Will data, metrics and a scientific approach eventually eliminate all human cyber risk?

Written by Oz Alashe MBE, CEO and founder of CybSafe, Winner of Digital Leader 100 SME of the Year 2019

In 1971, astronaut David Scott stood before cameras mounted on the Moon armed with a feather in his left hand and a hammer in his right.

“I guess one of the reasons we got here today,” Scott explains via a microphone hidden beneath his space suit, “was because of a gentleman named Galileo.”

Scott is preparing to test one of Galileo’s famous theories. The theory predicts that, in the absence of air resistance, both the hammer and the feather will fall at the same speed.

Scott holds both objects in his outstretched arms.

“I’ll drop the two of them here,” he continues, “and, hopefully, they hit the ground at the same time.”

Imperfect intuition

As several comments below the YouTube clip testify, what happens once Scott releases the objects defies belief. The feather and the hammer descend as equals. Moments later, they meet the Moon’s surface at exactly the same time.

For those of us who live on Earth, the scene is difficult to comprehend. Our intuition suggests that the heavy hammer should plummet while the light feather lags behind.

Could our intuition really be that far off the mark?

The answer is yes — because our intuition is imperfect. If you need several examples, take a second to look around.

You’ll be fooled into thinking that the Earth is flat, that it’s bigger than the sun and that the sun must be revolving around our stationary position, all of which have been disproven through scientific evaluation.

The scientific method

Science is, in many ways, the opposite of intuition. Where intuition is the ability to understand instinctively, science is the testing of assumptions through recorded data. Intuition is often imperfect. Arguably, science was born to account for its imperfections.

Unfortunately, when considering how to reduce human cyber risk, security professionals have historically had no other option than to rely on intuition. The field, after all, is relatively new. But it’s also a field that’s proving difficult to negotiate using intuition alone.

Today, for example, we know raising security awareness alone doesn’t reduce human cyber risk — counter to intuition. Similarly, it seems that demonstrating how to eliminate cyber risk rarely motivates people to do so.

With today’s “data revolution” now in full swing, should we consider moving away from intuition?

Data science is currently making everything from driverless cars to remote cancer diagnoses possible. Could data, measurement and a scientific approach help reduce — and even eliminate — human cyber risk?

Using data to reduce human cyber risk

Here’s how it works here at CybSafe.

First, we interrogate enormous datasets to reveal key indicators of human cyber risk, such as attitudes towards security. A second layer of interrogation reveals the variables that can move indicators of human cyber risk in the right direction (for example, what people think other people around them think about security).

Armed with our metrics, we design, build and launch security interventions that nudge certain variables in the right direction. By continuously monitoring all metrics, we can evaluate progress scientifically and ensure human cyber risk begins to fall. With AI machine learning, the whole process becomes automatic.

What’s perhaps most exciting is that the above isn’t science-fiction. It’s a method already in use today, with encouraging results. For example, we can now say with confidence that, after a scientifically designed CybSafe behaviour intervention, 91% of CybSafe users no longer exhibit high-risk phishing behaviours that contribute to human cyber risk.

Time to update

While the above is, for me at least, heartening, the question posed at the beginning of this article remains: if our industry continues to take steps in the right direction, will data, metrics and a scientific approach eventually eliminate all human cyber risk?

Personally, I think that’s unlikely. While I’m more optimistic than most, I find it difficult to envision a nearby future in which all human cyber risk has been relegated to the history books.

However, I’m also entirely convinced that a scientific approach, underpinned by deep data-driven insight, can demonstrably change security awareness, security behaviours and organisational culture for the better, dramatically reducing human cyber risk in turn. It’s irrefutable, and I think it’s time us security professionals updated our collective outlook.

All the way back in the 16th century, the scientific forefather Galileo Galilei highlighted the advantages of science over intuition.

Isn’t it time we took the lesson on board?

