I’ve recently started a cybersecurity course in university and got very engaged by an assignment where I was to make a list on how to reduce the human factor when dealing with cyber security, and wrote these thoughts.

I’d like to delve deeper into an idea within cybersecurity professionals that “a chain is only as strong as its weakest link” that often is pointingat the end-users as that weakest link (1). After the article “In Defence of the Human Factor“ (2), and following the latest discourse in the cybersec community, I’d like to challenge the idea of end-users being the weakest link.

Granted, end-users can be considered the weakest link when they intentionally share their passwords, leave the door open for outsiders to enter the premises, or act negligently in regards of (cyber) security. But there are also cases where the end users are exploited for other reasons than negligence:

  • The technology may be fit for purpose, but it’s not secure by design. One example is exploiting the functionality in HTML links by presenting one thing visually and the actual link pointing to another destination.
  • I’d argue that passwords, which is still a very common authentication method, is not very human friends nor particularly secure method for authentication. Yet it is abundant as an authentication method.
  • Sometimes an end user may do everything correctly, but still contributes to a breach because of there is a serious vulnerability in the software that s/he uses, or because of a bad configuration when setting up the software.

Even though humans are lazy by design and want to put as little effort than what is necessarily to get the job done, I’d argue that it is shifting the blame to “someone else” does not instill ownership of the issues at hand - which is that technology is often not resilient or robust enough. Also, lets not forget the principle of defence in depth, which purpose is to create several protective layers in case one fails. In the case of end users clicking phishing links, rather than all hell breaking loose, it should have been prevented by scanning incoming emails, scanning outgoing links, protecting documents with sensitive information through more sophisticated means or monitoring end-points for unusual patterns.

Talking about end-users as the “weakest link” does nothing but alienate the people we want on our side in this battle, and more seriously, might do more harm in good when there is a lot of vulnerabilities (and hasty) implementations of IT-solutions. The problem is not the end users, but perhaps that the organisational work culture doesn’t value security high enough, and that our fundamental technologies lacks security in their design and often has it patched on as a afterthought.