
Psychology’s Relevance in Security

The best way to defeat, or at least largely mitigate, hackers is a dynamic defense system. When combined effectively, anti-virus software, next-generation firewalls (NGFWs) and the products and services of cybersecurity companies like CyberArk and FireEye can give an organization a resilient cybersecurity framework. However, such security measures are expensive and depend on the organization employing IT professionals, which is why many organizations try to fend off cyber attacks with nothing more than anti-virus software and an NGFW. Yet there is another method with which to mitigate or prevent cyber breaches, and it is one that cyber liability and technology E&O insurers need to understand and employ immediately: human psychology.

The most common meeting point of psychology and the binary world is the door to the binary world: the password. Most, if not all, underwriters have read an article or heard a lecture about how “password” and “123456” are the keys people use most frequently when they attach a password to anything. Moreover, the commonality of those two keys has been a fact for decades, yet the insecurity of using commonly known passwords as a passport remains virtually immune to change.

The longevity of weak keys is due to many factors, but at the heart of all the factors is human psychology. It is a behavior that does not want to be bothered with memorizing a multitude of passwords, and one that tries to find the easiest way to meet a password requirement instead of trying to create a strong passport. Most importantly, it is risk and reward psychology that governs the creation of any password. Who cares in the professional world what a person’s password is as long as the work gets done and a person gets paid?

Yet current cyber liability and technology E&O wording does not even try to tackle this most basic insecurity, one that costs insurers large amounts of currency time and again. Insurers will continue to lose vast amounts of money to the insecurity of a key like “123456” until they decide to tackle human psychology and work with technology companies to create a safe path forward out of the current mess in which the digital community finds itself.


If passwords were the only element of enterprise cybersecurity that needed to be reformed, then, to a high degree, the issue would not have far-reaching implications. However, the fact is that the weakness of keys is only a symptom of a larger problem.

Cybersecurity may be a topic that crops up in news headlines on a regular basis, but it is also a topic that is generally viewed as a fringe area of thought. At the enterprise level, this can be seen in one prominent way beyond dysfunctional passports: individual cybersecurity responsibility. Cyber breaches have cost the global economy no less than $400 billion each year since 2013, have affected essentially every part of the professional sphere, and are bringing governments around the world into conflict with their taxpayers, as illustrated when the U.S. government tried to force Apple to make its products less secure.

Nonetheless, to this day a majority of the companies around the world do not put part of the onus on individual employees for a company’s cybersecurity posture. Most companies do not include, in annual employee reviews, an area that deals with how the individual contributed to the strength or weakness of the company’s cybersecurity approach.

Did the employee use a strong password over the past year? Did the employee lock her computer each time she stepped away from her desk? Was the employee’s company computer linked to any cyber attacks? If the employee’s computer was linked to a cyber attack, then had the employee shown an appreciable improvement of her cybersecurity awareness?

By not enforcing the need for every employee to contribute to the cyber safety of the company, employees at all levels are allowed to have a carefree outlook, which is clearly detrimental to the cybersecurity posture of every organization. Even potential employees are not vetted for their sense of healthy cybersecurity. Companies ask numerous questions when interviewing a potential candidate, but very few companies try to assess the individual’s sense of responsibility when it comes to cybersecurity. If employees, and even applicants, are not expected to carry part of the responsibility, then what reason does any employee have to be responsible from a cybersecurity standpoint?

Perhaps more disturbing than the previous issues is that cyber liability and technology E&O insurers do not account for how human behavior influences the development of computer hardware and software. From about 1990 to the present, there has been a relentless movement by technology companies to get products to market at breakneck speed.

While a hardware company like Intel has produced some products of dubious quality, such as trying to push its Pentium III processor beyond the 1 GHz level and the Rambus fiasco, hardware producers have largely avoided major mistakes. However, software developers are almost entirely responsible for the creation of a binary world where security has almost always been an afterthought, and human psychology is at the heart of this issue as well.

Since 1990, constant pressure has been placed on software engineers to meet deadlines set by a management system that is focused on everything but cybersecurity, which means that quality is almost always sacrificed to include a flashy software feature or simply to get a product to market quickly. Windows Me, Windows Vista, and Windows 8 are the results of a management system that showed great disregard for the safety of the end user.

