# Human Factors in Computer Security
*by Justine N. Gudito & Sam Bondj A. Tupa*

*Generated with AI*
Computer security is vital in today's digital era. It focuses on safeguarding computer systems, and the people who use them, from unauthorized access so that confidentiality is preserved at a time when cyberattacks and data breaches are proliferating. It also helps prevent harm and maintains the integrity of the information that systems process and store. Many aspects of computer security are technical, such as encryption algorithms and firewalls. While these elements are important, another equally crucial aspect is often overlooked: the human factor. Human factors in computer security encompass the influence of human behavior, psychology, and interactions on the security of a system. They can greatly affect the efficacy of security measures and the susceptibility of systems to cyber threats.
### Humans as the Weakest Link

To Err is Human…
This phrase encapsulates the idea that making mistakes is a natural part of being human. It reminds people to be compassionate toward others' errors and to recognize fallibility as a learning experience. In the context of computer security, however, fallibility poses a threat to the integrity and confidentiality of data and systems. A single error can result in devastating consequences such as data breaches, financial losses, and damage to an organization's reputation. Thus, it is easy to label humans as the weakest link in computer security.
Furthermore, computers do not "think" or "act" on their own. They rely on the algorithms written by the people behind them and on users' input to achieve their intended purpose. Even when a computer system or piece of software is flawed by design, its behavior remains logical and predictable, as evidenced by the many security vulnerabilities that have been reliably exploited and the attacks mounted against them. The same cannot be said of humans. Humans are complex beings who think for themselves and make decisions that are sometimes rational and sometimes irrational.
### Convenience Over Security
*Wagner et al. (2023)* state that "Users prioritize convenience; if a security system is difficult to use and not user-friendly, regardless of its level of security, it will go unused. Users will seek ways to bypass security systems if it simplifies their lives." This highlights the common dilemma of balancing security with convenience. Strong security measures can be challenging for users to navigate, especially complex authentication systems and numerous procedural requirements, leading to frustration and a desire to circumvent them.
The preference for convenience among users stems from several factors. First, many users lack awareness of the risks and consequences associated with insecure systems or practices. Some underestimate the likelihood or severity of cyberattacks, while others lack the knowledge needed to safeguard themselves and their data. Additionally, some users harbor a false sense of security, placing unwavering trust in the system.
For example, consider a website that requires users to create and remember complex passwords or to re-authenticate frequently. Frustrated users may seek ways around these measures, inadvertently creating vulnerabilities. The complexity of a security system therefore plays a crucial role: security systems must be designed to be easily comprehensible and user-friendly.
Moreover, users prioritize efficiency and tend to choose the quickest way to complete a task. When a security process is perceived as time-consuming, users may resort to shortcuts or workarounds, even at the expense of security. Security systems must therefore strike a balance between usability and protection. Otherwise, users may disregard security measures altogether, heightening the risk of breaches.
### Social Engineering
Aside from the preference for convenience, another cause of security breaches is social engineering attacks and scams. Social engineering refers to exploiting a person's psychological vulnerabilities so that they hand attackers sensitive credentials or otherwise grant unauthorized access to protected systems. This kind of attack is difficult to detect and prevent because it relies on human-to-human interaction rather than on technical vulnerabilities in a system.
At their core, social engineering attacks rely on emotional manipulation, exploitation of trust, and a false sense of urgency. In most such interactions, the person being manipulated is unaware that they are being psychologically attacked. Attackers prey on subconscious cognitive biases and emotional responses, which makes these attacks difficult to recognize in the moment.
Attacks come in many forms; the most common types of social engineering include phishing, baiting, and pretexting. Phishing involves deceptive emails, messages, or websites designed to trick individuals into revealing personal information or downloading malware. A shared experience among Filipinos is receiving emails or texts purportedly from local banks such as BDO or BPI that request urgent verification of account details because of supposed security concerns. These messages often contain links to fake login pages designed to steal users' credentials, leading to unauthorized access to their bank accounts. Baiting, similarly, exploits the desire for gain by offering enticing rewards or freebies *(I mean, who doesn't LOVE exclusive discounts or freebies? Especially when they come from a "non-suspicious" advertisement, I might add).*
Pretexting is where attackers fabricate false scenarios to manipulate individuals into disclosing sensitive data. For instance, someone posing as a customer service representative may contact unsuspecting customers, claiming to resolve billing issues or offering exclusive promotions, while extracting sensitive personal information for fraudulent purposes. Although these three examples cover only the psychological manipulation side of social engineering, attackers also use other means to deceive individuals and breach security measures. One example is studying a target's digital footprint, from which attackers can glean their interests and preferences to craft highly personalized and more convincing social engineering attacks.
