The human element of security are humans the weakest link
- 格式:pdf
- 大小:35.99 KB
- 文档页数:2
The human element of security: are humans the weakest link?
Marcus Nohlberg, marcus@nohlberg.com
School of Humanities and Informatics, University of Skövde
Outline of objectives
The goal with this research is to learn about a not well researched approach to security, one that this
researcher, and several other researchers and professionals, believes to be of a great importance, even
if it often is overlooked for a number of reasons. As this field of research has not been extensively
researched before, knowledge from other disciplines should be used, and synthesized into new
knowledge. There should be a methodology developed for testing in order to see what extent the
problem has, and also to see if the protections, that also should be developed, actually work.
While research on the human element of security is complicated, lined with ethical dilemmas, and
perhaps by some even seen as not purely belonging in the field of information security, this study is
not only relevant, as shown by the literature, it is in fact perhaps even crucial. Because it is difficult,
because it is “un-pure”, because there are complications, that is why there are such weaknesses today!
Only if we embrace the area and try to learn from what is hard, and outside of our areas of expertise,
can we prevent this attacks and bridge the gaps of our knowledge.
Stage of the research
The author has done two preliminary studies, resulting in papers being published (Nohlberg, 2005
& Åhlfeldt & Nohlberg, 2005), and has completed all the mandatory courses needed for a PhD student
in Sweden. Currently the author is working on methods and on trying to validate if the overall research
objective and goal are relevant, thus making it possible to start the actual process of more concentrated
research.
When this is approved, the focus will be on actual research into the areas presented below.
The author is an industrial PhD-student, affiliated with the University of Skövde, and the company
Siguru (www.siguru.com), that specializes in solutions for information security management.
Research problem
This author’s research is about the human element of security. More precisely it is about attacks
specifically aimed against human weaknesses, so therefore it is not about chiefly technical attacks; it is
not about the errors humans do that can influence security. It is mainly focused around a technique
called social engineering. The greatest threat to security is that no matter how secure the system is in
itself, it is never more secure than its users.
Social engineering is used because it is often much easier to simply ask someone, a mark, for
information, than to prepare and conduct a complicated software or hardware attack (Granger, 2001;
Mitnick, 2002). While a social engineering attack typically is aimed against a limited amount of
people, some of the same psychological techniques can be used against a greater number of marks
when deploying for instance by e-mail using spam techniques. This approach is called Phishing.
“Phishing can be described as the marriage of technology and social engineering”. (Jakobsson, 2005,
pp. 3).
There are, thus, attacks aimed specifically towards humans and human behavior, using deception
and psychological triggers to make people comply with the wishes of the attacker. That the attacks are
potentially highly successful are argued by for instance Mitnick (2002), Hasle et al. (2005), Grazioli
(2004), Ogrill et al. (2004), Barrett (2003), Nohlberg (2005), Jagatic et al. (2005) etc.
Approach
In order to learn more about what the human element of security is, this author has separated the
field into three separate areas. The first area is “Knowing”, which is about actually learning more
about the field, what factors influence and, perhaps more importantly, what can be learned from other
areas of research. The second field is “Measuring”, dealing with the complexity and ethical dilemmas
of measuring human security. The third area is “Preventing”. While it is obviously relevant both to
know and measure a threat, in order for it to have a real world use, techniques for prevention are
crucial. The typical recommendation for protection today is education, argued by, for instance,
Mitnick (2002). While it is quite possible that education is the best approach for protection, it still
leaves a lot of questions to be answered, such as what is the best approach to educating about the
human element of security and attacks against it?
The three areas can be concluded into three research questions about the human element of security:
1. What is the human element of security?