A human approach to cybersecurity: interview with Isabella Corradini, Italian cyber psychologist

Cybersecurity is often associated with IT engineers. You deal with issues often considered “minor” but, actually, they are at the core of security. Can you please elaborate on your vision of the cybersecurity process?

Cybersecurity is generally considered a matter for experts in IT security. When it comes to dealing with the issue these professionals are certainly needed, as it is important to understand the technical elements in cyber incidents. But there are other aspects often neglected, such as those related to the “human factor”: those factors are not to be considered marginal, since even the experts in cyber security agree that humans are the weakest link in security. In fact, many cyberattacks are successful precisely because they exploit human vulnerabilities. This is where a different set of competences comes into play and a more holistic approach is required to analyse human vulnerabilities. At the end of the day we are talking about behaviours, not computers. Because of my professional background and experience, I always say, “I deal with people rather than machines”. In particular I study the interaction between humans and machines from a behavioural viewpoint in relation to security.

Can you give us some examples?

A lot of people publish personal information on social networks, thinking that, after all, this information is not relevant. But this information can actually be exploited by cybercriminals to achieve their goals. Other examples: the use of the same weak password across several accounts; the never-ending habit of opening phishing emails containing malware. Why is phishing still working? For one simple reason: this technique is based on well-known techniques that leverage human characteristics. We talk about social engineering, that is, being able to convince someone to believe something different from reality, manipulating the users’ perception and encouraging them to take dangerous actions, such as clicking on a malicious link or an attachment or providing useful information, all for the benefit of those who use these strategies. Not just emails can be a problem; there are also social network posts that, disguised as ads, hide malicious code. These posts rely on psychological tactics: when messages are attractive, people can fall into the trap, even just out of curiosity. Phishing emails are just an example of the various forms of social engineering. In fact, it can be applied with different levels of sophistication towards people working within organizations with the purpose of obtaining information for industrial espionage.

You have a long experience working in security, but also in safety and physical security. Is this experience useful to deal with cyber issues?

First of all, I would like to say that I do not really like the word “cyber”: using this prefix cyber we’re being led to believe that there is not a physical dimension, but that’s not right. PCs and smartphones are technical tools, but behind them there is always a human being who can decide to use them in a positive or negative way. And the consequences of their use concern people and organizations.

In any case, my experience has covered many fields and sectors regarding security, I might say at 360 degrees. I started dealing with safety (health and safety in the workplace), then I worked in physical security for banks, and finally in cybersecurity. But there is a common denominator that runs across all those experiences: the study of human behaviour, so as to design tailored training activities to increase awareness of security.

So, how important are technological solutions?

They are fundamental, but they can’t solve the problem as a one-size-fits-all solution. When it comes to cybersecurity we are dealing with a complex scenario and it will be even more so in the future due to the growth of the Internet of Things (IoT) and the Internet of Everything (IoE). That’s why we must work harder to increase awareness in the cyber security sphere. To reach this goal it is important to involve all the citizens in the process: they are (and we are) the people who ultimately use technologies in our daily life. We have just realized that the separation line between private sphere and business has vanished, and another problem is the mixing of private and business information exchanged on the same device. Obviously, the culture of security must be an integral part of an extended and articulated strategy that encompasses, inter alia, the development of public-private partnerships, the sharing of common experiences and capabilities, research and targeted investments.

You used the term “digital hygiene” to talk about security education. Can you explain it?

Yes, I used this expression in an article written in collaboration with Prof. Nardelli for the “People & Tech” section in Key4biz magazine. We suggested the adoption of some “hygiene rules” in the use of the Net and computer tools, in the same way that we use them to prevent disease. Let’s think about handwashing and its extraordinary effects in preventing the spread of diseases: a similar principle can be applied in other contexts, too. So, for example, referring to computer security, if I do not know the origin of a USB stick, why should I put it in my PC? This is precisely the point: a lot of people underestimate the risks and the opportunities used by criminals.

Should cyber security education start early at schools?

Yes, I think so. But it’s necessary to do it in a smart way. If you want to teach people to use information technology properly, first of all they have to understand how it works.

I am working on the Italian project “Programma il Futuro”, realized by MIUR (Ministry of Education, University and Research) in collaboration with CINI (National Interuniversity Consortium for Informatics): the purpose of the program is to spread the knowledge of the scientific basis that rules informatics in a context of play.

This is not a project in the field of security, but the key message is particularly important because it aims at stimulating children to play an active role with technology rather than being passive consumers. This way, they can become more confident within the technological environment and enhance their awareness of the risks we are all exposed to – with different levels of consciousness – in this changing digital society.