How do hackers manage to breach IT systems so often? M&S and Harrods are just two of the companies whose IT systems have been hacked over the past month. Paul Ryder and Steve McKenna write that a major cause of cyberattacks is human/employee negligence, often in public spaces.
As early as 2006, the Australian government’s Institute of Criminology published a report on “Mobile and wireless technologies: security and risk factors”, foreseeing the issues and risks that would increasingly arise from the use of mobile technologies. Today cybersecurity is a regular feature of the daily news. Over the last month M&S and Harrods’ systems have been hacked and the issue of identity theft is an ongoing problem, reflected in TV advertising campaigns in Australia. Furthermore, it is agreed that a major cause of cyberattacks come from human/employee negligence, often in public spaces. The extent of the issue in Australia is captured in a recent report by the Australian Cyber Security Centre.
“Professional” hackers often find ways into systems because of outdated software and systems and phishing attacks, using fake emails that appear to be from credible sources. This can be facilitated by negligent employee and personal behaviours, which leads to a concern about the behavioural dimensions of cybersecurity. How, for example, does an individual’s or groups actions compromise security in daily life?
Think of this example: you are waiting for a flight in an airport refreshment area and, before going through security, you fancy a coffee. You sit down, plug your mobile in for charging, open your laptop, log in and then wander off to get your drink. How many millions of travellers, business and otherwise, do this daily?
Shoulder-surfing
With respect to individual actions, cybersecurity may be related to human error, negligence or intention. It may also relate to forgetfulness and risky behaviours, such as leaving laptops and mobile phones open and unattended which leaves them open to theft, not using a password and using compromised USB ports and unsecured wireless networks in public spaces, auto-connecting on open networks, sharing passwords openly.
Risky or casual behaviours with respect to cybersecurity will also be linked to context and environment. How, for example, do people behave in different locations, in congested and crowded places/spaces, and/or when they are travelling with work colleagues and others? What do people do when they are subject to environmental stressors, for example, travelling with children, dealing with travel documents and baggage? In such environments, people may act in riskier ways unintentionally and be subject to so-called “shoulder-surfing”.
Crowded airport cybersecurity
Using a rapid ethnography observational approach, we investigated the question, “how does the level of passenger congestion and the size of a travelling group influence travellers’ cybersecurity behaviours in a refreshment area of an international airport?”
We conducted non-participant observations in an airport’s refreshment area over three four-hour sessions, recording environmental conditions and traveller behaviours related to real-world cybersecurity decisions. The data was collected over 48 observational blocks of 15 minutes.
We observed behaviours such as leaving devices charging unattended, sharing pin verbally, leaving device bags unattended, closing device lids when cleaners are present and so on. Over 300 observations were distilled to 39 key behaviours that reflected negligent actions compromising cybersecurity, risky network practices and poor identity management. Positive behaviours were also observed.
Alone or in a group
We were also interested in cybersecurity behaviours in relation to solo/group travellers and the degree of congestion in the area under observation. We made notes on the differential behaviour of solo and group travellers and their cybersecurity behaviours when the area under scrutiny was more/less congested.
Our analysis revealed that there were several notable differences in cybersecurity behaviours depending on the size of the group in the observation area. For example, those alone tended to be the most cybersecurity-conscious in the use of mobile device hotspots and in environmental awareness.
Couples showed some security awareness, with one always attending mobile devices and laptops. However, we observed that couples also shared confidential information such as passwords and PINs openly and verbally in situations where they were next to strangers.
In our observations, larger groups were the least cybersecure: members seemed to assume that if they went to visit the restroom or get refreshment, others would automatically look after their devices. This “security in numbers” idea didn’t always turn out to be the case.
People flow
In an airport refreshment area, the flow of people can change dramatically in a short period of time, particularly when several flights are leaving in quick succession. A kind of panic can be observed among some travellers as they collect their belongings, say their goodbyes, pack away their devices.
High congestion and people flow facilitated the intensive observation of cybersecurity behaviour. Observing became easier, although more dynamic and fluid. Because of the increasing noise levels, people shouted information that could be overheard, which risked compromising cybersecurity.
Conversely, in periods of low congestion people appeared to be more conscious of their personal cybersecurity; for instance, paying attention to their screen position and the location of their devices relative to where they were seated.
Conclusion
Overall, high levels of congestion influenced travellers’ cybersecurity behaviours significantly: we observed more lapses in physical security, more accidental or casual exposure of personal information, risky network practices and low environmental awareness than in periods of low congestion.
Crowd density, noise, resource availability (finding a charging point close to where the traveller was seated) and cognitive load combined to heighten the threat of cybersecurity breaches.
Environmental pressures increase the potential for cybersecurity breaches and identity theft. They are as influential in cybersecurity behaviour as an individual’s disposition to act cautiously in public spaces. While the technological aspects of cybersecurity are clearly important, that is, ensuring regular system maintenance and updates, two-factor authentication and obsessively securing network infrastructure among other things, the human behaviour aspect of cyber-security cannot be ignored. This is particularly the case in public spaces.
Sign up for our weekly newsletter here.
- This blog post represents the views of its author(s), not the position of LSE Business Review or the London School of Economics and Political Science.
- Featured image provided by Shutterstock.
- When you leave a comment, you’re agreeing to our Comment Policy.
