
Empathy: The Next Killer App for Cybersecurity?

The toughest security problems involve people not technology. Here's how to motivate your frontline employees all the way from the service desk to the corner office.

Empathy is not often associated with cybersecurity. Former Facebook chief security officer Alex Stamos made reference to this idea during his 2017 Black Hat conference keynote, noting that "we have a real inability to put ourselves in the shoes of the people we are trying to protect," and encouraging security professionals to "have empathy for the people that use the technologies we build."

Unfortunately, as Stamos astutely noted, both security and software professionals tend to approach problem solving with an eye toward problems that are glamorous, complex, or sexy rather than ones that are most common or affect the largest number of users.

In reality, those with the most direct exposure to serious cybersecurity challenges are also the least prepared to handle them. Think of the frontline employees who are bombarded with phishing attacks, software updates, and deadlines around the work they're trying to accomplish. Or consider organizational executive leadership and boards, who often struggle to understand the mechanics and potential impact of today's cyber-risks.

Cybersecurity practitioners should heed Stamos' advice and work hard to empathize with "the people that use the technologies we build." Technology, ultimately, should serve those who use it and empower them to achieve more than they otherwise could. Empathic approaches to technology, people, and organizational processes are critical in building operations that are both secure and sustainable. Below are three specific examples where applying empathy can enhance security.

Third-Party Risk
In recent years, third-party risk has become a pressing concern. Whether it is the torrid tale of Target's HVAC vendor or the NY Department of Financial Services Cybersecurity Requirements, third-party risk is under the microscope like never before. Empathy goes a long way toward giving security teams a deeper understanding of third-party risk, because that risk hinges not only on the security posture of the third party but also on the nature of the relationship with the external firm and the service it provides. It is important for cyber professionals to remember that every third-party engagement is chosen for a business reason, which must also be accounted for in the overall risk analysis.

For example, beyond the standard approach of asking what organizational data the third party holds, we must understand how critical these resources are to business operations. Does your organization have a plan to replace their functionality on short notice? What other elements of the relationship are at play (such as strategic partnerships, regulatory drivers, etc.)?

An approach that is exclusively technology-focused will almost certainly miss important elements that must be accounted for. Empathy helps round out the risk assessment and allows a more holistic, risk-based decision to be made.

Phishing and Social Engineering Attacks
Business email compromise (the term for fraudulent emails designed to get corporate financial custodians to send money to bad actors under the guise of helping the CEO) is fundamentally an empathy issue. Attackers are leveraging psychological and organizational weaknesses to the tune of about $12.5 billion in profit. Adding empathy helps solve this security challenge in two specific ways, one involving policy and one involving process:

An open-door policy from executive leadership encourages employees to approach executives directly any time something doesn't feel right, or they want to check on the legitimacy of a request. This policy has the added benefit of generating interaction between leaders and engaged and aware employees.

A business process requiring confirmation with the CFO, either in person or via a direct-dialed voice call, for any transaction over a certain threshold should also be encouraged. Instead of trying to respond as fast as possible for fear of looking inattentive, employees are motivated by this practice to double-check such a request in a way that is difficult to spoof.

Penetration Testing
Penetration testing stands out as an example where technology solutions can be immensely enhanced by empathy. There are many software tools and platforms that perform automated scans, one-click exploits or other similar functionality. Indeed, utilizing a pre-configured penetration testing tool like Burp or Nessus is table stakes in 2018, and most organizations should already be performing this level of self-analysis.

A human-centered approach to this problem looks more like BugCrowd or HackerOne. According to a recent report from HackerOne, the humans powering their platform discovered and reported over 72,000 vulnerabilities (as of May 2018), with more than 27,000 of those discovered and resolved within the last year alone. While there's no doubt that these hackers are using technology tools to help them find vulnerabilities, it is the human element that creates effective penetration testing practices at scale.

Ultimately, the next "killer app" for cybersecurity won't be a matter of doing more, faster. Instead, we must empower humans to make better decisions — including those at the front desk all the way up to those in the corner office. The most effective thing we can do as security professionals is double down on the human element and develop empathetic solutions to these fundamentally human problems.


