Human factors have always been the bane of security professionals, and social engineering is also high on the list of factors requiring mitigation measures and controls. Yet their very nature makes them highly variable – humans will always work out a way to circumvent a control if it makes their lives easier.
We security professionals also have limited storage capacity for random data (like complex, ever-changing passwords), and we are always willing to assist another human: “holding doors open”, answering seemingly innocuous questions about passwords, date of birth, etc.
However, the number one kicker is the divulging of personal information and giving up privacy for free participation in social networks.
A security awareness level of an individual is something that I have repeatedly droned on about over recent years.
Bringing that level of security education up for everyone within your remit, and not just their organisational security awareness – but also their personal and privacy awareness – should be your aim.
My security testing team, in conjunction with learning professionals, has developed a series of generic awareness e-learning programs designed to be deployed within organisations, to educate and raise their employee levels of personal and organisation security awareness.
For the past two years, and for the next two years, we’ll deliver all the Federal Government’s Stay Smart Online Cyber Alert Service awareness content.
Therefore, we have significant experience in the human factor security arena and importantly the measurement of cognition around security messaging.
So on to hacking humans. Put simply, brains are computers, and as computers can be hacked, so too can brains.
It has been revealed, for better or worse, that Facebook researchers recently conducted a study where they deliberately manipulated member feeds using keywords to affect their mood.
The results, somewhat unsurprisingly, demonstrated those receiving positive messages promoted from their feed were found to be subsequently more positive themselves, and vice-versa. Those receiving the “negative” friends feed were down.
“So what?” some will say, “I’m in security, I don’t use social media” blah, blah, blah. Just stop and smell the roses for one second, those around you do.
If the big data organisations are now moving from simply knowing your friends, colleagues, acquaintances and enemies’ private information, shopping and online habits and onto mood manipulation, what’s next?
Some brains, and the mental health contained within, are fragile, so deliberate fiddling by big data could exacerbate an individual’s issues, particularly when it’s that subtle.
So, dear security pro, time to add a blindfold to that tinfoil hat ensemble.
Just because Facebook is the one that has let this particular cat out of the bag, you need to look at what the other data companies are doing undisclosed and behind the scenes in this area – Google and Apple, for example.