Shari Lawrence Pfleeger wrote the book on cyber security – or should we say “books.” The longtime researcher and expert has authored numerous textbooks on everything from software engineering, to the application of metrics in software development, to computer security. The head of research for the Institute for Information Infrastructure Protection (I3P) at Dartmouth College, Pfleeger says that many of the biggest challenges facing organizations in the realm of cyber security are social, and not technological.
In a telephone interview with Threatpost editor Paul Roberts, Pfleeger said that many security problems are rooted in human behavior, whether lax coding or sloppy and insecure user actions. As a consequence, organizations that rely on software would do well to delve into the social sciences to find ways to change the way people act, rather than investing in new technology to shore up a weak foundation. Among the areas Pfleeger says I3P is looking at is the persistence of effect of cyber security training. The world desperately needs improved methods for educating users about cyber security and reinforcing best practices. Once-a-year security training requirements, common at many organizations, don’t seem to do the trick, data suggests.
“It’s much like the way we learn things when we take driver’s ed in high school,” Pfleeger said. “Those courses had significant effects early on. But now, how many people remember things they learned in driver’s ed? And if they remember it, how many apply it in their daily decisions?”
Pfleeger said research suggests that organizations need to take computer security out of the realm of the abstract and put everyday computer security decisions – such as whether to open a suspicious e-mail attachment – in terms that users understand, or in terms of the risk to their organization or community.
“Somehow we need to find the right balance between providing technology and managing users’ expectations about what that technology can do,” Pfleeger told Roberts.
Software development firms and their customers also need to provide incentives for secure development, not just for feature development or on-time delivery.
Listen to the rest of this intriguing interview by clicking on the link above to download the Threatpost podcast.