Shay Colson, CISSP, senior manager, CyberClarity360, joined Duff & Phelps from the US Department of the Treasury to lead the assessment team for CyberClarity360. He has over a decade of experience in cybersecurity and information assurance, with a focus on designing and ...
User Rank: Author
2/7/2019 | 8:58:37 AM
Empathy is important, but...
Interesting read, Shay, but I'd like to offer a bit of a contrarian point of view. You summarized by writing "Ultimately, the next "killer app" for cybersecurity won't be a matter of doing more, faster. Instead, we must empower humans to make better decisions — including those at the front desk all the way up to those in the corner office."
I submit to you that training and educating users so that they always make the right decision borders on utopia. It sounds like a "checklist security strategy" and we all know how well that works. It's enough, for example, that one URL slips through the mental process, and WHAM...

I would offer that the concept should be not empowering humans here, but rather eliminating them from the equation. In other words, isolating users from the risk vectors entirely if possible, rather than warning them about them.

An example: complete Remote Browser Isolation, rather than training users on how to identify malicious sites/links/phishing attempts etc.

Makes sense?
User Rank: Author
11/16/2018 | 4:04:52 PM
Re: Interesting article on Empathy
Todd -

Great questions and discussion here. Thanks for reading and for continuing to engage.

I think you set up some potential answers in your own response here - it comes back to human-to-human engagement. To your point on why insider threats manifest, those are all things that can be overcome by businesses through human connection. If people need validation, recognition, or respect, that's something that leadership can either actively provide or decide that the employee doesn't fit and take a different direction.

If the needs are external (financial, family issues, etc.), employers can go a long way towards making meaningful accommodations in that space as well. It's unlikely that they can resolve them entirely, but a little empathy here goes a long way.

Finally, to your first point about the front-line, heads-down workers who either don't see security as their responsibility or who don't feel empowered to act, that's exactly the point of the article. Companies that encourage a culture of risk ownership, high engagement, and low levels of fear about making a mistake or speaking up will be able to scale the value of their human resources much more than those that can't. I would offer that in an organization where a junior accounting person feels they can't raise an issue when something doesn't look right (or after they've clicked and realized it wasn't right), the fault rests on the leadership and their culture rather than the employee or their cybersecurity training.

Business is a team sport, and if we can't get everyone on the team to play together, there's no way that we're going to make any progress.


User Rank: Ninja
11/15/2018 | 12:45:50 PM
Interesting article on Empathy
→ it is the human element that creates effective penetration testing practices at scale.

I am just curious, how do you go about improving the human element when employees don't really seem to get or understand cybersecurity. They think if they keep their head down and remain quiet, then they won't draw any attention to themselves.

I will give you an example: if someone is working with their head down and they are in accounting. They click on a link and the link says that they owe money to a vendor. The email came from the vendor but it was a phishing attack (the person's email account list was exposed to the hacker) where the PDF and link to update the banking information caused the person from accounting to act. Now this person has been trained for over 20 yrs in the area of security by this organization but thought this was a valid transaction. The amount of money from a realistic perspective may not have been a lot, but this still happened.

To a trained engineer, they would have caught the misspelling of the name, the DNS name not being correct, or the address and PDF information being somewhat off.

But to the regular Joe, this seemed reasonable. I am not sure if we can totally protect against this type of attack. I do agree there are certain things we need to do in order to mitigate the attacks, but within a group of people that could range from 1K - 1M in number, with different skill sets, I am not sure how you can defend against this type of attack. There needs to be some sort of AI/ML (machine learning) integration that assists the user in making the right decision, because hacks continue to take place every day even with controls and policies in place.

There is another discussion that could piggyback off of this discussion: the gap b/t the "haves" and "have nots". At the end of the day, people steal for three reasons: political, economic, and/or respect (just to show that they could do it). What we need to focus on is the psychological aspects of our society. There is an intrinsic problem with the way we think, because everyone has a breaking point and if pushed hard enough, every person will go down that path. Remember, for some people, it may not be about money; it could be that they need a specific drug for a parent or loved one, a child is suffering, or a child does not get into the school of choice.

Just remember, our society is delicate, and if it is swayed one way or the other it could cause a catastrophic wave that affects everyone. The deep problem is not the hack; it is the way we think and how we think that needs to change.
