At the recent NCSC One cybersecurity conference in The Hague it was on the big screen again: “people are the weakest link”! It appeared that users especially are fools who click on any link they can get their mouse on, connect their devices to any open Wi-Fi and in general don’t understand the slightest bit (or byte) about the delicate digital world. They make that world an unsafe place with their curiosity, greed, lack of knowledge and laziness. Hey, even hackers use bad passwords!
Having worked in information security for quite a while, I tended to agree with the statement, but with a certain amount of uncertainty. Why are there so many other drivers of vulnerability in cybersecurity? Think of the many structural weaknesses in all layers of ICT and the increasing complexity of individual ICT components and of ICT environments as a whole! Who is to say which is the weakest link of them all? And more problematic: if users are indeed the weakest link – and we have been saying that for quite a while – why haven’t we found a way to deal with that? People still are curious, greedy, unknowing and lazy. Ok, sometimes…
A thought then struck me and it stayed with me: users are people. People have evolved only slightly in the last seventy years. ICT, on the other hand, has evolved tremendously in this period! Could it be that we – especially the ICT industry – have developed all kinds of technology that do not go well with known vulnerable human behaviour?
It would be interesting to see how we could make the use of ICT more secure by following the course of action of ordinary users. What would Pete or Maria do? Click on the hyperlink in the email message that interests them? Sounds pretty normal, but we don’t want Pete (nor Maria) to wander into a watering hole or drive-by-download website and infect our network. Can we prevent them from clicking? No, most probably not. People just do that, even security-savvy people. So the only real solution seems to be to eliminate the possibility that a normal activity like clicking on a link causes danger for the user’s system or anyone else’s. This is probably a technological intervention.
Easily said of course, but that really is a big one… Seen in its full extent, that would imply cleaning up whole stacks of ICT, not just blocking JavaScript or patching up every week. That is a (too) huge challenge, as there is so much to fix: from not-exactly-100%-secure Internet protocols to information-leaking apps. Apparently it is in the design, development and maintenance of ICT that things can be done better.
That brings up a second thought: does this mean that we ICT (security) professionals are the real weakest link?
More on how to use user behaviour in a more positive way in the next blog!