The Anatomy of a Human Breach w/Data Scientist and Behavioral Psychologist Margaret Cunningham Part 1 - Ep. 48
Data Scientist and Psychologist Margaret Cunningham breaks down the "human" factors of a cybersecurity breach.
Episode Table of Contents
- [1:37] Anatomy and Cybersecurity Breach
- [5:21] Cybersecurity Breach and Psychology
- [8:41] Understanding Cybersecurity Breach and Human Limitations
- [14:07] Inadvertent Cybersecurity Breach Versus Malicious Cybersecurity Breach
- [17:42] The Value of Training
Introducing Our Guest Margaret Cunningham
Arika: We have Margaret Cunningham of Forcepoint, who's a data scientist at Forcepoint. Hi Margaret.
Margaret: Hi, how are you?
Arika: Good, good. Thanks so much for joining us this week.
Margaret: Yeah, thanks. It's really great to be here. I'm excited.
Arika: Well, Margaret, we call this podcast To The Point because we like to jump right at it and get to it. So our topic today is one that I think is incredibly fascinating. We're going to talk about the anatomy of a human breach, and I know this is something that you have spoken on before and that you've done a lot of work in.
Anatomy and Cybersecurity Breach
Arika: So, I'm excited to learn more because I guess I've never thought about anatomy and the human breach, probably, in the same sentence.
Eric: To our listeners, don't Google anatomy and human breach together. You end up getting a lot of pictures of people in pants.
Arika: That's a good tidbit. Thank you. We'll include that-
Eric: Always trying to help out the audience, Arika.
Arika: In our show notes. So, Margaret, some of the things I've seen that you've said are essentially that we really must focus on the connection between technology and humans. And we can't ignore this. And so if we start to focus on people and in terms of their actions, and look at security and technology from that standpoint, that's when we'll start really advancing how security is looked at going forward.
Arika: Tell me a little bit more about that position, because that's not always the way some people would think about the development of new cybersecurity technologies and innovations.
Margaret: Yeah. And so, full disclosure, I'm a psychologist, and I really love talking about people, so of course this is my focus. But every single day, in our personal lives and our professional lives, we're pretty much connected to some sort of device that has access to our personal data, our company's data, everything honestly, even where we are. So, if we don't start thinking about security from the human, instead of in terms of, what are the boundaries of this organization, we're missing a whole landscape of opportunity, and an opportunity to understand better how to protect against all of the traditional things we're looking to protect against in cybersecurity.
The Fusion of Work, Personal Life, and Security
Eric: I agree. I mean if you go back 20, 30 years, work was at work, home was home, your personal life was at home. Maybe you'd bring some papers home, but nothing like today. Today when you wake up and get ready to go to work, assuming you don't work at home, you need your car keys, you need your identification, your money. You need your devices though. Your computer is typically a laptop these days. Your cell phone, which has access to everything. I mean it's really. The fusion of both work and your personal life is incredible. But security has to be there at the same time.
Margaret: Yeah. I think a lot about airports. Many of us travel for business and pleasure, and if you just look around an airport, you can see hundreds of organizations having their employees log on to free WiFi. And we're all there. We're representing a global market at gate five.
Eric: Really the new office.
Arika: That's interesting. It's almost like it's a warehouse of all these individual companies plugging away. I've never thought about it like that.
Eric: But think about the vulnerabilities now, at the human level. Everybody's connected, everybody's working. People can look over your shoulder, they can access your systems, potentially. You're rushed, you're busy, you're probably stressed. You get an email and you may click on it regardless of what it says without even thinking, because you're thinking about your flight reschedule, you're thinking about missing a flight. Do I have time to eat? It's really accelerated the pace of business, but also the risk from a cybersecurity perspective.
Cybersecurity Breach and Psychology
Margaret: Yeah, and a lot of times companies say, "Well, we need to deal with negligent people on our network." And what's funny is, everybody's negligent sometimes. No one's perfect. Even though I know quite a bit about cybersecurity, I love this field, I'm in it, you are as well. However, we still make mistakes, because we cannot perfectly pay attention. We cannot perfectly remember all of the rules, and we don't always perceive what we're looking at as fraudulent or wrong. It seems real in the moment, from your handheld device. So we can have as much training and awareness as we get, which is hours per year for many organizations, but we still make mistakes because we're people.
