For all the talk of hard mechanical and technical defences, all human-machine systems are reliant on their soft procedural defences to maintain safety and security. This insight has some traction amongst the safety science community and has now also taken hold in the security community as a recent review by M. Mitchell Waldrop for Nature illustrates.
Cybercrime has become a high-impact risk for individuals and organizations, Waldrop highlighting the recent data breaches at both Sony Pictures and the United States’ Office of Personnel Management. In response to these problems there has been increasing attention on the problem of human factors in cybercrime. This trend is evident in both the United States and the United Kingdom, the respective efforts being led by Douglas Maughan at the United States’ Department of Homeland Security, and Angela Sasse at University College London.
The article notes the problems associated with corporate policies on passwords for computer systems, the nature of unworkable rules for composing and using passwords within the workplace and also, from Lorrie Cranor at Carnegie Mellon University, the self-defeating nature of requiring users to change passwords every 90 days in the absence of any security breach.
For the majority of us, we can relate to the problems of ensuring safety online, and coping with sometimes incredibly rigid corporate rules on the selection of passwords. However, Waldrop’s article suggests there might be hope in the fight against cybercrime, as exemplified by Stefan Savage’s work.
At the University of California Savage set up a server to act as a “gullible consumer”. This enabled Savage’s team to capture data that could then trace back the internet trail to the source. Although it is difficult to close-down fraudulent operations on the internet, Savage did discover one potential marker of fraud, that some banks appeared to be more popular with fraudsters as a centre for collecting victim payments.
M. Mitchell Waldrop’s full article can be found at Nature.