While the planet waits with bated breath for the start of the new recession, the current economic crisis caused by the COVID19 outbreak also creates a number of important and unique opportunities. One of such opportunities is to better understand human behaviour in the presence of cyber risks. On the one hand, it might seem that waiting for the situation to "go back to normal" is a dominant strategy. Yet, on the other hand, quarantine conditions put many systems, including cyber security systems to the test, which means that many businesses can use the current crisis as a chance to do a number of interesting research projects.
Human Factor in Cyber Security
For many years, cybersecurity was viewed as a technical problem. Yet, the rapid increase in the social engineering attacks (targeting human psychology rather than computer systems) gradually led to an understanding that cyber security and cyber defence (especially for business organisations) can only be built with human behaviour in mind.
When thinking about cybersecurity as a behavioural science, it is necessary to consider (i) behaviour of the staff, customers or the general public (e.g., users in the context of cyber crime) and (ii) behaviour of adversaries (e.g., cyber criminals in the context of cyber crime). For example, people might be more likely to respond to some social engineering stimuli (e.g., phishing) compared to others (e.g., ransomware). At the same time, adversaries are more likely to strike easy targets, e.g., targets which take less time to attack, compared to others which require longer and more elaborate preparation.
Furthermore, it is not only important to consider the general behavioural patterns of both groups (i) and (ii), but also to understand how each group can be behaviourally segmented to better assess the risk of an adversarial act. For example, different people may exhibit different propensities to become victims of cybercrime. Equally, there might be significant heterogeneity in adversaries’ behaviour dependent on their motivation.
In order to assess the risk of a cyber attack, traditional risk management tools are usually applied. These tools assess risks as a combination of potential impact (what could the attack achieve?) and likelihood (what is the probability for an attack to take place?). However, these tools fail to take into account behavioural aspects of the problem from both the adversarial side and the victims’ side. Yet, the main issue is that we usually do not have enough behavioural data to calculate historical probabilities of success for various cyber threats/failure of cyber security policies and measures in order to better diagnose, anticipate and even alleviate the risk of attacks.
Unique Experimental Opportunity
One context, which is very hard to work with from the cyber security perspective is learning, understanding, and, subsequently, forecasting risks and risk susceptibility to threats, related to working from home in organisations, where working from home is not a part of the standard culture. Let us, for example, consider large "traditional" banks, where the majority of staff works in company's offices. Considering that very few people have an opportunity to work from home in such organisations under normal circumstances, data on cyber security threats, catalysed by working from home practices, are scarce and noisy. Therefore, many compliance policies are built on assumptions that working from home is, generally, less safe and secure compared to working in the office. But is that really so?
It is highly likely that there is a considerable set of tasks, contexts, and situations, when working from home may offer significant benefits. Yet, at the same time, these tasks, contexts and situations executed or experienced at home are not more risky than those experienced in the office. This may be the case not only for specific tasks, contexts or situations, but also for groups of staff. For example, it might be that for a whole range of teams, working from home is a dominant strategy (considering these teams' cyber risk profiles). As a result, allowing such teams to work from home will create opportunities for people with dependants to have more flexible schedules and, potentially, increase the wellbeing of these employees as they would be less likely to compromise their productivity levels or consider career breaks. While all this might be the case, currently, we do not know this for a fact, as we simply do not have enough data to conduct this type of analysis and make these conclusions.
Yet, the current quarantine measures offer us unique experimental opportunities to measure cyber security risks associated with staff working from home. Not only can we do a meaningful analysis of staff cyber risk attitudes using specific groups of employees, but we can now do comprehensive studies on whether and to what extent attitudes towards cyber risks of all staff change once they start working from home. Such studies will allow us to formulate long-term strategic cyber security plans, as after quarantine measures are relaxed or removed, we will have very rich datasets on cyber threats associated with working from home (such as, e.g., threats, associated with video conferencing, remote connectivity, or phishing). Hence, we will be able to compare and contrast insights obtained from the analysis of these datasets with insights obtained from datasets collected under "business as usual".
In the current uncertain climate, many organisations, where office work is the norm make a decision to freeze on-going research projects looking into human aspects of cyber security. Yet, this represents a missed opportunity as now is the perfect time to investigate how cyber security risks as well as staff cyber risk attitudes are different when they work from home compared to when they work from the office. While there are many reasons driving this decision (including the necessity to cut costs amid the forthcoming economic crisis), if we consider the potential benefits of analysing the current state of the world for formulating the future cyber security strategy, we will find that cutting research budgets now is probably not very wise.