# Writeup 0: Human Factors in Cybersecurity

###### tags: `Cybersecurity`, `Social Engineering`, `Human Factors`

---

<div style="text-align: justify">

When it comes to cybersecurity, algorithms and software act as our primary lines of defense. We are often concerned with fortifying those algorithms and implementing more robust protocols. However, the weakest link in this chain of defense is not found in lines of code or cryptographic keys—it's us, humans. Despite constant efforts in the development of security systems, the "human" factor is one problem that almost always persists. No matter how intricately designed a security system may be, it can never be free from the influence of human factors. Regardless of whether you're storing your data on a server in some "safe" data center or keeping a 30-character password made of all your waifus' names in a hidden notepad file, the risk introduced by our human nature always looms in the distance.

<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/BkjHPw7oT.jpg" alt="cyberkek">
</div>

With that being said, let us delve deeper into the implications of human factors and their relationship with computer security.

**Mental Shortcuts and Biases:** It is a natural part of human nature to constantly seek efficiency and rely on mental shortcuts. This remains true especially when it comes to storing long passwords. Attackers exploit these shortcuts by crafting messages that appeal to our ingrained biases. For example, a phishing email might leverage urgency bias by claiming your account is locked "unless you act immediately," triggering a panicked response that bypasses critical thinking (Gupta & Jain, 2020). It is natural for people to like convenience. In fact, humans are susceptible to cognitive biases like heuristics, mental shortcuts that make problems simpler and avoid mental overload. This preference for simplicity may lead to overlooking security measures, creating vulnerabilities.
**Manipulation Tactics:** We are emotional creatures, and sometimes attackers understand how to manipulate and exploit our emotions (Purvis et al., 2017). Strategies that capitalize on human emotionality can be effective, especially against those who are not very familiar with the internet. A common example is an ad that displays an enticing message like "You just won a new iPhone 15!". At first glance this might seem ineffective, but it does pose a threat to unaware victims (most likely those of the older demographic), since it can pressure them into making rash decisions, not knowing they've just clicked a malicious link and/or introduced malware into their system (Shute et al., 2018).

<div style="text-align: center;">
<img src="https://hackmd.io/_uploads/BJOITj7jT.jpg" alt="gramma">
</div>
<br>

In addition, trust is also a core part of human emotion that is prone to manipulation. Familiarity breeds trust, and attackers exploit this by mimicking legitimate software, websites, or even email addresses of known contacts (National Institute of Standards and Technology, 2020). A seemingly harmless notification from "your bank" can easily trick someone into entering personal details, unknowingly granting access to their data (Shute et al., 2018).

**Phishing Schemes:** We often seek information that confirms our existing beliefs, making us vulnerable to phishing attempts that align with our hopes or expectations (CISA, 2023). An attacker posing as a recruiter might exploit someone's job search by offering a dream opportunity, bypassing skepticism because the victim strongly desires that outcome (Anderson, 2019).

**Social Influence:** Humans are social creatures, influenced by the behavior and expectations of others. Attackers leverage this by creating a sense of urgency or conformity. A phishing email claiming everyone in the office has already clicked a link can pressure someone into doing the same, for fear of social exclusion (Talukder, 2020).
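To make the cues above concrete from the detection side, here is an added example (not part of the original writeup) of a small heuristic scorer in the spirit of the heuristics-based phishing detection that Gupta & Jain (2020) describe. It flags the urgency, prize-lure and conformity phrasing discussed above, plus senders whose domain merely resembles that of a known contact (the "familiarity breeds trust" tactic). The contact list, regular expressions, score weights and sample messages are all constructed for the example; a real deployment would tune them against its own mail.

```python
"""Heuristic social-engineering cue scorer (added example; constructed data)."""
import re
from dataclasses import dataclass, field

# Display names the user already trusts and the domain they really mail from.
# Constructed for the example; a real list would come from the address book.
KNOWN_CONTACTS = {
    "it helpdesk": "example-corp.com",
    "payroll": "example-corp.com",
}

# One regex family per manipulation tactic from the text. Matching any pattern
# in a family adds the family's weight once.
CUE_FAMILIES = {
    "urgency": [
        r"\baccount (?:is|has been|will be) (?:locked|suspended)\b",
        r"\bimmediately\b",
        r"\bwithin \d+ hours?\b",
        r"\bact now\b",
        r"\bfinal (?:notice|warning)\b",
    ],
    "lure": [
        r"\byou(?: have|'ve)? (?:just )?won\b",
        r"\bclaim your (?:prize|reward|gift)\b",
        r"\bdream (?:job|opportunity)\b",
    ],
    "conformity": [
        r"\beveryone (?:in the office |else )?(?:has )?already\b",
        r"\byou(?:'re| are) the only one\b",
        r"\bleft out\b",
    ],
}
FAMILY_WEIGHT = 2     # any text cue family
LOOKALIKE_WEIGHT = 3  # sender domain imitates a known contact's domain
MISMATCH_WEIGHT = 2   # known display name, unrelated domain


@dataclass
class CueReport:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.score >= 4:
            return "likely phishing"
        if self.score >= 2:
            return "suspicious"
        return "no cues"


def is_lookalike(actual: str, expected: str) -> bool:
    """True when `actual` imitates `expected`: the real domain embedded in a
    longer one, or a single substituted / inserted / dropped character.
    Exact matches and genuine subdomains are not lookalikes."""
    if actual == expected or actual.endswith("." + expected):
        return False
    if expected in actual:  # e.g. example-corp.com.evil.test
        return True
    if len(actual) == len(expected):
        return sum(a != b for a, b in zip(actual, expected)) == 1
    if abs(len(actual) - len(expected)) == 1:
        shorter, longer = sorted((actual, expected), key=len)
        return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))
    return False


def score_message(display_name: str, from_addr: str, subject: str, body: str) -> CueReport:
    """Score one message; reasons explain every point so a user can learn from it."""
    report = CueReport()
    expected = KNOWN_CONTACTS.get(display_name.strip().lower())
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if expected is not None:
        if is_lookalike(domain, expected):
            report.score += LOOKALIKE_WEIGHT
            report.reasons.append(f"sender domain {domain!r} imitates {expected!r}")
        elif domain != expected and not domain.endswith("." + expected):
            report.score += MISMATCH_WEIGHT
            report.reasons.append(f"{display_name!r} normally mails from {expected!r}, not {domain!r}")
    text = f"{subject}\n{body}".lower()
    for family, patterns in CUE_FAMILIES.items():
        for pattern in patterns:
            match = re.search(pattern, text)
            if match:
                report.score += FAMILY_WEIGHT
                report.reasons.append(f"{family} cue: {match.group(0)!r}")
                break  # one hit per family is enough
    return report


# Constructed sample messages mirroring the tactics described above.
SAMPLE_MESSAGES = [
    dict(display_name="IT Helpdesk", from_addr="support@example-corp.co",
         subject="Account locked",
         body="Your account has been locked. Act immediately and verify within 24 hours."),
    dict(display_name="Prize Desk", from_addr="promo@win-now.example",
         subject="You just won a new iPhone 15!",
         body="Claim your prize today. Everyone in the office has already claimed theirs."),
    dict(display_name="Payroll", from_addr="hr@example-corp.com",
         subject="March payslip",
         body="Your March payslip is now available in the HR portal."),
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        report = score_message(**msg)
        print(f"{msg['subject']!r}: {report.verdict} (score {report.score})")
        for reason in report.reasons:
            print("   -", reason)
```

The point of keeping a `reasons` list rather than just a score is the educational one the writeup makes: showing a user *which* cue tripped the filter ("urgency cue: 'account has been locked'") is the feedback that slowly counters the bias, whereas a bare spam score teaches nothing.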
Falling victim to these traps can have significant consequences. Unaware individuals might expose sensitive data, download malware, or contribute to data breaches, impacting both themselves and their organizations. Hence, understanding these vulnerabilities is crucial. Building security awareness through training, promoting healthy skepticism towards unsolicited messages, and implementing multi-factor authentication can help mitigate these risks. By recognizing our limitations and adopting responsible online behavior, we can navigate this digital landscape more safely.

</div>
<br>

# Economic Repercussions

<div style="text-align: justify">

When large organizations handle the data of millions of people, security becomes more than just a necessary investment; it becomes a priority. Throughout its history, cyberspace has experienced attacks that have resulted not only in the endangerment of data, but also in economic damage. Below are a few examples of cyberattacks that have occurred in recent history:

**Yahoo Data Breach**

One of the most well-known cyberattacks in history was the Yahoo data breach, which took place around 2012-2013. The Yahoo data breach settlement website states that their cybersecurity issues were prevalent from 2012 to 2016, while information started getting stolen during 2013. It is also mentioned that during 2014, hackers directly targeted Yahoo's user database, which affected around 500 million people. These hackers were able to obtain account details such as names, emails, addresses, passwords, and more. How did the hackers infiltrate a company as large as Yahoo? Apparently, all it took was one employee who clicked a malicious link. From there, the hackers were eventually able to work their way into the rest of the data (including confidential material). This small hiccup in their security cost them around $117.5 million in a settlement for the aforementioned incidents.
(Matthews, 2019)

**Genshin Impact's "Weak" Security**

In a more recent event, HoYoverse, developers of Genshin Impact, also suffered from a cyberattack around June 2023. A user leaked multiple confidential images which were directly tied to future content in the game's upcoming updates. These images primarily consisted of concept art which gave everyone a glimpse of upcoming characters and playable areas. This indirectly affects sales (especially for a gacha game), since players get a glimpse of future characters and can thus manage their in-game currency better. This leads to scenarios where players no longer feel FOMO (fear of missing out), since they already know who they want in future updates. The leaker called the company out for refusing to tighten their security, despite being a multimillion-dollar company. To put things into perspective, Genshin Impact generates millions upon millions in revenue with each major update due to its massive and still-growing fanbase. This incident goes to show that sometimes people become too complacent with their business without paying attention to or investing in their cybersecurity options, causing them to lose potential profit. (Orr, 2023)

</div>

# Unveiling Vulnerabilities and Solutions

<div style="text-align: justify">

To achieve effective human education and awareness regarding computer security, it is important to account for such cognitive biases so that people can evaluate information critically. A careful approach is required to avoid oversimplifying or neglecting key concepts due to heuristics.

**Balancing Security and Convenience**

<div style="text-align: center; margin-bottom: 20px;">
<img src="https://hackmd.io/_uploads/BJVXFdmj6.png" alt="balance">
</div>

While technical defenses are very important, human factors significantly impact computer security. Oversimplifying threats or neglecting key cognitive biases like heuristics can leave users vulnerable.
Effective communication and training programs become essential to bridging this gap. Structured training tailored to user roles and needs can educate employees on the necessity of robust security measures, reducing resistance and fostering a security-conscious culture (Know How, 2023). However, achieving this requires striking a balance between security and convenience.

**Continuous Improvement Through User Feedback**

<div style="text-align: center; margin-bottom: 20px;">
<img src="https://hackmd.io/_uploads/BJdrKdXj6.png" alt="education">
</div>

Complex security measures become counterproductive unless they are clear and convenient for users. User feedback becomes crucial in this context. Establishing a culture of continuous improvement allows for iterative adjustments based on user insights, aligning security requirements with user expectations. This can be achieved through methods like simulated phishing attacks that assess susceptibility and provide personalized feedback (Tschakert & Ngamsuriyaroj, 2019).

<div style="text-align: center; margin-bottom: 20px;">
<img src="https://hackmd.io/_uploads/SJ7PKdmoT.png" alt="example" style="height: auto;">
</div>

For instance, let's imagine a company with an intricate security system that meticulously safeguards cryptographic keys and sensitive information. While the system employs advanced encryption and multi-factor authentication, its complexity creates a challenge. Employees, aiming for streamlined and convenient work processes, are confronted with a complicated system. They seek efficiency and ease in their tasks, but the existing security measures present a convoluted process. Because of the complexity, people end up doing tasks outside of the standard procedures: employees resort to workarounds or shortcuts to navigate the intricate security system. This unintended consequence poses a real risk to the very information the system is designed to protect.
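As an added illustration (not from the original writeup) of how a simulated-phishing exercise turns into the personalized feedback and continuous-improvement loop described above, the following script scores a constructed event log from one campaign. The event log, department names, severity scale and feedback wording are all assumptions made for the example; the design choice worth noting is that reporting the message is tracked as its own positive outcome, so a user who clicked and then reported gets different feedback from one who clicked and stayed silent.

```python
"""Turning a simulated-phishing exercise into per-user feedback and programme
metrics. Added example; the event log below is constructed, not real data."""
from collections import defaultdict
from statistics import median

# Constructed event log for one campaign: (user, action, minutes after send).
# "reported" means the user forwarded the mail to the security team.
EVENTS = [
    ("ana", "opened", 3), ("ana", "reported", 5),
    ("ben", "opened", 10), ("ben", "clicked", 11), ("ben", "submitted", 12),
    ("cy", "opened", 30), ("cy", "clicked", 31), ("cy", "reported", 40),
    ("dee", "opened", 60),
    ("eli", "reported", 2),            # reported straight from the preview pane
    ("fay", "opened", 120), ("fay", "clicked", 125),
]
# Everyone who received the message, with department; "gus" never interacted.
RECIPIENTS = {"ana": "finance", "ben": "finance", "cy": "eng",
              "dee": "eng", "eli": "eng", "fay": "sales", "gus": "sales"}

# Ordered so that the most damaging action a user took is the one we keep.
SEVERITY = {"none": 0, "opened": 1, "clicked": 2, "submitted": 3}


def feedback(worst: str, reported: bool) -> str:
    """Personalised message keyed on the worst action and whether the user reported."""
    if worst == "submitted":
        return "entered credentials: rotate the password and review lookalike login pages"
    if worst == "clicked" and reported:
        return "clicked but then reported: good recovery, practise checking links first"
    if worst == "clicked":
        return "clicked the link: refresher on urgency cues and hovering over links"
    if reported:
        return "reported the message: this is exactly the behaviour the programme wants"
    return "no interaction: remind that reporting, not just ignoring, protects colleagues"


def summarise_users(events, recipients):
    """Collapse the event stream into one record per recipient."""
    worst = {user: "none" for user in recipients}
    reported_at = {}
    for user, action, minute in events:
        if action == "reported":
            reported_at[user] = min(minute, reported_at.get(user, minute))
        elif SEVERITY[action] > SEVERITY[worst[user]]:
            worst[user] = action
    return {
        user: {
            "dept": dept,
            "worst": worst[user],
            "reported_at": reported_at.get(user),
            "feedback": feedback(worst[user], user in reported_at),
        }
        for user, dept in recipients.items()
    }


def campaign_metrics(summary):
    """Programme-level numbers: click/submit/report rates and time to report."""
    total = len(summary)
    clicked = [s for s in summary.values() if SEVERITY[s["worst"]] >= SEVERITY["clicked"]]
    submitted = [s for s in summary.values() if s["worst"] == "submitted"]
    report_times = [s["reported_at"] for s in summary.values() if s["reported_at"] is not None]
    per_dept = defaultdict(lambda: [0, 0])   # dept -> [clicked, recipients]
    for s in summary.values():
        per_dept[s["dept"]][1] += 1
        if SEVERITY[s["worst"]] >= SEVERITY["clicked"]:
            per_dept[s["dept"]][0] += 1
    return {
        "click_rate": len(clicked) / total,
        "submit_rate": len(submitted) / total,
        "report_rate": len(report_times) / total,
        "median_minutes_to_report": median(report_times) if report_times else None,
        "dept_click_rate": {d: c / n for d, (c, n) in per_dept.items()},
    }


if __name__ == "__main__":
    summary = summarise_users(EVENTS, RECIPIENTS)
    for user, s in summary.items():
        print(f"{user:>4} ({s['dept']}): {s['feedback']}")
    print(campaign_metrics(summary))
```

Run across campaigns, the report rate and median time to report are the numbers that show whether the training loop is working; a falling click rate alone can simply mean people learned to ignore mail, which is not the behaviour that protects the organisation.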
**Staying Ahead of the Game**

While solutions like user-friendly designs and good training are solid steps in tackling the human factor in computer security, let's be real – is it really enough to beat these human-related challenges? Cyber threats are always changing, and people can still fall for tricks and manipulation. So, on top of good training, we've got to keep digging into how people think and keep updating our security game. It's like staying on top of the latest trends, but for computer safety. Plus, we need to make sure our security rules are always getting better. It's not just a one-time thing; it's an ongoing effort to stay sharp and ahead of the bad guys. So, while we're on the right track, it's a combo of staying smart, staying updated, and always being ready to adapt.

</div>

# Conclusion

<div style="text-align: justify">

Cyberspace allows us to tap into technologies that make data management and storage a seamless experience. Advancements in ensuring their security are being made each day. However, despite the rise of more robust algorithms and software, the risk that comes with our own humanity will never cease to exist. With that being said, it is important to take note of our own capacity for producing errors. We should keep an open mind and actively look to learn the tools and skills that help us exercise the utmost caution to prevent cyberattacks, data breaches, leaks, and more. Human errors will always exist, so it is in our best interest to do our best to mitigate them.

</div>

*References*

Anderson, R. (2019). Security engineering: A guide to building dependable distributed systems (3rd ed.). John Wiley & Sons.

CISA. (2023). Stop Ransomware. CISA (.gov). https://www.cisa.gov/stopransomware

Gupta, B. B., & Jain, A. K. (2020). Phishing attack detection using a search engine and heuristics-based technique. Journal of Information Technology Research (JITR).
https://www.igi-global.com/article/phishing-attack-detection-using-a-search-engine-and-heuristics-based-technique/249219

Hutchins, E. M., Cook, M., Jordan, J., & Farrell, A. (2017). Malware analysis tools and techniques. Manning Publications Co.

Know How. (2023, August 27). Security Awareness training. Implementation. https://www.linkedin.com/pulse/security-awareness-training-implementation-know-how-plus/

Matthews, K. (2019, October 7). IOTW: Multiple Yahoo data breaches across four years result in a $117.5 million settlement. Cyber Security Hub. https://www.cshub.com/attacks/articles/incident-of-the-week-multiple-yahoo-data-breaches-across-4-years-result-in-a-1175-million-settlement

National Institute of Standards and Technology. (2020). Special Publication 800-63-B Revision 2: Digital Identity Guidelines. National Institute of Standards and Technology.

Orr, J. (2023, June 20). Genshin Impact leaker calls out developer's weak security, clout chasers while dropping Fontaine details. Eurogamer.net. https://www.eurogamer.net/genshin-impact-leaker-calls-out-developers-weak-security-clout-chasers-fontaine-details

Purvis, M., Vu, K.-P. L., & Dwivedi, Y. (2017). User behaviour & social psychology in information security: A systematic literature review. ACM Computing Surveys, 50(4), 1-58.

Shute, S., Grasz, V., Egelman, S., & Schweitzer, M. (2018). Psychological manipulation on the web: The persuasive trust fallacy. In Proceedings of the 26th ACM Conference on Human Factors in Computing Systems (CHI '18) (pp. 1265-1272).

Talukder, S. (2020). Tools and techniques for malware detection and analysis. https://www2.cs.siu.edu/~stalukder/publications/Malware_Survey.pdf

Tschakert, K. F., & Ngamsuriyaroj, S. (2019). Effectiveness of and user preferences for security awareness training methodologies. Heliyon, 5(6), e02010. https://doi.org/10.1016/j.heliyon.2019.e02010

---