The past few years have exposed a staggering amount of personal and financial consumer information while damaging the reputations of major brands.
The economic losses are significant. The average cost of a corporate breach was $11.7 million in 2017, up 23% from the previous year, according to a recent Accenture study.
Here’s the really bad news: 95% of all cybercrime results from human error, according to a 2014 IBM study. Despite the advanced security technologies available today—including nascent AI applications that can take matters out of human hands—most major hacks target vulnerabilities rooted in human behavior, not just those in systems and networks.
Most major hacks exploit vulnerabilities rooted in human behavior, not systems and networks.
Here are some typical human behaviors that play into the hands of cybercriminals, with tech solutions that organizations can deploy to strengthen their defenses.
Research has shown that waves of security warnings and the constancy of threats actually makes employees less likely to respond to them. In psychology, this pattern is known as habituation. For decades, therapists have been using habituation to treat phobias, according to Alex Blau, vice president at behavioral design firm ideas42.
In the wake of every high‑profile global attack, security pros generally rush to prevent the same thing from happening within their organizations—while often ignoring known threats such as critical patch upgrades. This is the result of availability bias: people tend to overemphasize the likelihood of something happening again, based on how easy it is to remember.
Most people never change the default security settings on their computers and don’t opt into extra security features such as simple encryption, even when they know it will protect their data from being stolen. This pattern has given IT departments headaches for decades.
Employees tend to model peer behavior. This phenomenon, called social proof, can significantly influence behavior, especially when trying to get users to embrace security hygiene practices that appear more abstract than real.
When employers train their employees, they may increase knowledge but rarely change behavior.
Data security training programs may increase employee knowledge, but they rarely change behavior. However, the chances of success rise sharply when training becomes a constant feedback system for users.
The promise of AI
A cybersecurity skills shortage is one reason why many are pinning their hopes on AI to help manage risk in concert with human intelligence. For example, MIT’s Computer Science and Artificial Intelligence Lab has developed an “adaptive cybersecurity platform” called AI2 that adapts and improves performance over time by combining machine learning tools with human security analysts.
AI2 sifts through tens of millions of log lines each day, flagging anything deemed suspicious. Analysts confirm or adjust the results and tag legitimate threats. Over time, AI2’s algorithms fine‑tune their monitoring, learn from mistakes, and get better at detecting breaches and reducing false positives. In early trials at MIT, AI2 has correctly predicted 85% of cyber attacks.
Truly effective solutions will come from platforms like AI2 that blend human and machine intelligence.
“You can only automate what you’re certain about, and there is still an enormous amount of uncertainty in cybersecurity,” says longtime security expert and author Bruce Schneier. “Automation has its place, but the focus needs to be on making people effective, not on replacing them.”