Human-Centric Security: Forcepoint’s Dr. Margaret Cunningham
Most discussions involving enterprise cybersecurity efforts focus on technical controls that protect users, systems and data from attacks and abuse. But often, successful security efforts come down to the human element of security efforts, or the understanding of what people do with the systems they use and why.
To better understand what human-centric security means, we recently spoke with Dr. Margaret Cunningham, principal research scientist for human behavior within Forcepoint’s global government and critical infrastructure group. Her focus in this role is on establishing a human-centric model for improving cybersecurity. Previously, Cunningham supported technology acquisition, research and development, operational testing and evaluation and integration for the U.S. Department of Homeland Security and U.S. Coast Guard.
Here is an edited version of our conversation:
SecurityBoulevard: Thank you for taking the time, Margaret. Can you tell us about your background, and how you came to your current role?
Dr. Margaret Cunningham: I landed at Forcepoint about four years ago. My background is not in security but in applied experimental psychology, which is just measuring human stuff in the wild instead of in a laboratory. Before I came to Forcepoint, I was working a little more closely on physical security and how different types of new technology impact behavior and performance. When I joined Forcepoint, I translated that into asking, “How can we best measure human behavior using technology organizations have?” and if we do that, what sense can we make of it? And when we figure that out, how does that impact security?
It’s been fun, and at the same time, it’s a huge challenge. I mostly just get to work with very smart people all the time, and I love that.
SB: That sounds like a huge challenge. Quantifying user behavior like that at scale must be something one could spend a lifetime on.
Cunningham: It’s funny because it’s not only quantifying behavior at scale but also doing it ethically and doing it with both the interest of the people and the organization at heart. That’s something that I take very seriously. It’s been one of my primary focuses when we think about, ‘What are we looking at? Do we need to? Why? Can we? Sure. Should we? No.’ We have these discussions all of the time because data is running rampant.
SB: How does user behavior affect enterprise security posture?
Cunningham: It’s pretty much everything to me. We have all these products that can show network issues, etc., data leak prevention, firewalls—but we are finding that those tools aren’t giving us the full picture. It’s the human behavioral aspect that provides the context for what we see using traditional tools. Without that context, you can’t necessarily make better decisions on how to stop bad things from happening. In fact, you also might not really understand the root of the bad thing in the first place.
SB: And that lack of insight leaves people open to making all types of bad decisions and running with their own bias.
Cunningham: Yes. I have the luxury of working in a highly interdisciplinary team. We have counterintelligence, normal security folks, threat seekers, psychologists, computer scientists, physicists. It all serves as this beautiful counterpoint to being stuck in those biases. And it’s important, especially in a climate where we’re talking about diversity and inclusion and different types of interdisciplinary teamwork, that it’s not just lip service because it really serves a different purpose that isn’t always highlighted. It helps us de-bias our strategies, it helps us stay creative, and I would say that the complexity of cybersecurity issues means that our response and planning must be highly creative.
SB: This is a book-worthy topic. Setting malicious insiders aside, we see that many people bypass security controls because they’re trying to get their work done, or some people just don’t pay attention to what they’re doing, which increases risk. What are ways, behaviorally, that one can help get an organization to help itself reinforce positive behaviors?
Cunningham: There are two separate things here. We have people who are engaging in workarounds. I tend to refer to them as go-getters. They are going to get their job done, and they’re awesome. They can be your top performers, frankly. They will find a way to email the thing or share the thing, despite all your controls. And for people like that, we must better understand the types of rules people are breaking and whether they’re breaking the rules in a unique way or in a way that is sort of consistent across an organization.
Here’s an example of what I mean. Suppose you notice that 80% of your workforce breaks some rule about using USBs or uploading to cloud services. What that says is that you don’t have a bunch of malicious people who are leaking data: it says that there’s something about your policies or your security strategy that’s making it impossible for them to do their job. And we won’t know that unless we’re using some sort of behavioral analytics that’s global for the organization. In contrast, if you’re noticing that one group, or maybe a couple of people who work closely together, are breaking a weird, strange rule, then that’s much more suspect activity.
That’s one way we can concretely find people who are doing workarounds for positive reasons and people who are just breaking the rules because they’re up to no good. That depends on having a very clear understanding of your organizational policies and a very clear understanding of where all your stuff is and how people are behaving. It’s that intersection of data and people that is critical for the mistake makers. It’s funny. I think I just did a podcast called ‘We’re all the Stupid User Sometimes.’
SB: You are touching on why I get upset when security experts blame the user for being negligent when the failures are more about poorly designed systems.
Cunningham: This makes me bristle. First, I hate the phrase, negligent user. I think that is so dated. It’s as bad as 1980s shoulder pads. We’ve got to get over it. It’s ugly, and it’s driving me batty. And people ask me to chill out about it, and I just can’t. First, I’m not very chill. And they will argue that it’s the acceptable term. And whenever they make that argument, I ask: ‘How’s that working out for you?’
The reality is it’s not working out, so let’s shift the conversation. Really—it’s a finger-pointing issue. And you know what? It doesn’t make people happy to feel that they’re being blamed for something, and that sort of finger-pointing negative connotation that comes along with the word negligent is not going to help. It’s not. But the reverse is—this also means that both security software providers and organizations have to admit and accept that they own part of the responsibility for the outcome of people making mistakes. Frankly, we know people will make mistakes, and we can do a pretty good job of predicting the type of mistakes they’re going to make. So, if we can do that, how can we create a more error-tolerant system to protect against what happens when, inevitably, we make a mistake?
Sure, we’re not going to be able to accommodate everything that people want to do. Otherwise, everything’s gone willy-nilly. But the problem is that the idea of controlling people is a joke. We don’t control people. I can’t even control my dog. We’re not trainable, and we don’t change, for the most part. And if we do change, it’s often temporary. If that’s the situation, when we think about the boundaries that we want people to work within, we have to develop boundaries that allow people to maintain their personal habits.
SB: So, aside from looking for ways to improve the system, are there ways to encourage positive reinforcement? Or are there better approaches to deal with the go-getters or people who just stop paying attention and click on links as they come in?
Cunningham: People are goal-oriented and want to do the right thing, but we don’t know what we’re supposed to be doing when it comes to security. I mean, I might, because I focus on it; you might because it’s your career path, but most people aren’t thinking about whether or not they put the correct label on the footer of their document. They’re just not.
We can try to make our security goals much more visible to the people supporting these goals, who are the employees. One way to do that is to give people the rules and help them understand what they’re supposed to be doing. Suppose that’s a checklist for people with very specific roles, great. That’s a cognitive aid. It makes it so I don’t have to think about it. Those cognitive aids are used widely in all sorts of other industries.
But obviously, nothing is that simple. Even in this world where everybody is distributed, I don’t know why we aren’t more communicative about what we will never do and what we will always do. Like, a company is never going to ask you for your password. Okay, that seems obvious, but it’s not obvious since people seem to be giving their credentials out left and right to different people phishing across every which way: text messages, voice. I mean, it’s pretty wild.
Banks generally do a great job communicating what they won’t do. They make it clear that they will never ask for customers’ account numbers or credentials. But what do customers do if someone does ask? People don’t know. Who do they call? What’s the phone number? If they have to dig the phone number out of some weird organization intranet, chances are they are not going to make that effort.