Computers are not like bread toasters or microwave ovens. They are like children, and more specifically, like toddlers.
Just as toddlers need to be protected from “stranger danger”, digital systems need protection from “cyber stranger danger”. And both of them – toddlers and digital systems – need us for their protection, to watch out for them.
Just as toddlers are prone to physical injury from tumbles and falls, computers too are prone to technical accidents – data loss due to storage corruption, hardware failure and such. But there is also the other type of danger – stranger danger. Toddlers need to be protected from those with malicious intent, anti-social elements, and exposure to age-inappropriate situations. Following suit, digital systems need to be protected from cyberattackers operating with various intentions. While lollies, ice creams, toys, stories and impersonating a relative are some of the props and techniques used against toddlers, phishing emails and malicious advertisements are used against the human users of digital systems. The goal of such emails and ads is to get the human user to run bad code on their machine or to divulge sensitive account credentials or data.
Digital systems are not like independently capable adults. They are like toddlers. Just as child protection laws and child safety and welfare policies do for toddlers, technical solutions and controls provide one arm of defence for digital systems. What is the second arm of defence and protection? How do we manage to keep toddlers safe from stranger danger and other such dangers? How do we keep them safe, generally? By practising watchfulness. Security Education, Training, and Awareness (SETA) is the cyber equivalent of that watchfulness.
But such SETA efforts are often reported to be ineffective, and those who receive such training often find it painful, annoying, boring, and a nuisance. There is one simple thing that could help solve the effectiveness problem of security education, training, and awareness efforts: acknowledging the fact that digital computer-based systems are inherently vulnerable. They are easily accessible and modifiable code-execution machines. They can run good code and bad code with equal ease.
Digital systems carry a wide variety of inherent vulnerabilities. They are not the all-knowing, all-powerful, perfect machines that they are typically portrayed to be. They require lots of care and attention to be kept safe. In the case of human development, through the process of maturation, adults develop the ability to keep themselves safe, make informed decisions, manage risks, and respond to situations with the faculties of intelligence, memory, perception etc. Digital computer systems have not yet reached such a state of maturity. Since their programmable surface is large and easily accessible, they remain highly exposed to attacks.
Continue reading “Computers are not microwaves, and humans are not the weakest links in cybersecurity.”