Dr. Arun Vishwanath on the People Problem of Cyber Security
Dr. Arun Vishwanath is a leading expert on the "people problem" of cyber security.

His research focuses on why people fall prey to social engineering attacks and on ways we can harness this understanding to improve organizational and national resilience to cyberattacks and secure cyberspace. In addition to studying the weakest link in enterprise security (users), Dr. Vishwanath also studies how various groups (criminal syndicates, terrorist networks, hacktivists) use cyberspace to commit crime, spread misinformation, recruit operatives, and radicalize others.
Dr. Vishwanath is an alumnus of the Berkman Klein Center at Harvard University and also serves on a distinguished expert panel for the NSA's Science of Security & Privacy directorate. His research has been widely cited and has been featured on CNN, The Washington Post, Wired, USA Today, Politico, and other national and international news outlets. He is a sought-after speaker and has presented his work in leading national and international forums to the principals of national security and law enforcement agencies around the world.
Many of his original ideas have led to new products, processes, and policies.
For instance, starting in December 2014, in CNN and other outlets, Dr. Vishwanath called for the creation of a 911-type system for reporting cyber breaches. Today, organizations in the US and abroad are working to build such systems.
In February 2015, in another CNN opinion piece, he called for a 5-star rating system for new apps and technologies, similar to the 5-star rating system we use to test the crash protections of new cars. In 2019, Consumer Reports launched a system to do exactly this.
In November 2017, he called for an open-source breach reporting portal, where breach information would be stored and disseminated so that people and companies would know what information about them had been compromised. In 2018, Mozilla Corp. introduced Firefox Monitor, which is built to do this.
In January 2018, he wrote about how AI would detrimentally affect the American middle class, displacing truck drivers, retail workers, and even local news reporters, almost two years before presidential candidate Andrew Yang made it his campaign's central issue.
He presently serves as the CTO of Avant Research Group (ARG), a cyber security research and advisory firm based in Buffalo, New York, and also works as a Technologist, writing in the public interest to bring attention to cyber security problems and providing solutions to them.
What is the “people problem” of cybersecurity? What can we do about it?
The "people problem" is a phrase I heard on many different occasions when I met with IT managers (CISOs, CSOs, CIOs), many in leading research labs, national security establishments, and such. It's a term that some of them used to describe their frustrations with users who keep doing things on their computers they shouldn't, things that make the enterprise vulnerable to cyber-attacks. While the frustration is valid, its source isn't the user: it is actually IT's limited understanding of users.
Most in IT are recruited from engineering programs where there is little training on understanding the users’ motivations and cognitions. So, IT policies and practices end up getting in the way of many users’ work, and they find workarounds or do things because they have to get the job done. Then, they end up causing problems with data security, and the phrase, which began as a description, becomes prophetic.
Solving this problem requires IT to change its approach to users. This means understanding users and then developing solutions around them. We saw this in the 1970s when organizations that used to treat their employees as personnel changed their view of employees and began treating them as resources. It’s when organizational personnel departments became human resource departments. This wasn’t a trivial thing and, in many ways, led to an enormous increase in innovation and productivity that made the American workforce one of the most efficient in the world.
We also need to change our mindset about users. We need IT departments to stop thinking of people as users and computer operators and instead think of them as "computing resourcers," a source of potential innovation who use computing technology to achieve it.
Do you find most data breaches are a result of human error or because of software security gaps and other factors?
We have largely figured out how to find security gaps in software and hardware. It is human error, forced and unforced, that remains hardest. It is this gap that is exploited by hackers and criminal elements when they steal data. Unforced errors come from baseline human thoughts, patterns, and behaviors, from not doing things right (such as not applying patches) to not knowing to do the right things (such as not knowing how to enable 2FA), to outright ignoring what is right. These are exploited by social engineers through spear phishing, text and phone spoofing, and pretexting. This causes forced errors. Almost every major breach in recent years can be traced to some combination of such errors.
Can you share an example of a security weakness at a company you were able to help identify and the steps taken to resolve the issue?
I have helped numerous organizations understand who is at risk using a cyber risk assessment approach I have developed. It's a quantification approach that provides a cyber risk score, what I call a Cyber Risk Index (CRI). Think of it like a financial credit score for user cyber risk. I have used my approach to help organizations pinpoint the weakest links among their users, how much of a risk they are, and, more importantly, identify and explain why they are at risk. This helps build defenses around users' needs instead of what we are presently doing, which is to train everyone or prevent them all from doing something. I have helped organizations assess their users' risk, track the CRI of their users, evaluate how well their training approaches work, and, best of all, save on their cyber security costs by training only those who need it and in the ways they need it.
When asked to evaluate a company’s IT security framework, what do you look at first? Why?
To be honest, I spend a good amount of time talking to the IT teams in the organization to understand their governance models. I look to see who is running the IT security department and their backgrounds. It tells you about their world view, as in how they see the role of IT, their own role, and that of the users in the organization. Next, I look to see how they approach their organization's and their users' security. In general, whenever I conduct a user risk assessment using my Cyber Risk Index method, I also evaluate the IT departments in the organization. It is always interesting to gauge how ready the IT team members are against cyber-attacks themselves. Most tend to think of IT security as something they are protected against, and are often surprised to learn their own risk scores and vulnerability levels.
What recommendations do you have for businesses to help protect against cybersecurity-related risks?
There are many, but among the most pivotal is to develop policies that are aligned with their biggest assets: their users. This is a far more important point than people recognize. While in all other facets of organizations we recognize that people are resources, in IT and cyber security we often see them as challenges.
Begin by assessing the cyber risk among your users. This is more than just blindly training or implementing technological security measures. Understand who is at risk, how, and why. Then go about developing programs, policies, practices, and perimeters around them. This is the only way to achieve cyber resilience. Finally, and perhaps most importantly, inform your users about their cyber risk, because it helps build accountability and spur individual responsibility.
Tell us about your path from starting as a professor in Buffalo, New York, to becoming a world-renowned technologist?
I was a tenured professor at the University at Buffalo (also called State University of New York at Buffalo) for close to two decades. My research identifying user issues in cyber security was already cutting-edge and led to engagements with a range of Silicon Valley companies and national security agencies around the world. But in 2016, defamatory allegations were brought against me by a faculty member and graduate student. After an arbitration, I was cleared of any wrongdoing, completely exonerated, and fully reinstated.
Upon the advice of counsel, I decided to sue the University at Buffalo and the individuals involved. Around this time, I also became Faculty Associate at Harvard University and this made me think about how I could make a bigger difference in the world of cyber security by influencing policy makers and security professionals. This led to serving as a technologist in the public interest and focusing on solving pressing problems in cyber security, rather than just pointing them out—which further enhanced the quality, value, and applicability of my work.