The human element of security are humans the weakest link

  • 格式:pdf
  • 大小:35.99 KB
  • 文档页数:2

The human element of security: are humans the weakest link?

Marcus Nohlberg, marcus@nohlberg.com

School of Humanities and Informatics, University of Skövde

Outline of objectives

The goal with this research is to learn about a not well researched approach to security, one that this

researcher, and several other researchers and professionals, believes to be of a great importance, even

if it often is overlooked for a number of reasons. As this field of research has not been extensively

researched before, knowledge from other disciplines should be used, and synthesized into new

knowledge. There should be a methodology developed for testing in order to see what extent the

problem has, and also to see if the protections, that also should be developed, actually work.

While research on the human element of security is complicated, lined with ethical dilemmas, and

perhaps by some even seen as not purely belonging in the field of information security, this study is

not only relevant, as shown by the literature, it is in fact perhaps even crucial. Because it is difficult,

because it is “un-pure”, because there are complications, that is why there are such weaknesses today!

Only if we embrace the area and try to learn from what is hard, and outside of our areas of expertise,

can we prevent this attacks and bridge the gaps of our knowledge.

Stage of the research

The author has done two preliminary studies, resulting in papers being published (Nohlberg, 2005

& Åhlfeldt & Nohlberg, 2005), and has completed all the mandatory courses needed for a PhD student

in Sweden. Currently the author is working on methods and on trying to validate if the overall research

objective and goal are relevant, thus making it possible to start the actual process of more concentrated

research.

When this is approved, the focus will be on actual research into the areas presented below.

The author is an industrial PhD-student, affiliated with the University of Skövde, and the company

Siguru (www.siguru.com), that specializes in solutions for information security management.

Research problem

This author’s research is about the human element of security. More precisely it is about attacks

specifically aimed against human weaknesses, so therefore it is not about chiefly technical attacks; it is

not about the errors humans do that can influence security. It is mainly focused around a technique

called social engineering. The greatest threat to security is that no matter how secure the system is in

itself, it is never more secure than its users.

Social engineering is used because it is often much easier to simply ask someone, a mark, for

information, than to prepare and conduct a complicated software or hardware attack (Granger, 2001;

Mitnick, 2002). While a social engineering attack typically is aimed against a limited amount of

people, some of the same psychological techniques can be used against a greater number of marks

when deploying for instance by e-mail using spam techniques. This approach is called Phishing.

“Phishing can be described as the marriage of technology and social engineering”. (Jakobsson, 2005,

pp. 3).

There are, thus, attacks aimed specifically towards humans and human behavior, using deception

and psychological triggers to make people comply with the wishes of the attacker. That the attacks are

potentially highly successful are argued by for instance Mitnick (2002), Hasle et al. (2005), Grazioli

(2004), Ogrill et al. (2004), Barrett (2003), Nohlberg (2005), Jagatic et al. (2005) etc.

Approach

In order to learn more about what the human element of security is, this author has separated the

field into three separate areas. The first area is “Knowing”, which is about actually learning more

about the field, what factors influence and, perhaps more importantly, what can be learned from other

areas of research. The second field is “Measuring”, dealing with the complexity and ethical dilemmas

of measuring human security. The third area is “Preventing”. While it is obviously relevant both to

know and measure a threat, in order for it to have a real world use, techniques for prevention are

crucial. The typical recommendation for protection today is education, argued by, for instance,

Mitnick (2002). While it is quite possible that education is the best approach for protection, it still

leaves a lot of questions to be answered, such as what is the best approach to educating about the

human element of security and attacks against it?

The three areas can be concluded into three research questions about the human element of security:

1. What is the human element of security?