[BreachExchange] How can online behaviour guide the future of security?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 17 16:25:31 EDT 2016


http://techcitynews.com/2016/06/17/can-psychology-online-behaviour-guide-future-security/

We are constantly hearing that consumers are the weak link in security.
According to PwC, 50% of the worst breaches within enterprises last year
were as a result of inadvertent human error, and the figure is of course
far higher for personal online fraud.

Cyber criminals are well aware of the opportunity this security
vulnerability presents them with and are becoming smarter at taking
advantage of it. According to a report published this month, online scams
have rocketed 53% in the last three years, in Britain alone.

The simple response to this appears to be further education for consumers –
let them know the risks they face online and encourage them to follow
strict online practices. However, this of course has been attempted many
times over, with relatively little success.

There are a number of initiatives devised to encourage consumers to take
online security more seriously. The UK government’s ‘Get Safe Online’
initiative offers practical advice, including ensuring authentication
details are not shared with others, frequently changing log-in details and
using strong or complex passwords. In fact, as a society, we feel we have
all the education we need regarding online security – 80% of us believe
that we can stay safe online, according to Ofcom.

We recently launched a study into the psychology of our online behaviour,
to help us to uncover just that. What was abundantly clear was that we
would be wrong to assume that our habits online are a sign that we don’t
care about our online personal data – 90% of us admit that we would feel
‘upset’ if a stranger gained access to our digital data, including online
banking details and social media details.

We identified some of the key online behaviour traits we display on a
regular basis: Just 29% of us always choose to log out when given the
option to ‘stay logged-in’ online. This was a lot lower among 18-24
year-olds (9%). Our research also found that some 37% of us have shared our
online log-in details with a friend or partner and that 10% have even
shared online banking credentials.

The convenience factor

The convenience factor stood out as a key driver of this behaviour.

We choose to complete many of our daily tasks online (whether that’s
messaging, shopping, banking, posting photos) precisely because we want the
ease, speed and friction-free experience of using a digital device over a
paper trail or physical interaction.

Multiple log-ins and authentication hurdles are simply a frustrating
barrier to the end goal.

Online behavioural psychologist Nathalie Nahai helped us to explain the
psychology behind this behaviour: “Our behaviours don’t always match up
with our beliefs, and although we are attached to our online identities and
believe that it’s important to protect them, the reality is that the effort
can feel too great.

“Every action we take requires cognitive effort, and those that are more
complex (such as remembering site-specific passwords) are also more
mentally taxing. This is why we often take shortcuts,” she said.

What are the risks?

Our study uncovered just how easy it can be to take advantage of lax
security practices.

More than one in 10 of us has taken a peek at our friends’ ‘logged-in’
online accounts, including email, Facebook and WhatsApp – without our
friend’s permission.

We even admit to posting content, changing information and messaging
contacts, all under the guise of someone else.

This identifies a clear flaw in the security processes involved with a
number of our daily digital interactions.

If the legitimate user has confirmed that they are who they say they are at
point of log-in, imposters (friendly or otherwise) are able to pretend to
be the legitimate user by gaining access during the session.

Time to re-think security

We know full well that sharing passwords is bad practice, but when we’re
trying to pay a friend back for dinner, while sitting on a train and
simultaneously eating our lunch, our focus on security tends to slip.

Clearly, placing the burden of safeguarding data on the individual isn’t
working. It’s time that digital service providers took the reins. If their
business models are focused on streamlined, easy access to services, they
need to build in security processes that enable this.

Behavioural biometrics is an example of ‘new era’ security, which fits
around the reality of how we operate online. Analysing our unique
behaviour, including the angle at which we hold our devices, our typing
speed and pressure, this technology is able to identify whether the person
is who they say they are throughout the duration of the session, not just
at point of log-in.

An outsider may hold the authentication details of the legitimate user, but
the machine learning model can recognise that the person at the keyboard
displays different behaviour from the enrolled user, and mark them as an
imposter.
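As an added illustration of the session-long checking described above (this is constructed example code, not the article's or any vendor's product), the snippet below learns a simple per-user profile of keystroke behaviour and scores later windows of the same session against it, flagging the first window that drifts too far from the enrolled user. The feature set (key hold time, inter-key interval, touch pressure), the samples and the threshold are all assumptions.

```python
# Added example (not from the article): a toy continuous-authentication check
# on keystroke dynamics. Feature vectors are (key hold time ms, inter-key
# interval ms, touch pressure 0-1); all values below are constructed.
from statistics import mean, pstdev

# Hypothetical enrollment samples captured from the legitimate user.
ENROLLMENT = [
    (95, 180, 0.42), (102, 170, 0.45), (88, 195, 0.40), (110, 160, 0.44),
    (97, 185, 0.43), (104, 175, 0.41), (92, 190, 0.46), (99, 178, 0.42),
]
# Two windows captured later in the same session: the first from the user,
# the second after someone else picked up the unlocked device (constructed).
GENUINE_WINDOW = [(100, 182, 0.43), (94, 176, 0.44), (103, 188, 0.41)]
IMPOSTER_WINDOW = [(60, 320, 0.75), (55, 340, 0.78), (65, 310, 0.72)]


def build_profile(samples):
    """Per-feature (mean, std dev) learned from enrollment samples."""
    return [(mean(col), max(pstdev(col), 1e-6)) for col in zip(*samples)]


def window_score(profile, window):
    """Mean absolute z-score of a window's feature averages against the
    profile; small values mean the behaviour matches the enrolled user."""
    zs = [abs(mean(col) - mu) / sd for col, (mu, sd) in zip(zip(*window), profile)]
    return sum(zs) / len(zs)


def check_session(profile, windows, threshold=3.0):
    """Score each window of a live session in order. Return the index of the
    first window whose score exceeds the threshold (where a provider would
    step up authentication or end the session), or None if the whole session
    stays consistent with the enrolled user."""
    for i, window in enumerate(windows):
        if window_score(profile, window) > threshold:
            return i
    return None


PROFILE = build_profile(ENROLLMENT)

if __name__ == "__main__":
    for name, w in (("genuine", GENUINE_WINDOW), ("imposter", IMPOSTER_WINDOW)):
        print(f"{name}: score={window_score(PROFILE, w):.2f}")
    print("first flagged window:", check_session(PROFILE, [GENUINE_WINDOW, IMPOSTER_WINDOW]))
```

A real deployment would use many more features and a trained model rather than a z-score, but the structure is the same: a decision on every window, not only at log-in.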

We choose to take security risks online in spite of cyber security
education and guidelines, not because of a lack of them. Digital
providers should use our unique online behaviour to their advantage, rather
than maintaining the unrealistic expectation that we will each conform to
idealistic, uniform behaviour.