You don’t have to look far to find someone who may not be practicing proper cyber hygiene to protect themselves and others from the ill effects of cybercrime or cybersecurity issues. For instance, we may be aware that using the same user ID, email account and password for different cloud services is considered risky behavior and could result in an account hack or data breach. However, we do not change this behavior. How often do you share, in a social situation, your best practices for securing your devices, cloud service applications, mobile applications and home networking equipment with those around you? Do you recommend the use of available security settings to those in your social circles? Do you show them how quick it can be to implement the security settings? In this article, we discuss some ways of improving cyber hygiene.
Contributed by: Stan Mierzwa, Director, Kean University Center for Cybersecurity
Social Cybersecurity is a new and emerging concept and paradigm that concerns how social influence can be used to encourage better cybersecurity behaviors. It is worth keeping an eye on the research under way in social cybersecurity, because it may have some answers for getting people and companies to better protect themselves. Even if this approach has only a small positive effect on improving cyber hygiene, it is worth it, because something must change if we are going to help individuals better protect themselves.
Background on Social Cybersecurity
There are any number of tasks and approaches that can be undertaken to protect our computer systems from cybersecurity risks. These range from installing anti-virus or endpoint protection software and keeping it up to date, to applying software security updates, encrypting sensitive data, and backing up important data, and the list can continue to grow. Social Cybersecurity adds a dimension that considers the individual, not the computer: drawing on social psychology, it looks at how usable and powerful social forces, such as social norms, can have outsized influences on people’s behaviors and perceptions of risk. [1]
The Human-Computer Interaction Institute at Carnegie Mellon University and other researchers are bringing focus to this new scientific area of cybersecurity. As their website (www.socialcybersecurity.org) mentions, this group is leveraging insights from social psychology and other fields to develop novel interventions and strategies for nudging adoption of expert-recommended tools and practices. Can we leverage social interactions or the influence of social situations to enhance our cyber hygiene or help thwart cyber threats? As anyone who uses technology knows, we often opt for convenience rather than security, and therein lies a big problem: by taking short-cuts, we expose ourselves and those around us to cybersecurity threats.
A worthy research presentation by Sauvik Das, Ph.D., from the Georgia Institute of Technology, provides good background on how social influences affect the adoption of security behaviors. [5] He presented a test case involving the use of Facebook’s security features. The presentation is located at the following link: https://www.usenix.org/node/208148 . Das made the claim, supported by evidence, that social influences strongly affect cybersecurity behaviors, and that it is possible to encourage better cybersecurity behaviors by designing security systems that are more social. [5] The interviews conducted in the research surfaced a theme: the observability of security feature usage was a key enabler of socially triggered behavior change and conversation, in encouraging the spread of positive behaviors, discouraging negative behaviors, and getting participants in the study to talk about security. [8] The work presented is innovative and offers encouragement and opportunities in how systems can be designed to encourage better cybersecurity behaviors.
One can also compare and contrast Social Cybersecurity with the criminological theory called “Social Learning Theory”. In Social Learning Theory, delinquents are likely to engage in deviant or criminal behavior when those actions have been positively reinforced. Individuals may model their behavior on that of others; they may imitate the behavior of others. [2] With this criminological theory in mind, the premise of Social Cybersecurity, with its goal of setting model behavior for cyber hygiene, is worthy and warranted to at least consider and perhaps pursue. Where cyber hygiene is concerned, a transformation or a movement towards behavior modification needs to occur, or we will just continue down the same path of poor cyber practices, where citizens are left to deal with the aftermath of cyber incidents or breaches. There needs to be a motivation to encourage better cyber hygiene, and work needs to be done. In the words of Benjamin Franklin, “Motivation is when your dreams put on work clothes.”
Several Potential Areas of Cyber Hygiene to Be Improved
There are several areas that have a potential for improvements in cyber hygiene that may benefit from the possibility of Social Cybersecurity. Some examples that are frequently advocated in cybersecurity include:
- Passwords
- Dual-factor authentication
- Up-to-date endpoint protection software
- Security updates
- Not falling prey to scammers
One such area is two-factor or dual-factor authentication. The use of two-factor authentication is widely known in information security as a method that can reduce the issues with poor password management practices. However, in a Ponemon Institute survey produced in 2019, only 33% of respondents said they use two-factor authentication for personal use. [3] Two-factor authentication provides many benefits, but the main one is that it decreases the likelihood that an attacker can impersonate a user to gain access to a software application or data. In its simplest form, two-factor authentication operates with a traditional user ID and password, in combination with a PIN or passcode provided to something that is owned by the user, such as a smartphone. In some cases, security is further enhanced with the use of a biometric component. A Google report in 2018 suggested that less than 10% of Gmail users employ two-factor authentication, which is considered one of their best security features. [4] Why aren’t we all using this method for safer authentication?
