A trope that has long dominated cybersecurity is the idea that “humans are the weakest link.” While its intellectual origins predate the industry by several decades, if not centuries, for our present purposes we need go back no further than the beginning of this millennium. It seems to have started with Schneier (2000), and continued with Mitnick and Simon (2002). Since then, cybersecurity discourse has been awash with this cliché.
In his book, Schneier (2000) discusses the idea of perfect computer security. Imagine a flawless computer, with strong cryptography and secure protocols. Even though it would be difficult, suppose it is operational. Unfortunately, it isn’t secure, because sooner or later it will have to interact with a user, and “this interaction is the biggest risk of them all. People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems” (Schneier, 2000, p. 149). And while Mitnick and Simon (2002) begins in a different tone, his point is essentially the same. Talking about home security, and how people install locks in order to feel safe, he says no matter what is put in place, the home remains essentially vulnerable, because “the human factor is truly security’s weakest link.” Schneier’s and Mitnicks’ influences are such that this phrase developed significant currency in information security circles, though it was likely an already common trope in physical security discourse.
“The human factor is the weakest link in cybersecurity” has acquired the status of a thought-terminating cliché, and its continued popularity is restraining the intellectual development of this field. It should be retired as an immediate concern.
Mc Mahon, C. (2020). In defence of the human factor. Frontiers in Psychology, 11, 2–5. https://doi.org/10.3389/fpsyg.2020.01390