Cybersecurity was once an issue chiefly confined to CIOs and information security specialists. Recent ransomware attacks such as WannaCry2, and the ongoing onslaught of malware and ever more sophisticated hacks, mean that it is now a hot topic for us all, developers and companies alike. But, in the race to stay ahead, what we can often forget to think about is the ‘user’ and how they are impacting the whole cybercrime arena.
It’s a massive challenge to keep up with the web and security, with many developers and CIOs constantly preparing for hacks and incidents such as operating systems getting infected and encrypted. In worst-case scenarios, companies and users are being held to cyber-ransom. Take the above-mentioned WannaCry2. In May of this year, it struck global companies such as Telefónica and, even closer to home, a HSE-funded facility in Wexford.
Increasingly, the issue of cybersecurity is linking up academics and developers to share ideas and insights. There are a plethora of conferences taking place around the globe to connect developers and offer a medium for them to present papers about how to pioneer secure systems in a rapidly diversifying cyber world.
In September, for instance, the IEEE will be hosting SecDev in Cambridge, Massachusetts as a forum for both developers and academics to share ideas on secure system development.
According to the IEEE, developers have valuable insights that can help inform academic research. Conversely, it believes that the research community can also benefit developers via its insights on areas such as code, tools and concepts.
Dr Andrew Power is one such academic who is helping inform developers about UX and design through his ongoing research into the psychology of user behaviour and systems.
A cybersecurity expert, Power is registrar at the Institute of Art, Design and Technology (IADT) in Dún Laoghaire, Co Dublin.
Having originally qualified as an engineer, he is an active researcher in the areas of technology and society. In the field of cyberpsychology, for instance, Power is co-author, along with Dr Gráinne Kirwan, of Cybercrime: The Psychology of Online Offenders (2013), as well as being a contributor to Cyberpsychology (2014).
With security threats becoming ever more sophisticated, what then are some of the biggest challenges facing developers in this hyper-connected age, and with the proliferation of data out there?
Developers have many technical issues to address when designing solutions and building products, explains Power. However, in the struggle to keep up with the latest technology and the newest online threats, he says there is one constant in the security chain that is often overlooked – the user.
“An enormous amount of security breaches are not the result of a new ‘superbug’ but because a password was shared or leaked, a file from an unknown sender was opened, or a laptop was misplaced.”
Being able to unlock how people interact with technologies, often in ways not envisaged by the designers, is “key” to minimising these risks, he says.
Other critical factors include building systems in ways that make “good security behaviour simple and normative”.
“Understanding human vulnerabilities to persuasion, temptation, greed and even laziness is also vital to understanding how we fall prey to online scams which lead to systems failures.”
This work is partly technical but it has just as much to do with behavioural science and with good design, according to Power.
Interestingly, he says that disciplines such as human-computer interaction (HCI), user experience (UX) design and cyberpsychology are increasingly being embraced by companies that have traditionally been chiefly engineering focused.
So, is it vital, then, that developers are constantly upskilling, depending on their area of expertise, especially in mobile development?
“Yes. Computing used to be limited to computers! These computers tended to be in locked office buildings. Laptops made the internet mobile and, consequently, more vulnerable.”
Power points to the impact both mobile and the internet of things are having on security and risk factors.
“Mobile phones put the internet in our pocket and the internet of things has distributed connectivity, and thus risk, to an enormous and growing range of objects.”
Each new platform brings with it a new set of ‘human’ risks, he says.
“How will it be used, where, by whom? Can the same security/password protocols be used on a domestic appliance as on an office computer? Probably not …”
According to Power, anticipating and preparing for such human risks is only in part a technical problem, however.
“It is mostly a design problem and a question of understanding how we interact with the systems that surround us.”
In Part 2 of our interview with Andrew Power, we will look at ways that developers can keep up with the pace of security, as well as the future of education around secure system development. Watch this space!
Author: David Pepper
David is a recruitment professional who takes a consultative approach to finding and placing the best talent. He is an avid photographer and tech follower who loves to dabble in digital projects.