Moreover, software engineers themselves also have the psychological outlook that, if an issue does come up after a piece of software is released, it can always be patched at a later date. Perhaps the most obvious example of the patching system in overdrive is that of smartphone operating systems and applications. It is not uncommon for one smartphone application to receive updates two or three times each month. However, the present wording of technology E&O policies and the questions asked in technology E&O applications continue to demonstrate a severe lack of understanding on the part of insurers as to how human behavior gives rise to technology E&O claims.

When it comes to human psychology, it seems that the most egregious lack of understanding by insurers is not comprehending their most prominent adversary: hackers. However, hackers are not all the same, which means that they are driven by different attitudes, thought processes and rewards. More than that, hacking is an art and, just like any other art, there are “newbies,” and there are actual artisans.

In the first of the four hacker tiers are elementary hackers, meaning those people under the age of 14. For the most part, elementary hackers are going to focus on their local geographical community. This is partly due to the experimenting nature of such a young hacker, because a 10- or 12-year-old is still trying to figure out how to hack. Therefore, local targets present the best chances to hone a person’s skills. After all, the basic educational system, especially in the U.S. but elsewhere, too, spends very little on defensive technologies of any kind.

The local courthouse and sheriff’s office spend only slightly more than the educational system, and local merchants still largely maintain the attitude that they somehow do not appear on the radar of any hacker. Therefore, local venues often are the best targets because they often have the least security, in all forms, and consequently are the easiest ones on which to test a person’s skills.

However, insurers largely ignore this first tier and appear to have the mindset that these hackers are unworthy of recognition and that no solution as to how to engage with this group is needed.

The next tier contains the rookie hackers. These are the hackers who successfully “graduated,” unopposed, from the elementary group and who are generally 14 to 22 years old. For this next tier, the motivation is still whether the individual is capable of a hack, but now the target of the hack is going to extend, with ever greater frequency, beyond the immediate geographical location. It will also increasingly encompass working with and learning from others.

This is often the stage where hacktivists are going to begin to form and where the psychology of the hack is going to extend to obtaining items like currency and prestige. As hackers in this group encounter other hackers, they often start to form a set of ethics that make sense, but that are hard for a majority of people to understand. This same group is also going to start to attack national law enforcement institutions, yet even this tier is largely ignored by insurers around the world even though attacks from this group often involve PII, PHI, and payment card data.

Tier three is the first tier that has widespread acknowledgment from all insurers, and this tier encompasses both artisan and professional hackers. The hackers in this tier are often going to be 23 years old and older. One factor that makes this tier of hackers so effective in entering systems where they are not welcome is that they have been able to hone their skills from the age of 10 to 23.

Most people who build and hone a skill set over the course of 13 years will be fairly capable. Another factor is that this tier is composed of people who have a sense of identity, which means that this group has formed its own moral compass and conforms to ethics and outlooks that often fall outside of the global mainstream. This sense of identity and associated ethics gives rise to groups like the FireEye-branded FIN6 group, or the hacktivist group Anonymous.

A group like FIN6 is capable of inflicting hundreds of millions of dollars in damage on the global economy, but, because cyber liability and technology E&O insurers have ignored the first two tiers of hackers, they are unable to appreciate the depth and abilities of tier three hackers.

The fourth tier of hackers has been known to insurers for years now, as well as to law enforcement organizations around the world. This tier is composed of hackers who work for effective cybercrime groups, like FIN6, or larger cybercrime groups; hackers who are ardent supporters of a sociological or political philosophy (hackers for ISIS are a current example of this); and hackers who work for nation-states, whether directly employed or occasionally contracted to work.

These hackers have narrow views of the world, their ethics often fall outside of the norm of most hackers, they are constantly trying to expand the ways by which to wage cyber warfare (Stuxnet is a recent successful example) and they are the embodiment of ghosts in the network. Tier four hackers are almost always the hackers who cause the most damage while leaving virtually no trace of their activities, and they are beyond insurers’ ability to engage with in any reformative manner.