Arika: And that's interesting, because I think especially with you being a psychologist, which I really want to know how a psychologist gets into cybersecurity, but I'll save that for the end. But I think about the day and age that we live in. I mean, we all are going a mile a minute. We're getting constant emails, text messages. Our attention spans are just extremely, extremely short. And I do believe as well, when it comes to security, I think we live, some of us live, in this safe zone where we assume, while my company has all of these firewalls and all of these protections in place, so when I get that email where it says...
Arika: I actually just got one last week through my company email that said something to the effect of, your Microsoft 365 account needs to be verified. And I clicked the link because it sounded legit.
An Accidental Click
Arika: And then probably an hour later there was an email that was sent out saying there was some of these emails that are going around, and do not click, under any circumstances. And I was like-
Eric: Did you tell anybody you clicked?
Arika: I didn't actually. Should have.
Eric: You didn't tell anybody?
Arika: Well they just said to go back and delete it, and then delete it out of your trash, so I did follow that. But I figured...
Eric: But you clicked the email link.
Arika: Well nothing happened, anyway, that I know of. Okay, I'll tell them today. But my whole point-
Eric: Arika, can we make a deal on air right now, that you'll go and tell IT?
Arika: I will.
Eric: That you clicked the link. It's okay. They'd rather know. But I think this brings up a good point, Margaret. Here we have a human, highly educated, in the business, understands, accidentally clicked the link. Knows she clicked the link. Arika, I hate to make the case on you here.
Arika: Can I say one thing in my defense, actually? I clicked the link from my cell phone, not from my computer.
Eric: So that's better?
Margaret: I got to tell you, so I've been asking this question when I do a talk on human error and usually I'm giving it to a room of people who are either experts in cybersecurity or very interested and I say, "Raise your hand if you've gone through phishing training or any other type of accidental clicking training and warnings." Everyone raises their hand.
Eric: Hold on, Margaret. I'm going to pause you for one sec. Arika, how many times have you gone through that training? I've got a couple of dozen myself.
Understanding Cybersecurity Breach and Human Limitations
Arika: Yeah, no, I've been through it. I actually went through it just very recently, since I'm at a new organization, so...
Eric: Back to you Margaret.
Margaret: So, you get the whole sea of hands in the air. Of course, I've done that training, weird psychologist lady. And then I say, "Can anyone in this room raise their hand and say they've never clicked on the wrong thing?" No one, not one room of people has had a single person raise their hand. And these are people who obviously did the training and I did it at a cybersecurity summit and no one could raise their hand and say, "Yeah, I've never made that mistake." So this is beyond training. It's beyond a lot of things. It's so much more about understanding humanness and what the limitations of our performance can be.
Eric: Talk a little more about that. The limitations of our performance.
Eric: What do you mean?
Margaret: So, technically speaking, one of the other things that we get a lot of in cybersecurity is tons of alerts and alarms, a lot of false positives, especially if you talk to security analysts. And what's very interesting is people can only respond to a maximum of five to seven alerts at a time. And that's only if they're visual. So, we have these limited cognitive capabilities. We can only pay attention to a certain number of things at a time. Our memory can only hold a certain number of things at a time. Think about how hard it is to remember more than a phone number. And even then, with the phone number, we're going, "Five one two", and we repeat it and repeat it and repeat it, because we're limited.
Getting to the Root Cause
Eric: That's me.
Margaret: You've got a lot of limitations, I hear.
Eric: I have so many. We'll get my family on board one day for the podcast. That would be great. [inaudible 00:10:52] I will be saying, let's get to the point.
Margaret: Yeah, so it's just one of those things where if we can understand what our limitations are, we can better create environments that promote human performance and promote secure, safe behavior, because we know when it's too much.
Eric: Arika, when you clicked on that link-
Arika: Back to me, gosh.
Eric: I hate to make [inaudible 00:11:13], but it's a great example. What else were you doing? What were you thinking about? What was going on?
Arika: Oh, I mean it was the middle of the-
Eric: Because you're highly educated, we know this, right? We know you're very intelligent. Yet you still clicked it. What else was going on?
Arika: Well, to be honest with you, I was at my computer. But the way I work, which is the way many of us work, is that we have our cell phone right next to us. We're working on something on our computer as well. So, sometimes I handle all of my email via my cell phone because I'm working on a document and then I'll jump on sometimes if it's something that requires a longer response, but I'm switching between, PowerPoint, Excel, whatever, all of these different things. I may even have been on a conference call at the same time, for all I know. So, there were multiple things happening at the same time. And so, I was just, was my typical micro-
Eric: You were busy.
Arika: Yeah. You know, multiple, not micromanaging, but managing too many things at one time.
