Cybersecurity 4 security is sociotechnical issue


description

Discusses why cybersecurity has to be approached from a sociotechnical perspective. Accompanies YouTube video http://www.youtube.com/watch?v=8bLwJy2BwKs

Transcript of Cybersecurity 4 security is sociotechnical issue

1. Security is a socio-technical issue (Cybersecurity: Security is a socio-technical issue)

2. Improved security technology: Computer security and security engineering focus on the technical aspects of the cybersecurity problem.

3. By reducing vulnerabilities in code and by adding more checks to code, many security vulnerabilities can be avoided and the number of incidents reduced. However, this can significantly increase the cost and time required for development and so delay delivery of the software.

4. [Book cover image] John Wiley and Sons, 2004

5. "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

6. [Book cover image] John Wiley and Sons, 2004. "Security is a chain; it's only as secure as the weakest link."

7. Technology is necessary but cannot, on its own, guarantee that systems will be secure. Cybersecurity is a socio-technical rather than a technical problem.

8. Why technology is not enough: technology reliability cannot be guaranteed; insider attacks; technical security compromises made for usability reasons.

9. Failure of organisational procedures or poorly designed procedures; human carelessness; social engineering.

10. Unreliable technology: In the same way that it is practically impossible to guarantee that a complex system is free from bugs, it is also impossible to guarantee that a system is free from security vulnerabilities.

11. Even if a system A is secure, it may rely on other systems that are potentially insecure. If these are owned by different people, system-wide security validation is impossible.

12. Insider attacks: Insiders have legitimate credentials that allow them access to the system. Therefore, strong access control technology is not a barrier.

13. Insiders in an organisation are aware of the technical safeguards built into the system and may know how to circumvent these, especially if they have privileged system access. Insiders have local knowledge that may be used for social engineering and so may be able to discover privileged information.

14. Maroochy water breach (Image credit: www.discoverqueensland.com.au)

15. Usability vs security: There is always a trade-off to be made between usability and security. Security procedures slow down system operation and may alienate users.

16. Companies may make a deliberate decision to use weaker security procedures so that users don't decide to go elsewhere: login/password authentication instead of biometrics; unencrypted information, as encryption slows down the system. (Image: http://www.activistpost.com/ 2012)

17. Procedural failures: Procedures that are intended to maintain security may be badly designed or implemented. This may introduce vulnerabilities into the system or may mean that users have to circumvent procedures.

18. Poor procedures: Companies request strong passwords but do not provide any help to users on how to construct strong, easy-to-remember passwords such as My_hamster.spot. Requirements for regular password change are thought to improve security but actually mean that users can't remember passwords, so they write them down.

19. Human carelessness: People will inevitably be careless: leaving systems unattended whilst they are logged on; using authentication in public places where they can be observed. (Image: www.labnol.org 2009)

20. There are some technical controls against carelessness, but it is impossible to completely control this vulnerability without incurring very high costs.

21. Social engineering: Many examples show that users are willing to provide confidential information to a plausible (Image: thehackernews.com 2011)

22. Attacker Alex calls system admin Bob pretending to be the manager of a company and asks for his password to be reset. He asks Bob to tell him the new password. Bob wants to please his boss, so does as he is asked. Alex can then gain access to the system (and lock out the legitimate manager).

23. Multiple points of failure: These social vulnerabilities may be exploited in connection with each other or with technical vulnerabilities to gain access to a system.

24. For example, a successful password attack may require social engineering to convince system administrators to reset a user's password.

25. A poor password change procedure is one which does not include a check to ensure that the requestor is legitimate. Require text confirmation of the password change request, or text the password change details to the user's mobile. Requests made by phone should require a callback.

26. Summary: Cybersecurity is a socio-technical problem. Technology reliability cannot be guaranteed; insider attacks; technical security compromises made for usability reasons.

27. Failure of organisational procedures or poorly designed procedures; human carelessness; social engineering.
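The password-change procedure of slide 25, shown as added example code that is not part of the original slides: a help-desk reset flow that texts a one-time confirmation code to the registered mobile, requires a callback before acting on a phone request, and delivers the new password only to that mobile, never to the caller. The DIRECTORY entries, the SMS outbox and the ResetDesk class are constructed for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: account -> registered mobile (not a real number).
DIRECTORY = {"manager": "+44-7000-000000"}
CODE_TTL = 600.0  # seconds a confirmation code stays valid


@dataclass
class Pending:
    code: str            # one-time code texted to the registered mobile
    expires: float       # time after which the code is rejected
    by_phone: bool       # request came in by phone, so a callback is required
    callback_done: bool = False


class ResetDesk:
    """Help-desk password reset with the legitimacy checks from slide 25."""

    def __init__(self, sms_outbox: List[Tuple[str, str]]):
        self.sms_outbox = sms_outbox          # (mobile, text) pairs "sent" out of band
        self.pending: Dict[str, Pending] = {}

    def request(self, account: str, by_phone: bool, now: float) -> bool:
        """Step 1: never act on the request itself; text a code to the number on file."""
        mobile = DIRECTORY.get(account)
        if mobile is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = Pending(code, now + CODE_TTL, by_phone)
        self.sms_outbox.append((mobile, f"Reply {code} to confirm your password reset"))
        return True

    def record_callback(self, account: str) -> None:
        """Step 2 (phone requests only): admin calls the number on file and the real user confirms."""
        if account in self.pending:
            self.pending[account].callback_done = True

    def confirm(self, account: str, code: str, now: float) -> bool:
        """Step 3: reset only with a valid, unexpired code (plus callback for phone
        requests); the new password goes to the registered mobile, not the caller."""
        p: Optional[Pending] = self.pending.get(account)
        if p is None or now > p.expires or not secrets.compare_digest(p.code, code):
            return False
        if p.by_phone and not p.callback_done:
            return False
        del self.pending[account]   # one-time use
        new_password = secrets.token_urlsafe(12)
        self.sms_outbox.append((DIRECTORY[account], f"Your new password: {new_password}"))
        return True
```

The caller only ever learns whether the reset succeeded; the code and the new password travel over the channel tied to the account, which is what defeats the slide 22 scenario.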