Article 2 Review

An article review of Hacking Humans? Social Engineering and the Construction of the “Deficient User” in Cybersecurity Discourses

https://journals-sagepub-com.proxy.lib.odu.edu/doi/full/10.1177/0162243921992844

The article I have chosen for my review strongly revolves around the conversation between the knowledgeable and the unknowledgeable as it pertains to technological or scientific literacy, in this instance cybersecurity. Based on the topics covered in class, the article is about human factors, group culture, and victim precipitation. Also, the authors state that social engineering is the leading reason for cyber-attacks and is the catalyst for the widening gap between the experts and the users. The summary of the article can be distilled into redefining the culture, roles, and responsibilities of individual/collective security.

Additionally, while there is no direct statement regarding marginalized groups, the victims of social engineering and attacks were generally “entry level workers.” A logical claim can be made that entry level jobs coincide with lower expertise of a given field, overall education, or socioeconomic status; all of which have been known to disproportionately affect people of marginalized groups.  

The divide between the experts and the users is becoming more pronounced, and the effects of training and education can only address so much. With training and education, the experts have increased their use of technological terms and have left behind the lay person with the expectation that it is up to them to understand the jargon of today’s technological environment. The article calls this a “moral obligation to become scientific literate and lacking such literacy is a moral problem.” Common phrases used by cybersecurity and IT professionals are “People are stupid!” or “People are the problem.” Since the vast majority of attacks are because of human influence, experts have driven the conversation towards the necessity of a more technological solution in order to help mitigate the influence humans have when it comes to security. Too often with attacks, the victims are seen as the problem, but simultaneously they were also charged with the system’s defense. There is an expectation management concern here, as the experts wanted their users to have an equivalent level of expertise. However, the problem then introduced is this: how productive is a person when they are tasked with doing two jobs within a one-job timeframe?

Another issue that was brought up in the article was the blame game. Security needs are dynamic and change when novel methods are discovered. Security is not 100%, nor can it functionally ever be; as such, anyone can fall victim to an attack regardless of their level of experience. Yet when someone does fall victim to an attack, they are called “dumb.” This is not due to a lack of training and education but rather that the hacker was just smarter than the victim. One key component that the article highlighted was that a social engineer, both good and bad, is good at what they do because they know how to use people and technology.

The article’s contributions are focused on the inclusion of those that are deemed “stupid” at the table when it comes to policy making and training tactics. Too often the lay person’s ideas are dismissed because they are not an expert. Shifting the burden of responsibility to the worker must also be addressed. Finally, while the return on investment may not always be financially responsible, it is important to have adequate training and education that a lay person can understand.
