Human behaviour touted as key to plugging security gaps

Cybersecurity proponents are pointing to humans as the key to strengthening overall cybersecurity posture, touting the analysis of behavioural patterns as a way to identify abnormal and malicious intent.
Written by Eileen Yu, Senior Contributing Editor

With more devices coming online and technology changing rapidly, a more effective way of securing data may well be to monitor human behaviour.

Cybersecurity proponents such as Forcepoint and Mastercard are pointing to humans as the key to strengthening overall cybersecurity posture, touting the analysis of behavioural patterns as a way to identify abnormal, and potentially malicious, intent.

As the adoption of the Internet of Things (IoT) took form, it would be increasingly challenging to protect against online threats, said Forcepoint CEO Matthew Moynahan. More and more businesses also were moving to the cloud and becoming more mobile and inter-connected. This meant traditional methods of building walled gardens and firewalls to protect corporate networks no longer made sense.

Technological innovation also was churning at rapid speed, making it difficult to keep up in terms of security, Moynahan said in an interview with ZDNet. "How do you secure a world where there's infinite number of attack points and extreme mobility? It's very difficult, so something has to change," he said.

While basic security hygiene, encompassing antivirus tools and a patching regime amongst others, still was essential, the industry needed to relook at the way security worked in this new world, he noted.

Forcepoint believed the answer was in understanding human beings: figuring out who they were, how they behaved, and what they needed, and did not need, to perform work tasks specific to their role.

This would require analysing more than just a small sample dataset in order to establish more accurate assumptions of behaviour that seemed out of the ordinary. Banks would know, for instance, a US-based customer who had just used his credit card in Singapore might not necessarily be a victim of fraud if they were aware he was scheduled to have a business meeting in the Asian country.

Moynahan added that humans had habits and cadences, visiting certain favourite websites and even typing a certain way. If the various types of information could be associated with a certain individual, organisations then would more likely know his identity had been stolen if hackers used his credentials to carry out activities not normally linked to the compromised individual. "We would know because they would not behave like you," he said.

The industry was moving towards this need to wrap more context around data and how people went about their daily activities, he added, pointing to what Google had done with Maps and Amazon with Prime.

Mastercard, for one, has been looking to enhance its fraud detection capabilities through analysing human interactions.

Its acquisition of NuData would enable the payment company to use behavioural analysis, without disrupting customer experience, to determine the legitimacy of a transaction, said Ed McLaughlin, Mastercard's president of operations and technology. Such enhancements to fraud management were especially critical since more valid transactions today were being declined than fraud prevented, he told ZDNet on the sidelines of Mastercard Innovation Forum 2017 this week.

NuData's flagship offering, NuDetect, assessed users' interactions online and on their mobile devices to distinguish legitimate users from fraudulent ones. It analysed devices, locations, passive biometrics, and behavioural signals to build a digital identity and assign a risk score to an individual consumer or transaction.

According to its website, it was projected to analyse 200 billion online interactions this year.

McLaughlin explained: "NuData specialises in behavioural analysis that incorporates the devices you use and how you use them to increase the certainty that you are indeed you." With the amount of data it analysed, the platform could deliver stronger predictive capabilities that surpassed what deterministic security systems could provide, he noted.

While the latter offered some level of confidence, such as through the use of biometrics and PINs, these still could be breached. In comparison, it would be more challenging to do the same with predictive data since it encompassed all behavioural patterns uniquely associated with that individual, he said.

Forcepoint, too, touted a "human point system" that enabled businesses to analyse interactions between employees and critical data, to understand the "normal rhythm" of user behaviour and flow of data within the organisation. This would help them identify and respond to potential security risks, Moynahan said.

Focusing on human behaviour and intent also would prove more effective as more IoT devices came online, pushing massive amounts of data that companies would find challenging to analyse and filter, he said.

However, while Mastercard heralded a seamlessly automated future where its customers would not even need to ask for the bill after a meal, a recent Worldpay study revealed that some in this region were uneasy about letting devices shop for them without prior consent.

Some 39 percent in Australia were uncomfortable about letting an IoT device pay for purchases without first getting their permission, while 18 percent in China expressed similar concerns. In addition, 55 percent of Singapore respondents wanted the option to approve a purchase before the device was permitted to place the order. Some 50 percent of Australians would want established rules stipulating what IoT devices could buy, and when, while 18 percent rejected the idea of letting these devices do so under any circumstances.

Asked for his comments, McLaughlin said: "People want to be able to take advantage of automation, but at the same time, not feel like they're losing authority. As we move into frictionless commerce and subscription services...we want to provide the option of automation, but never the loss of control."
