The Praxis Blog - where theory meets praxis

Advancing Technology, Static Practices: The Cybersecurity Dilemma

Written by Thea Mannix | Jan 23, 2024 3:46:33 PM

I recently found myself having a discussion concerning one of the most common and basic examples of humans creating security risks, namely the types of applications that people tend to seek unsecure alternatives for. Organizations face a critical challenge when employees, seeking simplicity, opt for unvetted applications. This compromises security, leaving sensitive data exposed to potential breaches
My answer to the question of “worst customer” when it comes to applications is, without hesitation, PDF readers. The response that I often hear when I say this includes the following sentiments:

“That used to be the case but now PDF readers are installed as standard”

“Word can open PDFs now”. 

“People do not need to go looking for shadow alternatives anymore”.

Imagine my excitement to happen upon such a beautiful example of tech biased lenses informing human factors. Yes, PDF readers are installed as standard for the majority,  and are starting to resemble the “standardized expected” tool rather than the “expensive extra” tool. That being said, the PDF reader's former role as an expensive extra still leaves a lasting security legacy among users.

This has resulted in key features across different applications being far from standardized. Working on documents using multiple PDF readers across collaborators is a frustration I myself have experienced many times as an academic - comments in the wrong places, missing contributions across applications, edits not translating. Eventually, someone in the room advocates for their application and encourages others to use the same.

As a neuroscientist, I can tell you confidently of two things that your brain would rather not do that make this issue so pervasive: learn a new skill for no apparent reason (when my old skill is good enough), and task switching (switching how you use tools across a task, or changing task). This is not because we are stupid, it is because we are efficient. These tasks take large amounts of energy, and we have a biological imperative to conserve it. We are designed like this on purpose, a system developed over many years to become the evolutionary marvel that is your brain. To say that PDF readers are no longer an issue because the technological paywalls are now down is ignoring the human side of cybersecurity, which as we now know, is at least partially responsible for 95% of all security incidents (WEF Global Risk Report, 2022).

What can I do about shadow IT at my organization?

While it is my bet that PDF readers are the worst offenders generally, the fact is that unless you have asked employees, you don't know what people hate to use. To address this, I recommend a simple yet effective approach for cybersecurity professionals: survey employees on their application preferences. 

By asking them to rank commonly used applications on a 'likeability scale,' organizations can identify the least favored tools. These are the applications most likely to be substituted with unsecure alternatives - people do not seek alternatives for things they like to use. Understanding employee preferences can guide better security protocols and application choices, ultimately enhancing the organization's overall cybersecurity posture.

If you are in need of more recommendations to help improve your cybersecurity posture based on your organization's data, contact Praxis Security Labs today!

_____

An accomplished researcher and neuroscientist, Thea Mannix, PhD, is the Director of Research at Praxis Security Lab, where she uses her knowledge of neurobiology and social science to help further understanding of human factors in cyber security. Given the invaluable human-centered perspective that Thea brings to the industry, Thea is a popular speaker and is often requested to give presentations on cyberpsychology. 

You can request Thea Mannix (or the other Praxis Security Labs subject matter experts) to give a presentation to your organization or as a speaker at your next event by reaching out with our contact request page