Some may remember the popular phrase, “You are the weakest link. Goodbye!” from the game show that debuted twenty years ago. This notion persists within our community, with a tendency to blame humans as the weakest link when justifying security incidents and vulnerabilities. In turn, this often shifts responsibility onto the user and away from the innovation required to craft secure technology for humans.
As Martijn Grooten aptly noted, humans are features, not bugs. Based on this year’s submissions, this notion is gaining traction and has very exciting implications. This year’s submissions were divided between those that continued to focus on identifying a problem—that is, identifying human fallibility as a root cause of security incidents—and those that took that notion as a foundational characteristic and explored solutions that integrate human fallibility.
By switching the script and approaching humans as features, we open up an endless range of new solutions and greater security at the intersection of humans and technology. If this year’s submissions are a leading indicator, we are in a transitional period, with new and exciting approaches that are changing how we think about the human element.
On the one hand, there was a continued emphasis on those core challenges that occur exactly at the intersection of humans and computer interaction. Phishing received significant attention, with the focus largely on its evolution over time, including as a mechanism for delivering ransomware. In fact, there were numerous submissions on the interplay of ransomware and phishing and the massive damage incurred by deploying them.
Similarly, there were numerous submissions on insider threats, with a focus on detection. In some cases, this included the integration of quantitative behavioral analyses for detection, but it was not limited only to insider threats. There was a big jump in data-driven analyses that explore human behavior and its impact on security. Leaning on the behavioral and social sciences, the uptick in the introduction of new data sets and analyses that explore human behavior and security was significant—whether the attackers’ or defenders’ perspective. As we introduce these kinds of new data sets and build upon the learnings from a range of human-focused disciplines, we will better understand how the human element impacts security and customize organizational and technology solutions accordingly, ranging from burnout and mental health to how incentives alter the risk calculus of both defenders and attackers.
Many of these insights could help inform the next major submissions theme: DIY programs. There were numerous submissions offering case studies and lessons learned in building a range of programs or organizational shifts, including SOCs, security culture, cyber ranges and purple teams. Importantly, several of these were geared toward doing more with less, with an emphasis on making accessible programs that largely have been inaccessible to those with fewer resources. This is a welcome trend. It is an effective way to share lessons learned while also fostering greater collaboration by sharing the blueprint so others can replicate their own version of these programs with customization based on their own circumstances.
Finally, usability continued to garner some attention. While there were fewer submissions this year on usability, it is still an optimistic sign that user experience and usability are becoming entrenched within the community. Usable security isn’t quite trending, but it isn’t going away, and we’re excited to continue to include new ideas in usable security in this track.
Over the past year, we have been reminded again and again that the only constant is change. This is especially true for the human element track. We saw great diversity in themes, solutions and speakers, with a common emphasis on solidifying the human element as core to security. This diversity is also driving the human element into impactful new areas while also introducing new ideas and solutions to the most persistent challenges. As we look at the enormous shifts underway—both in the security community and across the globe—we are certain the human element has finally garnered not just a seat at the table but is increasingly viewed as an essential contributor to tackling current and future risks, disruptions and challenges.