Overall, given the current generation's familiarity with technology and experience in dealing with scammers, it seems unlikely that anyone would fall for these techniques. Unfortunately, there will always be someone who falls victim to such attacks, whether through carelessness or a lack of awareness and understanding.
### Level of Human Understanding
The level of user understanding significantly affects computer security as a whole (*Cano, 2019*). Understanding means not only knowing what to do but also knowing why it is necessary: not just creating strong passwords, but comprehending the consequences of failing to do so. Such understanding can make users more cautious about their online behavior, particularly the data they share, and help them make more informed security decisions.
Numerous incidents have occurred because of a lack of awareness and understanding. In the Philippines, for instance, there has been a surge in scam messages sent to individuals' phone numbers from unknown sources (*The Freeman, 2023*). Despite widespread awareness of such scams, many still mindlessly click on embedded links without comprehending the risks involved. This has resulted in identity theft, financial losses such as those involving GCash, and other harm.
Individuals with a low level of understanding of computer security are more susceptible to cyber threats. They are more likely to engage in risky behaviors that compromise their information and the security of their devices, making them prone to attacks such as phishing. Conversely, individuals with a high level of understanding are better equipped to protect themselves. They are more vigilant in detecting suspicious activity, implementing security measures, and staying informed about security trends and best practices.
### Mitigation
Given the discussion above, it is evident that addressing the risks associated with human factors in computer security is crucial. First, raising awareness through education helps users understand security risks and adopt safer practices; this can involve training sessions, social media campaigns, or educational programs in schools and communities (*Quarrie, 2020*). Second, developers should prioritize user-friendly solutions that balance security and convenience, for example by simplifying authentication processes or improving user interfaces (*Scalzo, 2024*). Additionally, organizations need to implement strict policies against social engineering attacks, including company-wide policies, employee training, and effective technological safeguards (*IANS Faculty, 2022*). These measures are essential for protecting against cyber threats in today's interconnected digital environment.
### Conclusions
In conclusion, human factors in computer security are a persistent dilemma that makes humans the weakest link. Humans are prone to mistakes and susceptible to manipulation. Moreover, the preference for convenience over security, coupled with the effectiveness of social engineering, further exacerbates these vulnerabilities.
Although human fallibility cannot be fixed, addressing human factors is imperative for improving overall security. This can be achieved through comprehensive education and awareness programs that highlight the importance of cybersecurity practices and the consequences of negligence. Additionally, the development of user-friendly solutions, coupled with strict organizational policies and protocols, can help mitigate the risks associated with human vulnerabilities.
### *References*
*1. Cano, J. (2019, October 9). [The human factor in information security](https://www.isaca.org/resources/isaca-journal/issues/2019/volume-5/the-human-factor-in-information-security). ISACA.*
*2. IANS Faculty. (2022, May 31). [How to prevent and mitigate social engineering attacks](https://www.iansresearch.com/resources/all-blogs/post/security-blog/2022/05/31/how-to-prevent-and-mitigate-social-engineering-attacks). IANS.*
*3. Alert Logic. (2024). [What is social engineering?](https://www.alertlogic.com/blog/what-is-social-engineering/) Alert Logic.*
*4. Quarrie, N. (2020, September 3). [Cybersecurity in Education: What teachers, parents and students should know](https://bootcamp.berkeley.edu/blog/cybersecurity-in-education-what-teachers-parents-and-students-should-know/). Berkeley Boot Camps.*
*5. Scalzo, C. (2024, February 6). [Balancing convenience and security controls: Key strategies](https://www.onlinecomputers.com/2024/01/balancing-convenience-and-security-controls-key-strategies/). Online Computers.*
*6. The Freeman. (2023, August 4). [Still there are scam texts](https://www.philstar.com/the-freeman/opinion/2023/08/05/2286414/still-there-are-scam-texts). Philstar.com.*
*7. Wagner, D., Weaver, N., Kao, P., Shakir, F., Law, A., & Ngai, N. (2023). [CS 161: Computer Security](https://textbook.cs161.org/). UC Berkeley.*