Andy Ulrich, Head of Security in North America at Ericsson, advised that technology isn’t the answer when it comes to phishing.
Ulrich began the closing keynote presentation at the 2016 Chief Information Security Officer Leadership Forum held on September 13 in Dallas by observing that new technology may not be the answer in cybersecurity. “We have to think about the human psychology part of all this,” he advised. “All technology can be bypassed, sometimes due to a vulnerability in the technology and sometimes by exploiting another vulnerability in the security chain, but in both cases, a human is involved. You can always bypass security using a human.”
There are the obvious security threats—nation states, criminal organizations, hacking groups, and lone wolves. But what about insiders? “There are evil insiders who want to do bad things; good employees who never make mistakes or the mistakes they make don’t matter; and good employees who make mistakes or become compromised. Most employees fall into the second category, but the dangerous category is the third one.”
Ulrich delineated what’s known about humans:
• They’re terrible at assessing risk, and risk perception changes rapidly even when risks don’t.
• They’re emotional and will act more quickly, without thinking, when feeling emotion.
• They’re hard to train—and minor, seemingly insignificant details matter.
Beyond technology, the three characteristics above must be addressed when designing a security program, stressed Ulrich.
These are the drivers of risk perception, according to Ulrich:
• Hostile intent/man-made vs. nature
• Spectacular/rare vs. common
• In the news vs. not
• New vs. old
• In one’s control vs. not
• Morally offensive vs. not
To emphasize the emotionality involved in perceived threats, he noted that the flu kills more people annually than domestic terrorist attacks, new infectious diseases, etc., but it rarely instills the fear these sensational “threats” do.
“Phishing is successful because people are emotional. This is the problem. That’s it,” stated Ulrich. Phishing generally exploits an emotional response using subject lines such as: “Your antivirus is out of date, your account is past due, major blast in capital city, your tax return is missing,” or “you have a package but we couldn’t deliver it.”
According to the Ars Technica website, half of people click anything sent to them, even after receiving anti-phishing training. A recent study conducted at Friedrich-Alexander University Erlangen-Nuremberg in Germany found that 78% of respondents claimed to be knowledgeable about the risks of clicking unknown links, yet when a phishing email addressed them by first name, 56% clicked anyway, “because they were curious.” Without the first name, the email click rate was around 20%.
“So how do we deal with emotion in cybersecurity?” asked Ulrich. “I do phishing training, and I don’t know how to measure its effectiveness. It generates metrics, but they aren’t really that much help, because every time we change the phish—which we need to do—we appeal to a different emotion than the previous phish. It’s very difficult to extract trends because of the variability,” said Ulrich.
Ulrich wrapped up his presentation with these key takeaways:
• Consider the human factor in security design.
• Expensive technology won’t keep out a determined attacker.
• Be skeptical of tech solutions.
• Focus on detection.
• Tackle the training problem.
“We need to figure out, as a community, how to stop people from clicking,” stated Ulrich.
ABOUT ANDY ULRICH:
As a young child, Andy Ulrich discovered and was delighted by the fact that, by simply pushing buttons on a telephone keypad, he could nearly instantly cause a random person half a world away to stand up and walk to their telephone. (His parents were not amused.) Thus began a lifelong interest in telecommunications and IT. His nearly 30 years of experience includes a career in the US Army, culminating in a role as the operations chief of NATO’s information security organization, and his most recent previous job as the CISO for MoneyGram. He currently heads the security program for Ericsson in North America from its headquarters in Plano, TX.