Using Computer AI to Correct Human Errors in Security
By Dzof Azmi May 13, 2020
- Users are continually observed, and taught good security behaviour as necessary
- Singapore-based Right-Hand Cybersecurity raised US$1 mil earlier this year
Right-Hand Cybersecurity's recent success at raising US$1 million (RM4.3 million) through seed funding augurs well for the latest attempt to use Artificial Intelligence (AI) to improve IT security. Most current implementations by other companies involve getting the system to monitor network traffic, and then using AI to identify anomalies from a standard baseline. What distinguishes Right-Hand's approach is that it tackles what has long been recognised as the weakest link in securing a computer system: human error.
"Agreed, it is a well-known problem that has plagued our industry for a long time," responded Theo Nasser (pic, right), Right-Hand Cybersecurity CEO, in an email interview with Digital News Asia. "What makes our approach different is that we have implemented a way to more effectively improve company-wide behaviour and actually quantify the reduction of human-induced cyber risks throughout our platform."
Many organisations lack that visibility into user-induced cyber risk, he points out. It’s a serious problem. Approximately 90% of cyber-attacks occur due to cyber-error.
Positive behavioural change, not fear and punishment
In particular, Nasser notes that users are meant to know what secure behaviour is, but whether they practise it is another matter. "We notice a common theme involving long, traditional e-learning videos and on-site training when it comes to user education and awareness," he highlights. "But a major gap exists with this approach; the difference between what users are told about cybersecurity (i.e. not to click on phishing links or enter passwords) and their day-to-day behaviours."
Users are still making daily errors that inflict an immense amount of risk on themselves and their employer.
Right-Hand's solution analyses employee behaviour in real-time, and produces user behaviour analytics to identify poor security practices by the user.
"A risky behaviour can be identified in a variety of ways," said Nasser. "(It includes) something as simple as selecting 'remind me later' when a user's application reminds them to download the latest software version, to something like downloading a weaponised email attachment."
Email and web continue to be the most used attack vectors by cyber criminals, likely due to the amount of time employees utilise these channels on a daily basis. Nasser also believes his system can help mitigate social engineering attacks, such as Business Email Compromises and CEO Fraud.
"Similar to many organizations subscribing to a threat intelligence feed to receive visibility into malicious threat actors that are targeting their organisation from the outside, our platform utilises a similar methodology, but for user risks from the inside."
To educate the user, their system then "nudges" them by using the carrot instead of the stick. "Our approach incorporates psychology and an educational technique called microlearning," Nasser said. Users are presented with short training modules to reinforce correct, secure behaviour. "(We) influence positive behavioural change through user motivations, rather than trying to influence behavioural change through fear and punishment."
A future predicated on constant change
It is still early days for the Singapore-based security firm, and although a million dollars in seed money is not a trivial amount, AI-based security startups like Cylance and Darktrace are now valued in the billions, while eight-year-old security firm Vectra announced a US$100 million (RM432 million) Series E round last June.
Meanwhile, in 2019, IDC projected global spending on security products and services to reach US$151.2 billion in 2023, while Asia Pacific is predicted to reach US$34 billion by 2023.
[RM1 = US$0.23]
The question is whether Right-Hand can be agile enough to rise in reputation and value along with this anticipated growth. Indeed, what the landscape looks like post-Covid-19 is still unclear, but like many others, Right-Hand is doing its small part to help by offering free Cyber Training (http://right-hand.ai/defend-together/).
Whatever the future holds, Nasser is certain that human-induced risk will always be there, in whatever form. "One of the biggest challenges, but also opportunities, in our industry is the ever-evolving threat landscape," said Nasser. "Security companies like ourselves can never remain stagnant."