Additionally, with regard to password practices, 51% of respondents in the 2019 Ponemon survey said they reuse an average of five passwords across business and personal accounts. With respect to sharing passwords, 69% said they do share passwords. We generally don’t share our toothbrushes, so the same hygiene should apply to our account passwords. This is another potential Social Cybersecurity opportunity, perhaps via friendly nudging and advice.
Although it may be difficult to predict with exact numbers, global surveys have demonstrated that over half of the global population are concerned about malware and other potential threats, while about one-quarter of PCs are not protected with up-to-date endpoint protection software. [6] This works out to an unprotected PC being about 5.5 times more likely to get infected. The Verizon Data Breach report of 2018 stated that it is quite difficult to estimate the actual numbers or percentages for many breaches, but they continue to involve assets or devices without basic antivirus protection installed. [7] Computer or device endpoint anti-virus software isn’t anything new, so why is it that citizens will not install it? What may be more surprising is that one can install free versions of anti-virus tools, such as Microsoft Security Essentials and Avast Free, which would be better than having no protection.
Conclusion
The purpose of this article is to bring the idea of Social Cybersecurity to the attention of those leaders and information security experts who continue to grapple with improving user adoption of security best practices. In the information security field, we often state that the human or person is the greatest risk in cybersecurity. Perhaps cybersecurity leaders can take a cue from the gaming industry. Gaming is a popular activity among adolescents and even adults. In witnessing my own family members’ desire to procure or engage in specific games, particularly those that permit connectivity to other gamers, I found that the decision on which game to purchase typically spreads via word of mouth, socially. If my friends or social group are playing a game, I want in as well. Could we work towards this sort of uptake with regard to positive cyber hygiene? Cyber hygiene isn’t as fun as a game, but how can we engage with citizens for better uptake of cyber best practices using social cybersecurity? Let’s spread the joy of protecting ourselves better.
This article appeared in CISO MAG, April 2020 and has been adapted for the online platform.
About the Author
Stanley Mierzwa is the Director, Center for Cybersecurity at Kean University in the United States. He lectures at Kean University on Cybersecurity Risk Management and Foundations in Cybersecurity. He is a peer reviewer for the Online Journal of Public Health Informatics and a member of the FBI InfraGard, IEEE and (ISC)². Stan holds an M.S. in Management Information Systems from New Jersey Institute of Technology and a B.S. in Electrical Engineering Technology from Fairleigh Dickinson University. Stan is also a board member (Chief Technology Officer) for the non-profit Vennue Foundation, and is a Certified Information Systems Security Professional (CISSP).
Kean University Background
Kean University enrolls almost 16,000 students and offers more than 50 undergraduate majors and 60-plus graduate options. It has four campuses in New Jersey and is the only public university in America to have a campus in China. U.S. News & World Report has recently ranked Kean University among the top universities in the northern United States for helping economically disadvantaged students enroll and graduate within six years. Kean is ranked 41st for social mobility out of 170 universities in the region.
References
1. Hong, Jason; Das, Sauvik; Hyun-Jin Kim, Tiffany; Dabbish, Laura; Social Cybersecurity: Applying Social Psychology to Cybersecurity, Human-Computer Interaction Institute, Carnegie Mellon University.
2. Yar, Majid; Steinmetz, Kevin F.; Cybercrime and Society, Sage Publishing, 2019
3. Ponemon Institute LLC; The 2019 State of Password and Authentication Security Behaviors Report, 2019
4. Morris, Ian; Google’s Best Security Feature is used By Less Than 10% of Users, Forbes, April, 2018
5. Das, Sauvik; Social Cybersecurity: Reshaping Security through an Empirical Understanding of Human Social Behavior, Presentation: Georgia Institute of Technology, January 18, 2018
6. Anderson, Sophie; Antivirus Facts, Trends and Statistics for 2020, SafetyDetectives, December 24, 2019
7. Widup, Suzanne; Spitler, Marc; Hylender, David; Bassett, Gabriel; 2018 Verizon Data Breach Investigations Report, 2018
8. Das, Sauvik; Hyun-Jin Kim, Tiffany; Dabbish, Laura A.; Hong, Jason I.; The Effect of Social Influence on Security Sensitivity, USENIX Association, Tenth Symposium On Usable Privacy and Security, 2014