Human behavior is at the core of every single data breach initiated by a human. The hacking of Equifax is perhaps the most recent egregious example of this. The Equifax hack occurred because of a company mindset of complacency as well as the hackers’ own psychological reasons. Complacency is clearly demonstrated in the cybersecurity posture that the company was maintaining: it can be done later.

The hole that allowed the hackers to gain access and successfully acquire copious amounts of non-public data had a fix that was released in March 2017, but by May 2017 Equifax still had not patched the vulnerability. There is also evidence that Equifax was notified as early as December 2016 that its systems were not secure.

With the PII that a credit rating agency holds, such a delay in patching systems that hold critical data is unacceptable. However, with no government or market pressure to behave responsibly, Equifax and its ilk will continue to suffer data breaches time and again, and time and again consumers, and ironically insurers, will continue to exist in a world of ever-increasing uncertainty as to which direction financial harm will arrive from.


While failing to account for human psychology is a severe oversight on the part of insurers, the path forward is equally undeniable: engage with as many tier one and tier two hackers as possible, and ensure that cyber liability and technology E&O applications allow insurers to assess the psychological outlook an applicant has with regard to cybersecurity.

In the April 2016 edition of the PLUS Journal, it was argued that insurers need to work with other companies involved in technology, marketing and lending, and in other parts of the private sector, to create an international competition. This competition would give students a creative outlet to display their skills, whether in coding, design or writing. By establishing such a competition and working with educators worldwide, insurers and other companies can give potential tier one and two hackers a creative outlet for their skills as well as an affirmation that their skills can lead to healthy career paths.

By finding these individuals through an international competition, not only can insurers reduce the risk to their insureds of being hacked by the reduction in numbers of hackers, but they can also find the people who are capable of creating next-generation products.

Without spending the needed effort, though, insurers will continue to lose money at unsustainable levels to cyber liability and technology E&O claims, claims that could have been avoided by investing in adolescents, who, after all, are the future, but who also are the most vulnerable to negative influences.

By also asking the right questions in a cyber liability and technology E&O application, insurers can assess the psychological outlook of a corporate applicant and make a far more informed decision as to whether to underwrite the risk. Had insurers asked Equifax questions that appropriately gauged its perception of the importance of cybersecurity, they could have avoided the risk of underwriting the firm.

Surely, asking eight psychological questions to save $100 million is better than accepting $300,000 in insurance premium and all the uncertainty attached to that premium.

Over the past four thousand years, battles and wars have often been won by the continued incorporation into the battlefield of new technology, whether the technology was metallurgical or mechanical, but understanding the psychological mindset of the enemy has also been a determining factor. The ever-present value of human behavior has not been lost on most of the private sector, either. Psychology is at the core of a multibillion-dollar industry like advertising, and it is represented daily in the greed and fear index on Wall Street. Understanding the psychological mindset of a company as it concerns its cybersecurity posture, and understanding hackers, without question must be embraced by insurers.

However, until insurers realize the relevance of human psychology, they, and their insureds, will continue to lose substantial amounts of currency, time and sense of security, and the global economy will continue to be destabilized.

Can Employers Ever Monitor Employees' Personal Social Media?

Yes, but be careful! There is no denying that the use of social media sites such as Facebook, Twitter and LinkedIn has exploded. The explosion includes both personal and business use of social media. It also includes use that is beneficial to employers and use that can be very damaging. Unfortunately, the influx of employment lawsuits that has followed the explosion has had limited practical value in guiding employees and employers on the permissible use and oversight of social media in the workplace. While many questions remain, the California State Legislature's recent enactment regulating employer use of social media does provide some guidance.

California Labor Code section 980 was enacted to prevent employers from (1) requesting an employee disclose usernames or passwords for personal social media accounts; (2) requiring an employee to access his or her personal social media in the presence of the employer; or (3) requiring an employee to divulge any personal social media to the employer. Applicants are protected in the same way as employees. The new statute, coupled with existing privacy laws, limits what employers may monitor when it comes to the personal social media of employees and applicants.

