The human nature of cybersecurity

This might sound strange, but open a new tab and do a quick Google image search for ‘cybersecurity’. Done it? What did you see? Was it masses of futuristic translucent images of padlocks superimposed over circuit boards and Matrix-style digital rain? Thought so. For us and our Senior Director of Information Security, Product Security and Global Response, Quentyn Taylor, this is a huge misrepresentation of the field, the foundations of which are as human as human can be.

Yes, there is a world of technical skills involved, be in no doubt, but Quentyn’s team has also been hand-picked for their expertise in human nature. Why? It’s sadly a fundamental truth that people are often the most vulnerable spot in a company’s security. And other people – cyber attackers – are frighteningly adept at exploiting human behaviour, like our trusting natures, curiosity, reliance on habits and even overconfidence. However, they too are only human and often behave in perplexing ways. So, with all this psychology involved, let’s look at some of the ways it shows itself in a high-performing cybersecurity team like ours.

Flexibility

“I don't care how advanced your AI model is, it's human beings who can flexibly integrate data sources together – physical and digital,” says Quentyn. “People can make leaps of faith between different kinds of technology or data, whereas AI tools have to be trained.” This makes absolute sense as, right now, an AI can only work with the data it has available, whereas humans can hypothesise, think laterally and make quick judgement calls. We can swiftly pull lots of different information, in different formats, and consider them equally, which is something security-focused AI tools currently struggle to do.

Intuition

No, it’s not all guesswork. Intuition can often be the presentation of pattern recognition, informed and shaped by lived experience. “And it can be powerful, even though it can be easy to dismiss out of hand,” says Quentyn. “But there are hundreds of examples where people have said something ‘just felt off’ and they turned out to be right.” However, he is also keen to point out that because everyone is different, it can sometimes be informed by another very human attribute: bias. “You have to be careful, of course. But even so, there is not an AI out there currently that can match human intuition when blended with good data, training and a pause for thought.”

Diversity

“Not all attackers are the same,” stresses Quentyn. Sounds obvious, but on the flip side it means that cybersecurity teams must reflect this too. “When building a team, it’s absolutely critical to have diversity across all sorts of factors – education, background, culture, location, likes, dislikes… if we’re trying to defend against attackers from all walks of life it just makes sense.” He gives an excellent example of a cyber-attack where obscure references to Dune by Frank Herbert were found in the code of a particularly destructive malware. This was well before the blockbuster movie franchise, so someone in the investigating team would have needed to be familiar with the novel. And, yes, someone’s love of sci-fi meant these key words were picked up and could be connected across different attacks, pooling intelligence.

Instinct

Intuition and instinct are often used interchangeably, but where intuition is a calculation, instinct is an impulse. While, on the face of it, it might seem irrational to act instinctively in a high-stakes situation, like a cyber-attack, the collective instinct of a team can be a formidable force. “When you have evidence and instinct together, that can be incredibly powerful,” says Quentyn. “For example, if a call needs to be made and you have all the data available to you, but it’s giving you no clear steer, then instinct really comes into play. When a whole team feels instinctively that one course of action should be taken over another, then do you need to trust it? I’d say so.”

Perception

People are unpredictable. Until they’re not. And, in cybersecurity, it can sometimes take just a slightly different approach or alternative view to understand just what is going on for an attacker. “More often than not, the puzzle you’re trying to solve is a human just doing human things.” Quentyn gives the example of an attack which kept stopping and starting, seemingly at random. “They launched the attack, then stopped for a couple of hours. Then there was a little bit of minor activity, then another stop before the bulk of the attack occurred a few hours later.” It was pointed out that this was actually a pattern – before work, lunchtime, then after work. And knowing this meant they could quickly pinpoint where in the world it was coming from.

Critical thinking

Deception, subtle irregularities, social engineering, technical exploits… the list is endless and the judgement calls are many. “Our daily work is the very essence of ‘human to human’,” explains Quentyn. “Basically, two people trying to work each other out, which is something as old as time itself.” It’s more than just analysis of what’s in front of you, it’s the sum total of everything above, bringing considered evaluation into the same space as gut feel, acting on multiple sources of information and making swift decisions, while drawing upon the experiences of the team to put a name and place to unusual activity. It even extends to the wider organisation, as cybersecurity specialists can put these skills to work in ways that encourage safer online behaviours across the board.

All in all, it's a far cry from the stereotype of the cybersecurity professional and, indeed, the entire concept of cybersecurity itself. The reality is, the results of your Google search should simply be lots of images of diverse teams, working together. Human to human.

Find out more about careers at Canon.
