.
Taking a Look at Vulnerabilities
If you are familiar with Zero Trust, that is exactly the type of mind shift needed in thinking about human actors, just as Zero Trust already applies to technology. Human error is often at the root of breaches and vulnerabilities in cyberspace, as will be demonstrated with two examples drawn from data breach reports. The risk of human error is often underestimated when innovation is valued above security and access to low- or zero-cost talent is welcomed. We may never know whether the Log4j vulnerability was a deliberate act or just a case of simple human error, but either way, Log4j is one of a number of major vulnerabilities that threaten the experiment we call the Internet.
The details of the error(s) tend to get buried in silence, but news of the vulnerability has spread rapidly. It hasn't taken attackers long to launch millions of attacks since the discovery of the Log4j vulnerability. Log4j has not yet been fully mitigated as of the writing of this chapter, but patches are being applied. The scope of the Log4j vulnerability is massive and may take years to fully address. This is the nature of human factor risks: the vulnerabilities are simple, yet the threats are large, highlighting the asymmetry of cyber risks. Log4j is yet another example of how risks at the human-machine intersection stay hidden until a major failure occurs. Risk assessments that focus only on known risks will seldom discover vulnerabilities like Log4j. A more comprehensive approach to risk assessment is needed to account for human factors and the inherent uncertainty in behavior.
Risk is a social and analytical experience with influencing factors that are not always obvious to decision makers. Risks in cyberspace are even harder to recognize. An example of a hard-to-recognize cyber risk, dubbed cognitive hacks, illustrates how skilled attackers target cognition to change behavior in order to get around security controls. Cyberattackers have become adroit observers of human behavior, conducting reconnaissance prior to an attack to avoid detection. It would stand to reason that cybersecurity professionals should also incorporate human factor risk analysis into their existing practice, but it has been a challenge getting risk professionals to pay attention.
Risk professionals need a more nuanced understanding of inherent risks as well as an awareness of residual risks. Risks are not one-dimensional. Three-dimensional risks require that cyber risk methodologies assume threats exist internally and externally in all devices, systems and networks, as well as among the people, partners and vendors who use them and are responsible for their security. That approach requires Zero Trust for humans as well as for technology.
Discovering The Human Desire
No one-size-fits-all approach is optimal, not even Zero Trust Architecture (ZTA). Cyber risk management involves a multilateral risk assessment of networked environments inclusive of all human activity, including that of attackers. Assuming otherwise is the same mistake made in subjectively defined risk frameworks. Instead of looking for a silver bullet solution, take the evidence of attacker success rates as confirmation that a silver bullet does not exist. This is like asking one risk metric to provide assurance that all organizational risks are being addressed.
This is an honest human desire, but a naïve one. Humans desire simple solutions in a complex world; nonetheless, simplicity is a complex design problem that takes time to develop. Risks are neither finite nor static, and a large majority of risks are yet to be discovered. The Covid pandemic is an example of how impatience leads to uncertainty instead of a return to normality. Uncertainty still exists whether or not a person can look around corners. Only once uncertainty is accepted can the methods of solving for it begin in earnest. Unlike risk, uncertainty can't be seen until it is experienced or is acknowledged as a risk. This fallacy in cognition is called an uncertainty bias.
Uncertainty bias is a real phenomenon. Ever wonder why some investors in financial markets complain about uncertainty when one political party is in office, yet when a different political party takes over the uncertainty miraculously disappears? That is one form of uncertainty bias; there are others. Uncertainty bias is situational. Uncertainty avoidance is how cultures differ in the amount of tolerance they have for unpredictability.
Uncertainty avoidance is one of five key qualities or dimensions measured by the researchers who developed the Hofstede model of cultural dimensions to quantify cultural differences across international lines to better understand why some ideas and business practices work better in some countries than in others. According to Geert Hofstede, “The fundamental issue here is how a society deals with the fact that the future can never be known: Should we try to control it or just let it happen?” Uncertainty acceptance is a societal choice. Some countries have experienced pushback in the Covid pandemic resulting in excessive death rates while other countries have lived safely through the virus.
Paradox Risk Management
The concept of risk is multidimensional and requires an arsenal of tools to address the social and analytical aspects of risk management more effectively. Cybersecurity is an excellent example for demonstrating why purely subjective approaches to risk management fail. Two reports of cyber breach data, presented by different technology service providers, are examined to find patterns in cyber threat behavior. The goal is to understand how to recognize cognitive risk patterns in the data in order to reframe how hidden risks continue to leave organizations vulnerable to attack.
Cyber risk is the most complex risk facing organizations today and will continue to be a critical challenge in a digital business environment. Cybercrime is estimated to cost trillions of dollars annually, continues to grow unabated, and has become a tax on businesses small and large. As the scope of cybercrime grows through ransomware, viruses, phishing attacks and other methods, the cost of defending against theft and data exfiltration has skyrocketed, along with insurance premiums and losses. The cyber paradox is the conundrum of cyber theft increasing faster than the cyber defenses meant to deter intruders. No entity is exempt: federal government agencies, corporations, military defense contractors and private enterprises have all experienced impacts. There are no simple solutions to the threat of cyber risk, but there is an opportunity to rethink how security can be implemented to narrow the gap between the threat and our defenses against it.