It’s prediction season again, and I bet the majority of those predictions leave out a core consideration in cybersecurity—the Human Element. This past year, I had the privilege of participating in the RSAC Program Committee for the Human Element track. It was great to see a wide range of submission topics as well as some growing maturity when it comes to integrating the often-overlooked human dimension in our industry. I’m excited to share the dominant trends as they pertain to this track and highlight what I believe to be an evolution toward approaching cybersecurity through a socio-technical lens.
So Last Year…
For so long, cybersecurity has leaned upon the ‘users are the weakest link’ trope, which in turn has limited security-related advances in human-computer interaction. However, as Martijn Grooten has concisely summarized, humans are features, not bugs. Based on the range of submissions this year, this notion is gaining traction, with the human element moving beyond a buzzword and gaining greater research maturity. There is less and less need to justify why the human element matters. Instead, we are progressing into research areas with significant societal impact—a welcome change. As this year’s submissions illustrate, this shift opens up a range of exciting, applied research areas.
2020 Dominant Trends
Industry introspection: Burnout was a popular topic as many considered its long-term effects on the security workforce. It is a concern that has been gaining traction for several years, but the increase in screen time and a never-off workday that many encountered with the move to a distributed workforce has elevated these concerns. Given the rise in burnout across industries, it will be important to identify those factors that are unique to security and distinct from those that are more ubiquitous.
Organizational and communication challenges that impact security: These range from communications as a core component of incident response to CISO/Human Resources collaboration for crafting security cultures. In fact, there was a range of submissions focused on building security culture, with a focus on the people and processes, and how they use technology.
Information manipulation and its impact: As in previous years, the latest phishing attempts and examples contributed significantly to these submissions. This is to be expected given the scope of the ongoing challenge. However, there were also several submissions on disinformation campaigns and their security impact. On the one hand, this is not surprising given the widespread impact of these campaigns from many of the same threat actors. On the other hand, when I gave a talk in 2017 on the integration of cyberattacks and disinformation, there was a debate among audience members whether disinformation was something the cybersecurity community should address. This fortunately seems to be resolved, as our community can and should play a significant role in addressing this enormous societal challenge.
On the Cusp: Emerging Trends
Looking ahead, there are a few additional themes that are gaining traction and perhaps portend growing themes in 2021. While these topics were not addressed as frequently as those mentioned above, they merit attention and may be a harbinger of growing research areas in 2021. Specifically, these areas focus on human-computer interaction and viewing cybersecurity through a socio-technical lens.
Usability, user adoption and user experience: The perpetual frustration with passwords is only one of many areas where the growth of usability research is having an impact. Whether it’s making advanced analytics more accessible or creating security by design that does not overly burden users, this is an area to keep an eye on in 2021.
Acknowledging threat model pitfalls: There is a growing acknowledgement that for too many, their threat model includes acquaintances, colleagues or intimate partners. With so many exploit kits and malware openly available, several submissions addressed the growing risk of abuse and misuse targeting individuals or groups. From stalkerware, to malware campaigns targeting specific communities, to online harassment, there unfortunately is no shortage of areas where additional cybersecurity research and analysis can have a significant impact.
Shift from anecdotal to more scientific, rigorous and data-driven analyses: While the firsthand, personal experiences are compelling and help raise awareness, it’s exciting to see a wave of survey, comparative and quantitative research submissions focused on a broad range of cybersecurity topics. These evidence-based analyses—from a range of disciplines—have the potential to offer novel insights and approaches to the ever-growing range of cybersecurity challenges.
As we kick off 2021, I am optimistic that the Human Element has moved beyond a buzzword and toward applied and operational solutions. We are just scratching the surface on how impactful this research can be for cybersecurity and for society. Based on the themes from this year’s submissions, there is both growing interest and a broader impact when framing cybersecurity strategies and policies through a socio-technical lens. I look forward to following these research areas, and how individuals and organizations can apply their insights for greater resiliency and security into the year ahead.