Human-Centered Cyber Security
In our vastly interconnected world, we are also massively vulnerable. Every device we wear and every account we create is one more way for attackers to trick, exploit, and harm us, and they do. Attacks are constant, and they keep getting cheaper and more sophisticated, whether the attacker is a teenager at your local coffee shop or a foreign organized crime syndicate. Want to launch a DDoS attack? A DDoS-for-hire service will rent you one for about $5 and a few mouse clicks. Need a zero-day exploit? Practically any government (or organized crime group) can buy one, prepackaged, for the right price.
As the Internet of Things permeates society and our online profiles keep growing, this is not going to change; it is going to get much, much worse. If we keep marching down our current path, the end state will not be cyber security but total insecurity. It is time we took the human-centered design principles of innovation and entrepreneurship and applied them to security.
Cyber Security Today
As it stands, modern cyber security is extremely inconvenient. If I want to reduce my risk of data theft as far as possible, I have to install privacy plugins, set up a Virtual Private Network (VPN), and switch to messaging apps with end-to-end encryption. If I want to make my accounts as safe as possible, I need to create strong passwords, use a different one for every account so that one breach does not unlock the rest, and turn on multi-factor authentication. In short: if we want to be safe online, we have to go out of our way to do it.
Sure, staying totally "off the grid" like a rogue hacker from a Hollywood film will always require some technical upkeep. But we should not have to do this much work to reach a baseline level of security. Security is time-consuming, it is rarely the default option, and in software design it is pitted directly against convenience.
“Practical Human Security”
With a friend and peer, I just co-authored the series “Practical Human Security” to this end. We challenge the current state of security education and training (or lack thereof), combining knowledge in cyber security, cyber psychology, social engineering, systemic theory, Bloom’s taxonomy, learning theory, behavioral economics, and the decision sciences.
By understanding cognitive and cultural biases, we argue, organizations can fundamentally change how safely and securely their employees behave when in cyberspace. Our series isn’t the focus of this article, though (although you can read the first piece here, the second piece here, and the third piece here); instead, I want to draw the entrepreneurial community’s attention to this need — human-centered cyber security. Through leveraging innovative principles of ethnography, rapid prototyping, and human-centered design, we can drastically improve everyone’s security behavior (not to mention make some money in the process).
Ethnography and Convenience
Ethnography — the systematic study of people and cultures — has recently emerged as a popular (and effective) technique in product design. By analyzing situations from a user’s perspective, we’re better able to understand their drives, desires, and “pain points,” all in the service of a better customer experience. This is incredibly powerful; as Tim Brown puts it,
“Empathy is at the heart of design. Without the understanding of what others see, feel, and experience, design is a pointless task.”
Leveraging ethnography has allowed countless entrepreneurs to design better products that users are more likely to buy. Contrast this with the cyber security experience of the average user and it is easy to see that the human is not the center of the design; in fact, the human is largely not considered at all. Security is pitted directly against convenience and designed without regard for our biases and predispositions; it is unnatural. This needs to change. By understanding how employees, customers, and citizens in general actually use their devices, and by empathizing with what drives those experiences, we will be better able to engineer security practices that are convenient enough to be followed.
Defaults and Security-by-Design
Another element touched upon in our article series is the power of defaults. Because of status quo bias, our aversion to putting effort into change, we humans tend to stick with the default option in any set of choices. Economists Richard Thaler and Cass Sunstein demonstrated this in their book Nudge with everything from college dining buffets to corporate 401(k) plans.
The vast majority of digital technology is not secure by default. From smartphones, tablets, and wearables to surveillance cameras, servers, and IoT devices, many of the machines our society relies on day in and day out ship insecure out of the box. Default passwords are weak, and often the same on every unit of a product line; basic security features are overlooked; multi-factor authentication and encryption are opt-in and have to be turned on by hand. Inconvenience is the name of the game.
Most people stick with this default, cyber insecurity, because it is what technology developers hand them. Flip the paradigm in favor of the human (as we specifically outline in our articles) and the world becomes more cyber-secure for the simple reason that technology is, by default, more cyber-secure.
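To make "secure by default" concrete, here is an added example (not code from the original article or its authors) that audits a device's shipped configuration against a secure-by-default policy and generates the configuration a device should ship with instead. The configuration keys, the short list of factory passwords, and the sample camera configs are all constructed for this illustration; real default-password lists run to thousands of entries.

```python
import secrets
import string

# Constructed for this example: a handful of well-known factory passwords.
# A real audit would use a much larger list, but the check is the same.
KNOWN_FACTORY_PASSWORDS = {"admin", "password", "12345", "1234", "root", "default", ""}


def audit_defaults(config: dict) -> list[str]:
    """Return the ways a shipped configuration falls short of secure-by-default.

    An empty list means there is nothing to flag. The keys are hypothetical
    names chosen for this example, not any vendor's real schema.
    """
    findings = []
    pw = config.get("admin_password", "")
    if pw.lower() in KNOWN_FACTORY_PASSWORDS:
        findings.append("admin password is a well-known factory default")
    elif len(pw) < 12:
        findings.append("admin password is shorter than 12 characters")
    if config.get("password_shared_across_units", False):
        findings.append("same credential on every unit: one leak exposes the whole product line")
    if not config.get("force_password_change_on_first_login", False):
        findings.append("first login does not force a credential change")
    if not config.get("mfa_enabled", False):
        findings.append("multi-factor authentication is off and must be enabled by hand")
    if not config.get("storage_encrypted", False):
        findings.append("storage encryption is off and must be enabled by hand")
    if config.get("remote_admin_exposed", False):
        findings.append("remote administration is reachable from the network by default")
    return findings


def secure_default_config(device_serial: str) -> dict:
    """The configuration a device should ship with: a per-unit random
    credential and every protective feature already switched on."""
    alphabet = string.ascii_letters + string.digits
    return {
        "device_serial": device_serial,
        # 16 characters drawn from 62 symbols with the CSPRNG: about 95 bits,
        # and different on every unit, so a leaked manual helps nobody.
        "admin_password": "".join(secrets.choice(alphabet) for _ in range(16)),
        "password_shared_across_units": False,
        "force_password_change_on_first_login": True,
        "mfa_enabled": True,
        "storage_encrypted": True,
        "remote_admin_exposed": False,
    }


# Constructed sample: what an out-of-the-box camera config frequently looks like.
INSECURE_OUT_OF_BOX = {
    "device_serial": "CAM-0001",
    "admin_password": "admin",
    "password_shared_across_units": True,
    "force_password_change_on_first_login": False,
    "mfa_enabled": False,
    "storage_encrypted": False,
    "remote_admin_exposed": True,
}


if __name__ == "__main__":
    for finding in audit_defaults(INSECURE_OUT_OF_BOX):
        print("FLAG:", finding)
    print("secure-by-default findings:", audit_defaults(secure_default_config("CAM-0002")))
```

The point of the example is where the effort sits: the insecure configuration asks the owner to do six things after unboxing, while the secure one asks the manufacturer to do them once at provisioning time and leaves the owner with nothing to opt into.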
Cyber security is still an underappreciated and grossly understaffed field, yet it is critical to our digital world, from political systems to global economic markets. For those who enter it with innovative ways to make it better, there is a lot of money to be made.
To that end, we need to fundamentally rethink how we approach security. This goes for technology developers, policymakers, academics, educators, students, and entrepreneurs alike. We need to study human cyber behavior ethnographically to understand what people actually want from technology. We need to bring an innovative mindset to security rather than give up because "everything gets hacked sooner or later." It is time we remembered the human, and remembered that the human needs to be at the center of security.