As Users Shift Towards a Preference for Remote Work, Are Current Training Methods Enough?

Jan 10, 2025

The following is a document that I wrote in the first class of my doctorate in cybersecurity. I was searching for the exact area I wanted to write about, and so I was exploring different angles of human factors in cybersecurity. This is short and grammatically rough, but I think it is important to show the growth that I experienced over the course of the degree.

Introduction

Since the beginning of the pandemic, there has been a consistent shift towards remote or hybrid work in supported industries. Pew Research, a non-partisan “fact tank” that focuses on public issues, found that “as of February 2022 roughly six-in-ten US workers who said their jobs could be done from home are working from home all or most of the time. Eighty-three percent of these workers said they were working from home even before the omicron variant” (Parker et al., 2022). This shift places users at locations that are not protected by a traditional corporate network.

Issue Background

The 2021 ENISA threat report, provided by the European Union Agency for Cybersecurity, identified an increase in “non-malicious” incidents. It stated that the pandemic became a “multiplier for human errors and system misconfigurations, up to the point that most of the breaches in 2020 were caused by errors” (ENISA Threat Landscape 2021, 2021). The report additionally identified a rise in phishing and Remote Desktop attacks. Gartner reinforced this point in April 2022, claiming that “Human error continues to feature in most data breaches, showing that traditional approaches to security awareness training are ineffective” (Moore, 2022).

Issue Position

Enterprises have certainly utilized VPNs for users in the past, but the correlation between remote work and human error raises an interesting question: should we adjust how we manage cyber risk? The industry has been trying for several years to discover a model that places users at the center of a security program, and in the push towards something new it is important to understand some of the core challenges faced by a human-centric security model. This difficulty can be seen by examining one of the basic security controls: passwords. The effectiveness of a good password has been documented and advertised for many years, but for the average user passwords are still viewed as an obstacle that “has to be overcome” (Pernice, 2015). This was highlighted in 2019 when Karen Renaud and Verena Zimmermann demonstrated that nudging users towards better password management makes no real difference to adoption (Renaud & Zimmermann, 2019). In this article, they postulated that this was perhaps because “the choice they want people to favour is not in line with the user’s qualified best knowledge,” referencing the same point made a few years prior by C. R. Sunstein in the Duke Law Journal (Sunstein, 2016). If users continue to struggle with security controls while working remotely, then we can assume that the industry will need to incorporate that into its risk models. Technical controls can assist in many ways, but if researchers such as Renaud, Zimmermann, and Sunstein are correct, then the industry will need to shift more focus onto the user experience.

References

ENISA Threat Landscape 2021. (2021). https://www.enisa.europa.eu/publications/enisa-threat-landscape-2021

Moore, S. (2022). Gartner Top Security and Risk Trends in 2022. Gartner, Inc. Retrieved September from https://www.gartner.com/en/articles/7-top-trends-in-cybersecurity-for-2022

Parker, K., Horowitz, J. M., & Minkin, R. (2022, February 16). COVID-19 Pandemic Continues To Reshape Work in America. Pew Research Center. https://www.pewresearch.org/social-trends/2022/02/16/covid-19-pandemic-continues-to-reshape-work-in-america/

Pernice, K. (2015). Help People Create Passwords That They Can Actually Remember. https://www.nngroup.com/articles/passwords-memory/

Renaud, K., & Zimmermann, V. (2019). Nudging folks towards stronger password choices: providing certainty is the key. Behavioural Public Policy, 3(02), 228-258. https://doi.org/10.1017/bpp.2018.3

Sunstein, C. R. (2016). People Prefer System 2 Nudges (Kind Of). Duke Law Journal, 66.