Human unawareness of cyber-related risks – for example, clicking on a link that should not be clicked and thereby potentially installing malware on a personal or company computer – is still one of the main attack vectors that criminals use in cyber-related attacks. A research group from the TalTech Centre for Digital Forensics and Cyber Security, together with CybExer Technologies, is investigating methods that could help to improve the situation.
Olaf Manuel Maennel, Professor for Cyber Security at TalTech, said that the topic is important because these problems appear often. “The newspapers are full of these stories basically every day. If the main vector is through ‘attacking the human’, could a better education, a better ‘cyber hygiene’ help?” he asked.
Maennel added an analogy with personal hygiene: “Humankind has also established norms and cultures (e.g. we wash our hands before eating). Don’t we need something similar for cyber space (e.g. don’t plug a USB stick that you found on the street into your computer)?”
Different Risks for Different Audiences
So far, the project has called for a thorough literature review. Maennel said this is now complete and that the group has gained a solid understanding of the various approaches and tools and has written a paper[1] on a definition of cyber hygiene. “Interestingly, cyber hygiene is being used in somewhat contradictory meanings by various authors, so we proposed a unifying definition”, he mentioned.
They have also taken a more practical approach and advised CybExer, a local Estonian company that offers cyber-hygiene-related courses, about the research, recommending several ideas for the company to consider in its products, such as the use of micro-learning or how to analyse feedback.
“Cyber hygiene training does not have a simple solution to fit all situations. Different target audiences have different risks and need to be aware of different levels of cyber hygiene”, he explained, “so targeted training (e.g. based on micro-learning techniques), adaptive learning methods, and cultural aspects need to be taken into account when developing specific training solutions.”
As an example, he said that warning people not to open dangerous documents may result in company employees no longer opening any documents at all, not even the legitimate ones, which can have a negative impact on productivity. “So, a fine balance of understanding, education and culture needs to be created”, he noted.
Shared Information Helps More People
There are still plenty of challenges ahead. For example, in ECSO WG 5[2], Maennel and his colleagues consider cyber ranges, awareness and education and professional training providers in their work.
Maennel expressed hope that publishing the results of the research will enable others to improve their cyber-hygiene-related products and efforts. “For example, companies such as CybExer might incorporate recommendations from our research or within ECSO to improve their products and training and thus in turn will lead to higher quality training that could impact millions of people and therefore may make cyberspace a safer place”, he concluded.
[1] The paper was published and presented at the NordSec conference in Oslo on 30th November 2018. The proceedings are available online: https://securitylab.no/nordsec18/proceedings.html
[2] Maennel is also working jointly with the European Cyber Security Organisation (ECSO), where he co-chairs working group 5.2 on Education & training. For example, they have identified and published a white paper on “Gaps in European Cyber Education and Professional Training”. This working group is also interested in cyber-awareness-related questions and issues at a European level.
Written by Marii Kangur, Estonian Public Broadcasting radionews reporter
This article was funded by the European Regional Development Fund through the Estonian Research Council.