“People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.” This quote is from the book Secrets and Lies: Digital Security in a Networked World, written by well-known cybersecurity expert Bruce Schneier and first published in 2000.
Some experts, including Ciarán Mc Mahon, Ph.D., a faculty member at University College Dublin and director of the Institute of Cyber Security, suggest that this quote is the reason the adage “humans are the weakest link” has become part and parcel of the digital world.
“While its intellectual origins predate the industry by several decades, if not centuries, for our present purposes we need go back no further than the beginning of this millennium,” writes Mc Mahon in his July 2020 Frontiers in Psychology article In Defence of the Human Factor. “Since then, cybersecurity discourse has been awash with this cliché.”
Chains consist of more than one link
Mc Mahon begins by asking us to consider “information security” as a chain. “I don’t think it unreasonable to deduce that this chain is intended to be protecting the assets, information, and finances of some organization,” he submits. “Apart from the ‘human factor,’ this chain comprises technical, physical, or similar synthetic links.”
If we humans are the weakest link, the implication is that the other links in the chain–hardware and software, for example–are more robust and more secure. Put simply: computers don’t make mistakes, people do.
Does this argument hold up under scrutiny?
Technology may not make mistakes, but it seems to have issues according to well-known technologist and writer Quinn Norton. “Everything is broken,” writes Norton in her The Message article Everything is Broken. “It’s hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire. Computers, and computing, are broken.”
To back Norton’s contention, Mc Mahon offers Apple’s mobile operating software as an example: “Between 1 January and 31 December 2019, Apple released ~20 security updates to its most recent versions (i.e., 12 and 13) of its mobile operating system, iOS.”
To drive his point home, Mc Mahon expresses wonder at why we tolerate flawed software. “In any other sphere of consumer activity, this level of patching would not be tolerated,” contends Mc Mahon. “Imagine telling car owners that they must fix their car practically every fortnight if they want to keep driving it safely. And if accidents occurred in such a scenario, would we blame the stupid drivers?”
What is human error?
Getting back to people being the weakest link, the current go-to explanation for that weakness is human error. There is an incredible number of definitions of human error from which to choose. Wikipedia offers the following:
“Human error refers to something [that] has been done that was ‘not intended by the actor; not desired by a set of rules or an external observer; or that led the task or system outside its acceptable limits.’ In short, it is a deviation from intention, expectation, or desirability.”
That sounds simple enough, but there is a whole slew of academics who are willing to tell you that human error is a meaningless concept. Erik Hollnagel, Ph.D., a leading safety expert, offers the following suggestion in his paper The NO view of ‘human error’:
“The ‘no view’ simply says that ‘human error’ is not a meaningful category and that we therefore should stop using it. The argument is that all human activity–individually and/or collectively–is variable in the sense that it is adjusted to the conditions. The variability is therefore a strength, indeed a necessity, rather than a liability.”
Hollnagel uses software detection of phishing attacks as an example. He contends that a sufficiently trained user would be more apt to spot a new phishing attack than technology.
Hollnagel doesn’t let us humans off the hook, though. “We still need, of course, to account for the variability of human performance,” Hollnagel adds. “One example of that is provided by The ETTO Principle.”
Based on the Wikipedia definition, the efficiency-thoroughness trade-off principle (ETTO principle) explains that “there is a trade-off between efficiency or effectiveness on the one hand and thoroughness (such as safety assurance and human reliability) on the other. In accordance with this principle, demands for productivity tend to reduce thoroughness while demands for safety reduce efficiency.”
Questions to consider regarding humans and cybersecurity
Mc Mahon is adamant about removing the finger-pointing. He created the following list of questions we should ask whenever we hear someone suggest that human beings are the weakest link:
What are the other links in this chain, and how secure are they?
Has the human been automated out of the system in question?
Am I blaming the victim of a crime? Am I treating end users fairly and transparently?
Fundamentally, why are we pushing such a pessimistic vision of human capability? Who exactly are we serving with such a message?
Mc Mahon and Hollnagel both point out that humans, far from being the weakest link, may be the most vital link when it comes to attacks that are always morphing, in particular those aimed directly at humans.