Treat the whole patient. Public health practitioners have long known that the symptoms a patient presents in the doctor’s office tell only a portion of the story. Overall physical condition, financial resources, mental health, social relationships and a host of other environmental factors can all contribute to the severity of an illness and to the efficacy of medical treatment.
This reality has become even more apparent as we witness the disproportionate impact of the pandemic on vulnerable communities where environmental instability has exacerbated the health crisis and led to tragic outcomes. These outcomes are not solely the result of patient behavior relative to the virus. Rather, they are the result of a complex interplay of variables—some related to the virus and others related to underlying chronic conditions and social inequities. Accordingly, recommendations to reduce the impact of the virus include everything from mask wearing and social distancing (to address the virus) to regular exercise and virtual family events (to address the environmental factors).
Every year, organizations large and small issue annual breach reports to summarize the global state of cybersecurity. One by one, the reports list the presenting “symptoms”—data breaches largely originating from human errors, phishing schemes and social engineering attacks. The 2020 Verizon Data Breach Investigations Report, for example, asserts that 67% of data breaches are the result of “credential theft, errors and social attacks.”1
In response to these reports, cybersecurity professionals offer a range of strategies. In the perennial recommendation to practice good cyberhygiene, users are encouraged to purchase antivirus protection, keep software updated, use multifactor authentication (MFA) and set strong passwords.
While these seemingly basic suggestions are seen as relatively doable under regular circumstances, these are not normal times. The global pandemic has caused a heightened sense of uncertainty about every facet of life. In this reality, we must be keenly aware that:
- Antivirus protection requires money.
- Software updates require trust.
- MFA requires that users understand what it means and how to do it.
- Strong passwords require a good memory or a strategy to safely store them.
Concerns over exposure to COVID-19 have accelerated a mass migration to the virtual space.
Concerns over exposure to COVID-19 have accelerated a mass migration to the virtual space. Citizens across the spectrum of demographic categories are now working, learning, shopping, meeting and socializing online. Much of this activity is happening for the first time—novice users are joining virtual communities, seasoned users are moving from protected work networks into their home environments and a range of users are accessing newly virtual replacements for common activities such as doctor visits. All of it is happening under duress. The pandemic continues to drive an economic crisis, health-related fears, anxiety, confusion and uncertainty. This environmental instability exacerbates cybersecurity vulnerabilities and, if we do not act, may lead to tragic outcomes.
I have long advocated for a holistic approach to cybersecurity—one that considers how technical and human factors combine to shape security posture. Now, and with a greater sense of urgency, I advise cybersecurity professionals to focus on the complex interplay between technical, human and environmental variables that shape user behavior and the “symptoms” they present. In this moment, I am reminded of the Confucius quote, “Wherever you go, there you are.2
Users bring their entire selves online. Yes, practicing good cyberhygiene is important, but the drivers of behaviors counter to these practices (the symptoms we see) are not easily compartmentalized. They are inextricably linked to environmental realities. Today, this reality is a perfect storm—a global pandemic, an economic meltdown and a reckoning over racial injustice. Cybersecurity professionals can help to prevent the addition of a cybersecurity crisis to this list. To do so, we must remember to treat the whole patient.
Diana L. Burley, Ph.D.
Is vice provost for research at American University (AU) (Washington DC, USA), where she is also professor of public administration and policy and professor of IT and analytics. Named one of SC Magazine’s 8 Women in IT Security to Watch in 2017 and a Woman of Influence by the Executive Women’s Forum, she regularly conducts cybersecurity training for executives across Asia, Europe, the Middle East and North America. She is a member of the US National Academies and Science, Engineering and Mathematics Board on Human-Systems Integration and an affiliated researcher with the Johns Hopkins University Applied Physics Laboratory (Baltimore, Maryland, UA). Dr. Burley previously directed the Institute for Information Infrastructure Protection (I3P) at the George Washington University (Washington DC, USA) and led the CyberCorps program for the US federal government.
Endnotes
1 Verizon, 2020 Date Breach Investigations Report, USA, 2020
2 Confucius (trad. 551–479 BCE) was a Chinese philosopher, Stanford Encyclopedia of Philosophy, 31 March 2020