Cyber security debate shifts from technology to psychology
The kids aren't all right, says speaker at Westminster Cyber eForum
This week's Westminster UK Cyber Security Strategy eForum had a running theme of challenging the industry to tackle the so-called "human behaviour" element of cyber security, and included a pointed critique of "Generation Y" as the primary offenders.
In a debate on the need to understand the psychology of users, chairman and founder of security and compliance firm The Security Company, Martin Smith, argued that the more technology-savvy members of Generation Y are the worst offenders when it comes to failing to recognise security risks on the internet. Smith said that his generation needed to focus on better educating its children about the risks.
"You [Generation Y] behave differently. You have different values, and therefore we have to control you," said Smith. "Educate you, manage you differently. And we haven't moved on to accept that.
"I am Generation X. I am ignorant of computers," Smith added. "But you guys, the younger ones, you are digital natives. It is your first language. For me, for the rest of us in this room, computing is always going to be a second language, and therefore we're always going to be looking to you guys.
"You're different to us," Smith continued, "You thrive on immediate feedback. We don't. You're very idealistic. My kids are. You're confident in your ability to succeed. Much more than my generation. You're not willing to sacrifice as much for your job as baby boomers, and if you don't feel that your work is in line with your values, you don't succeed; you don't try."
Smith concluded that, due to these apparent differences in outlook, Generation X had "lost control" of the internet, and had to encourage Generation Y to wake up to the danger it faces online.
"We have to bring you with us. You also need to realise the risks, and the fact that the internet is such a playground for you, but it exposes you to so many long-term risks. There is no hiding place on the internet."
Other speakers, while recognising the importance of the behavioural side of cyber security, were less clear on how to move the debate forward.
"I'm always a bit of a sceptic about the human behaviour and education angle on cyber security," said technical director of BAE Systems Detica, Henry Harrison.
"I can give an example of an organisation that will remain nameless, which had a programme of internal awareness about cyber security, which included three waves of phishing tests [throughout the training process]. The difference in percentage of people who clicked on these links was exactly zero; it had absolutely no effect on anybody.
"I think the reality is that it's too difficult to understand what the risks are," Harrison continued. "The fact is that professionals don't understand what the risks are, and until our IT systems, that we expect people to use, help them to understand the risk environments in which they're working, it's going to be impossible."
Head of information security for Network Rail, Peter Gibbons, suggested that generations to come would already be so familiar with the internet they will instinctively "see the difference between a secure and insecure place on the internet".
Ex-head of GCHQ London, John Bassett, provided a conclusion of sorts on a day that seemed more about agreeing the nature of concerns than hitting on answers:
"We're quite good at technical solutions," said Bassett. "But understanding the human behavioural piece of cyberspace we have much less to report back. It's all about people, really.
"And we're trying to do something about getting together academics in social sciences, computer science of course, and behavioural science in Oxford next month, locking them in a room, and not letting them out until they can talk to each other."