Definition Of Social Media
In what appears to be an effort to account for the ever-increasing development of new social media, the new statute broadly defines social media as an “electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, e-mail, online services or accounts, or internet web site profiles or locations.”

Prohibitions On Employers Monitoring Social Media
Employers may not require, or even request, that an employee or applicant:

  • Disclose a username or password for the purpose of gaining access to the employee or applicant's personal social media;
  • Access their personal social media in the employer's presence; or
  • Divulge any personal social media.

Employers are also prohibited from retaliating or threatening to retaliate against an employee or applicant who refuses to comply with a request or demand that violates the statute.

Despite the statute's broad definition of social media and its restrictive prohibitions on employers, it does provide some exceptions under which employers may request and gain access to employees' personal social media. For each exception, however, pitfalls exist. Employers need to know them in order to avoid costly mistakes.

Accessing Social Media As Part Of An Investigation
The statute does not affect an employer's existing rights to obtain personal social media “reasonably believed to be relevant” to an investigation of employee misconduct. Under this exception, the employer may only access the employee's personal social media under the condition that it is used strictly for purposes of the investigation or a related proceeding. While the statute does not define what “reasonably believed to be relevant” means, California Courts evaluate employee privacy concerns utilizing a balancing test, weighing the employee's reasonable expectation of privacy against the employer's legitimate business needs for accessing the information. It is wise for employers to evaluate each instance carefully before requesting an employee to divulge his or her personal social media under this exception.

Employer-Issued Electronic Devices
The statute does not preclude an employer from requiring an employee to disclose a username and password for the purpose of accessing an employer-issued electronic device such as a computer, smartphone or e-mail account. Employers should exercise caution, however, before digging through an employee's use of personal social media on the employer-issued device.

It is a violation of the federal Stored Communications Act to access a restricted or password-protected site without the owner's consent. So, while it is permissible for an employer to require an employee to provide his or her password for access to the employer-issued device, an employer may be violating the law by accessing social media information on the device. Having the IT department look up the employee's Facebook password stored on the employer-issued device in order to gain access to the employee's personal Facebook page, for instance, would be such a violation.

Adverse Action Against Employees
The statute does not prohibit an employer from terminating or taking adverse action against an employee or applicant if otherwise permitted by law. For instance, an employer may discipline an employee for violating company policy by using personal social media during work time. Nor does the statute specifically prohibit employers from accessing publicly available social media. This means that employers may view the personal social media of their employees that is available to the general public on the internet, such as blogs and other websites that do not restrict user access.

But, before taking any adverse action against an employee based upon the content of his or her personal social media, employers must keep in mind that California law prohibits employers from discriminating against an employee based upon the employee's lawful conduct occurring away from the employer's premises during non-work hours. Moreover, the National Labor Relations Board has held that employees may use social media to voice concerns over working conditions. While an employee complaining about working conditions or an issue with a manager on his or her Facebook page may reflect negatively upon the organization, the employee's use of social media to criticize working conditions may qualify as protected speech for which an employee cannot be lawfully disciplined.

What Is An Employer To Do?
First, be patient. The law develops at a snail's pace compared to the development of new technology and cultural trends. More guidance will come. In the meantime, employers should approach social media issues with careful consideration and planning. This should start with the development of a written social media policy, and not a sample or template policy. The policy needs to be specifically tailored to the employer and should discuss the importance of social media, the impact that social media has on the workplace, and how employees' use of social media reflects upon the organization. The policy should also define the permitted use of technology owned by the organization and employees' expectations of privacy, or lack thereof.

If an employer elects to have a policy restricting personal social media use during work hours, it should ensure that the policy is applied even-handedly to avoid claims of discrimination. Employers should also consider the pros, cons and legal issues that relate to restrictions on supervisors' social media interaction with subordinates. For most organizations, it would be advisable to inform employees that they are not required to interact with supervisors on personal social media and will not be retaliated against for refusing to interact with supervisors.

A carefully planned and well-written social media policy that outlines the organization's goals and expectations for employees' use of personal social media can help ensure compliance with the new rules and prevent costly disputes with employees.