"How User Experience and Behavioural Science Can Guide Smart Cybersecurity"
Human error was responsible for 82 percent of cybersecurity breaches in the last year. For example, the Colonial Pipeline ransomware attack that brought down the largest fuel pipeline in the US and caused shortages resulted from a compromised password and password reuse. JBS, the world's largest meat producer, was hacked because of a Qbot malware infection believed to have spread via a phishing email. Hackers are subverting detection and carrying out social engineering attacks using technology advancements that defenders use to protect users, such as Machine Learning (ML) and Artificial Intelligence (AI). Today's phishing attacks are increasingly targeted and designed to evade traditional email detection methods. Attackers use AI to perform large-scale reconnaissance from social media profiles, replicate trusted contacts' communication styles, and create convincing deepfake audio or video messages for use in ransomware or spear phishing attacks. The three-dimensional environment of the metaverse may also make such social engineering methods more effective. This means that people must be more empowered and informed than ever before in order to identify and respond to new threats. We live in a digital age in which the average person spends six or more hours per day online, has ten connected devices in the home, and has at least 100 online accounts. Therefore, governments, private sector players, and educational institutions must all invest in citizen education. The Estonian government's cyber education model can serve as a reference, with investments in education and training programs made in collaboration with academia and the private sector. In order to empower people to take more responsibility, the government has focused on training all citizens, from informing the elderly about cybersecurity to teaching kindergarten students how to code. In addition, teenagers have been taught how to run security checks on devices belonging to their parents and family members. Private sector organizations should make cyber awareness and training materials available to both customers and non-customers in order to benefit society as a whole. This article continues to discuss the need for a more holistic approach to cybersecurity that considers human behavior.