Cyber security is an important issue that affects everyone. Governments, businesses, and individuals all need to be aware of the dangers and take steps to protect themselves. Historically, cybersecurity practices focus on technology or the technical aspects of cybersecurity. Security engineers work on reducing vulnerabilities across systems, codes, and applications. But cybersecurity is much bigger than just machines; it is a socio-technical problem involving complex interactions between humans, society, and technology.
According to the Computing Research Association’s Computing Community Consortium (CCC), “a socio-technical approach to cybersecurity recognizes that the science and technology deployed to protect and defend our information and critical infrastructure must consider human, social, organizational, economic and technical factors, as well as the complex interaction among them, in the creation, maintenance, and operation of our systems and infrastructure.”
Why technology is not our weakest link
Over the ages, technology has evolved to protect every aspect of our digital world. Parallelly, threat actors have evolved in their ploys to exploit vulnerabilities. Creating a safe and effective community is a complex process that requires an understanding of both the technical and social dimensions of information security. A sociotechnical approach to cyber security offers the potential to deliver security that works in the real world, by taking account of the social and technical factors that affect people’s behavior and the way technology is used.
Understanding and implementing a socio-technical system for cybersecurity is a work in progress. To this effect, the National Cyber Security Centre (NCSC) has published a sociotechnical problem book. Their Sociotechnical Security Group (StSG) team is dedicated to helping people and organizations make better cybersecurity decisions. Anyone can contribute to the nine socio-technical challenges highlighted in the document:
- How can we incorporate cybersecurity into business decision-making?
- How do we gather, analyse, and apply cybersecurity data to best effect?
- How can an organization survive a cyber breach more effectively?
- How can security contribute positively to an organization’s culture?
- How can we understand security in complex interconnected systems?
- How can we engineer systems with both security and usability in mind?
- How can we reason effectively about cyber risk in conditions of uncertainty?
- How can we support individuals to be secure in their daily digital lives?
- How can incentives and interventions be used effectively to improve cybersecurity?
To even begin answering the questions, we must first understand the factors that control our socio-technical systems, namely:
- People – From social engineering to insider attacks to plain human carelessness – the most frequent attacks are those involving human vulnerabilities. According to the 2022 Cost of Insider Threats Global Report, a negligent employee is the root cause of most incidents (56%) and the costliest ($15.4 Mn annually).
- Processes and tools – Cybersecurity processes or tools are a double-edged sword. While on one hand, the security tools secure organizational data, on the other, it tends to slow down operations and also decrease usability. Some organizations might adopt user-friendly security procedures over stronger policies. For example, a physical key or an online password for login instead of a biometrics system.
- Organizational policies – Every organization has some form of security policy and procedures in place. At the same time, failure of organization procedures is a commonality. This could be due to employees not following all the rules or even poorly designed procedures. Why is that so? Leaders would need to assess their policies and see what is missing. – Are we not effectively communicating our security policies? Are these policies enforced successfully? According to HBR, “a cyber-aware culture starts at the top”. From CISOs to CFOs, the priority is to ingrain security right from the top management and communicate the same across the organization.
- Technology – The evolution of technology is a double-edged sword for the industry. While emerging technology like artificial intelligence (AI), Internet of Things (IoT), and machine learning are redefining the business landscape, the same technologies also allow hackers to exploit system vulnerabilities. This game of chess is all about staying one step ahead by preparing against anticipated threats. Investing in new/advanced technologies, such as cloud-based security, is one way. But proper deployment requires a holistic process and a comprehensive governance policy that consolidates tools, workflows, and processes. CISOs must ask if they are leveraging technology appropriately. The end results of cybersecurity technology must be to reduce complexity, improve process productivity, and enhance threat detection.
Only by understanding how these different factors interact can we hope to create a resilient security system for our organizations. However, this approach is not without its challenges. Experts warn of advanced persistent threat (APT) as the biggest threat to implementing sociotechnical systems. APT is notorious for being stealthy and repeatedly exploiting vulnerabilities from within the network or through social engineering attack vectors. These highly targeted attacks are goal-oriented and relentless in their pursuit of stealing data and/or compromising information systems. For instance, Russian state-sponsored actors are known to exploit system vulnerabilities that go as far back as 2004, with Fancy Bear affecting Microsoft, Adobe, and Oracle systems. APT is also a huge threat in the healthcare sector. Their damaging impact can be seen as APT actors took to exploiting healthcare systems during the COVID-19 pandemic.
There is a gap between what our information security policies tell us to do and what multiple stakeholders actually do. Understanding the complex socio-technical systems requires effective artificial intelligence models and simulations to help organizations design, build, and implement better security systems. These tools would need to address the various facets of social dynamics and interrelate with technical components.