The Correlation of Multitasking and Human Breach
Margaret: Yeah. And a lot of different types of professions, take emergency physicians, they do a lot of tasks with switching and multitasking. And what we found in that area of research, for health care, for instance, the more times you multitask within a minute, the more likely you are to make a mistake. So it's the same for us. It's the same for everyone. We have limits to what we can do and do without error.
Eric: What do we do about it, Margaret? [crosstalk 00:12:54] I mean, you read about all of the ransomware attacks that have been hitting the United States cities, counties. They don't have the biggest budgets. They don't have the most security. It's usually a user that clicks on a phishing link. It's usually a user who's a longtime employee. Maybe not computer savvy, but I haven't read of one scenario where that user was found to be guilty of intent, right? All accidental clicks. Yet we do it and people make a lot of money. What do we do as a community? How do we fix this?
Margaret: It's going to be really, really hard to fix it perfectly. That said, we can start using some of our more advanced analytics to understand when people are more prone to making these types of mistakes. So say you have 85 different apps open, you're doing a ton of things on your computer or you're also trying to respond to an email, and that email is potentially from a unique sender. What can we do to highlight that, even in the interface, to show that it's a riskier email? Those are things that we can start working on.
Inadvertent Cybersecurity Breach versus Malicious Cybersecurity Breach
Margaret: But it's very, very complicated to really effectively deal with that. However, on the other side, when we observe somebody making this type of mistake, because we can understand the context around their behavior of clicking the link or visiting a strange site, we can start more quickly understanding that they've done that in error. Like it's a weird thing that they've done and that can help us sort out an inadvertent mistake versus a malicious action more quickly, which is one really nice thing.
Eric: So whether intentional or unintentional, really doesn't matter, is what you're saying.
Margaret: In a way it does matter because a lot of the mistakes that people make can create issues with compromised credentials, and if we understand that the person's credentials are compromised because of a mistake, that's better than somebody engaging in malicious behaviors through their own true credentials, if that makes any sense.
Eric: No, fully understand that-
Margaret: Yeah, we can separate that out.
Eric: But what I'm saying is, the tipping or the alerting piece, figuring out that something has happened that is inappropriate on a corporate network. Very similar, right. We can detect the behavior that isn't intentional, or even if it is intentional, it's similar behavior.
Eric: Okay. I like the simple answer. Arika?
Eric: I got the yes.
Arika: Well, and I know we've actually, the time has flown by today. I just wanted to say one thing in my defense. About two weeks after I received that email, I received another email and this one, I'm trying to recall how it was worded.
Learning From Past Mistakes
Arika: But because I had just received the one about the Microsoft 365, that wasn't indeed a phishing email, I did not click on the link in the email that came two weeks later. And then we did get later a security notice saying that there was another sort of phishing scheme going out. So, I do think when we talk about even the psychology and looking into why it is that we make errors, I think when they're identified and we do realize that we have made them, depending on the timing of them, right, it can help us to then think twice about it when it happens the next time.
Eric: So recognizing that an error was made, made you more cautious in the future.
Eric: We need a psychologist.
Margaret: I'm going to qualify that with... It's probably going to be a temporary heightened awareness.
Eric: And I'm going to qualify it with it may even be too late. [inaudible 00:17:02]
Arika: Margaret, I've got a few other things to ask you. I know we're actually running close to time, so I'm going to say let's continue this conversation so we can pick it back up for our next episode. But I wanted to talk more about how do we then get humans to make the right decision, tend to pay attention and really, what are some very actionable things like organizations, government, can be doing in order to really take this with sort of maybe a next level approach to security.
Margaret: Yeah, that sounds great.
Eric: That'd be awesome. Before we go, one last question for you Margaret.
The Value of Training
Eric: The training we do. Have you measured it? Is there a certain level of training that is worthwhile and then anything after that is just wasted time?
Margaret: So, I have to say that training is better than nothing.
Margaret: However, it is not going to solve the problem at any volume or any level of creativity, even though trainings have become a little bit more fun. We're still imperfect little creatures and we're going to make mistakes.
Eric: Yeah, we are. Okay, Arika, with that, I do disagree that the training is in any way, shape or form fine. I will turn it back to you.
Arika: It's definitely not fun. Great, well, thank you Margaret for part one of this episode and let's continue the conversation next week. So, thanks to everyone for listening this week. We appreciate it. Please let us know what you think in the podcast. Please definitely rate us. Send us a note if you want us to talk about something specific. And again, thank you as always for tuning into To The Point Cybersecurity.