Ergo & Wellbeing Ltd

The Synergy between Human Factors and Cybersecurity

Batman and Robin, Butch Cassidy and the Sundance Kid, cybersecurity and Human Factors. What do they all have in common? They all have synergy. When thinking about cybersecurity, one does not automatically think about the relevance of Human Factors. However, this blog will attempt to enlighten the reader on the importance of the synergy between cybersecurity and Human Factors.

First, we need some definitions so that we are all on the same page. Cybersecurity can be defined as the technologies, processes and people that are designed to protect systems, networks and data from cyber attacks. Human Factors can be defined as improving the interactions between humans and machines.

The golden rule of cybersecurity is that “the human is the weakest link”. This claim can be backed up by the fact that 95% of all cybersecurity incidents are caused by human error (Clark and Misstear, 2021). This is where Human Factors comes into play, since the human is a fundamental part of where things can go wrong in cybersecurity. Since the human is the end user, Murphy’s Law, “anything that can go wrong will go wrong”, and the phrase ‘to err is human’ should be carefully considered in cybersecurity.

A first step to improve cybersecurity, on an individual level, is by implementing multi-factor authentication (MFA). This applies when there is more than one step to access a given system. There are three main categories of factor. MFA combines something that you:

know (a password)

have (a phone or email account to which another code is sent)

are (biometrics, such as a fingerprint or iris scan)

While using MFA is far more secure, it can often be perceived as inconvenient. Reliance on MFA is better assured if users understand why they should follow the steps. The instructions also need to be clear and intuitive, and the authentication needs to be seamless, which helps to improve the user experience (UX).

Organisational culture is a key way to combat cyber threats and attacks. Organisational culture is how an organisation defines its shared values and assumptions about how people behave and interact and how work activities should be carried out. Therefore, an organisation’s cybersecurity culture determines how secure it is. A robust organisational culture is vital to improve cybersecurity and can be fostered by providing training for employees on appropriate behaviour, assumptions and values: for example, by encouraging strong passwords, implementing MFA, banning the use of USB storage devices and thinking twice about what is said and shared in emails. Employees’ social media posts and images are often used and abused by social engineers to achieve their aims too. It would also be wise to enlighten employees on best practice when sharing information.

Social engineering is a form of psychological manipulation of individuals and a popular tactic among hackers as a first step to gain access to personal information or entry to a system. Individuals should remain vigilant for forms of social engineering such as (spear) phishing, vishing and smishing. Phishing is when an electronic communication pretends to come from a legitimate source but is in fact an attempt to install malware on the recipient’s device or to get sensitive information from the recipient. Impersonation is another tactic used. Avoiding falling for social engineering also includes thinking twice about holding a door open to the business for someone you have never seen. Such a person could walk straight to the system they want access to without even being stopped.

The Swiss Cheese Model (SCM) is an important concept in risk analysis and management and in error prevention, and is relevant to and used in both (cyber)security and Human Factors. The SCM is helpful for identifying weak spots, developing strategies to avoid weaknesses and errors, and demonstrating the value of adding additional layers of protection to any system. Think of the holes in the cheese as places where cyber attacks can penetrate. Having many layers of cheese (protection) makes it far harder for the holes to line up, i.e. it makes it harder for cyber threats to penetrate a system.
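The layering argument above can be put into numbers. The following is an added illustration, not code from the original post: each layer is given a constructed "hole fraction" (the share of attacks it lets through), the chance of an attack passing every layer is computed, and a small Monte Carlo run shows the caveat that a shared human cause (for example one tired employee who bypasses several controls at once) undoes much of the benefit, because the holes are then no longer independent.

```python
"""Swiss Cheese Model arithmetic: how layered defences reduce breach probability.

The layer names and hole fractions below are constructed for illustration;
they are not measurements from any real organisation.
"""
import random

# Constructed example: fraction of attacks each layer fails to stop.
LAYERS = {
    "awareness training": 0.30,   # 30% of phishing mails still get a click
    "multi-factor auth":  0.05,   # 5% of stolen passwords still lead to login
    "email filtering":    0.40,   # 40% of malicious mails reach the inbox
}


def breach_probability(hole_fractions):
    """Probability that one attack passes every layer, assuming the layers
    fail independently (the holes line up only by chance).
    """
    p = 1.0
    for h in hole_fractions:
        p *= h
    return p


def marginal_benefit(hole_fractions, new_layer_hole):
    """Return (breach probability before, after) adding one more layer."""
    before = breach_probability(hole_fractions)
    after = breach_probability(list(hole_fractions) + [new_layer_hole])
    return before, after


def simulate(hole_fractions, trials, shared_cause=0.0, seed=1):
    """Monte Carlo estimate of the breach rate over `trials` attacks.

    shared_cause is the fraction of attacks in which one underlying human
    error opens a hole in every layer at once, breaking independence.
    """
    rng = random.Random(seed)
    breaches = 0
    for _ in range(trials):
        if rng.random() < shared_cause:
            breaches += 1            # every layer fails together
            continue
        if all(rng.random() < h for h in hole_fractions):
            breaches += 1            # the holes happened to line up
    return breaches / trials


if __name__ == "__main__":
    holes = list(LAYERS.values())
    print("independent layers:", breach_probability(holes))
    print("plus a 4th layer with hole 0.5:", marginal_benefit(holes, 0.5))
    print("with 5% shared cause:", simulate(holes, 20000, shared_cause=0.05))
```

With independent layers the breach probability is the product of the hole fractions, so every added layer shrinks it multiplicatively; with a shared cause the breach rate floors at that shared fraction no matter how many layers are stacked.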

The term industrial espionage covers a range of activities performed to gain competitive advantage or to sabotage, and involves insider and outsider threats. This is where human motivation and the ability to penetrate systems meet in a destructive manner. Insider threats could be an aggrieved employee who has a bone to pick with a company. Make the working conditions and salaries conducive to happy employees. Outsider threats could be rival companies trying to access information to gain commercial advantage. There could also be state actors if the organisation or company deals with systems that are sensitive to national security.

Autonomous systems include autonomous control of buildings, warehouses or vehicles, UAVs, robots that interact with humans and software for assisting human tasks. Whilst an autonomous system can greatly assist humans in hazardous, physically or cognitively demanding tasks and environments, as well as process and analyse vast quantities of data across entire systems, it will still have vulnerabilities. Implementing Human Factors and security strategies such as modelling, surveillance, vigilance and training is essential. All lines of technological and human defence need to be implemented, given the huge security and safety implications if a system is breached.

There is a common misconception that cyber threats are carried out by hoodie-wearing hackers in a darkened room, frantically typing to create persistent and unstoppable threats. The reality is that the human on the receiving end has many simple lines of defence that can make the cyber attackers' efforts far more difficult. None of the techniques mentioned in this blog need any advanced technical training to mitigate the risk of cyber attacks. The implementation of Human Factors and an increased awareness and understanding of cyber threats can significantly improve the cybersecurity of a system.