Data Security Breach

Global cyber-attack: not a new problem

Last month, the largest global cyber-attack in history recently infected Windows computers in a network. It utilised a security glitch in the Windows operating system that allowed it to jump from computer to computer on an internal network.

Only this week, yet another ransom attack spread across the world. 

The WannaCry attack was in terms of computing technology, simple and even naive. For example, no sophisticated password-breaking software was used.

But the developers of the malware had a deep understanding of the behavioural biases which are frequently encountered in organisations. In short, the attack succeeded because of simple human fallibilities.

The attackers simply hoped that at least one user on a network would click on a malicious link in an email or download a malicious attachment. The virus could then get to work with minimal sophistication.

But how could this happen? Microsoft had released a system patch for its operating system long before the virus became large-scale operational. The NHS in Britain was notified by Microsoft two months ago about a security patch that could have prevented the spread of the virus within the organisation.

A long-standing reluctance by large organisations to roll out system updates before substantial internal testing was instrumental in the crisis.

In effect, paranoia about system security was the cause of system-wide vulnerability.

This problem is not new. The illusion that elaborate rule-based systems can eliminate systemic risk was prevalent amongst regulators in the run-up to the financial crisis, and still persist even to this day. The apparent security provided by having lots of boxes ticked and the paperwork passed through endless committees before an update could be approved proved to be completely false.

The state of affairs puts into question the complicated security procedures in place within organisations. What is the point of spamming staff with emails forcing them to update their passwords as often as once every two/three months when this large-scale cyber-attack took place without breaking even a single password?

A study published in the Proceedings of the 17th ACM conference on computer and communications security assessed the security advantages of password expiration policies,.

It shows that many users asked to update their passwords use simple mental shortcuts and heuristics on all but the first password. For example, they just change a character to a symbol or number, such as ‘s’ to ‘$’ or ‘A’ to ‘4’,

These shortcuts introduce patterns and biases to the password which makes it much easier to guess your updated password once you have even partial access to the password history. The researchers in this study could break the current password of approximately 41 per cent of the accounts in less than three seconds, if they knew their previous password.

The situation is even more disconcerting. A report by Carnegie Mellon University showed that personal characteristics and traits were correlated with password strengths among CMU students, faculty and staff. Individuals who reported annoyance with university password policies also tend to choose weaker passwords.

The obsession with frequent password updates actually reduces overall system security rather than enhances it.

Instead of trying to design elaborate, fail-safe systems, companies should just reflect a bit more about how humans actually behave.

Rickard Nyman

Image: Data Security Breach by Blogtrepreneur is licensed under CC by 2.0

Share this post



t: +44 020 8878 6333

Alex O’Byrne, Associate at Volterra, is an experienced economic consultant specialising in economic, health and social impact, economic strategy, project appraisal and socio-economic planning matters.

Alex has led the socio-economic and health assessments of some of the most high profile developments across the UK, including Battersea Power Station, Olympia London, London Resort, MSG Sphere and Westfield. He has significant experience inputting to EIAs and s106 discussions as well as drafting economic statements, employment and skills strategies and affordable workspace strategies.

Alex is also experienced at economic appraisal for infrastructure. He was project manager of the economic appraisal for the City Centre to Mangere Light Rail in Auckland. He also led the economic and financial appraisals of the third tranche of the Transport Access Program for Transport for New South Wales, in which Alex developed and employed innovative methodological approaches to better capture benefits for individuals with reduced mobility.

He is interested in the limitations of current appraisal methodologies and ways of improving economic and health analysis to ensure it is accessible to as many people as possible. To this end, Alex recognises the importance of transparent and simple to understand analysis and ensuring all work is supported by a robust narrative.

Alex holds a BSc (Hons) in Economics from the University of Manchester and he was a member of the first cohort of the Mayor’s Infrastructure Young Professionals Panel.


Senior Partner

t: +44 020 8878 6333

Ellie is a partner at Volterra, specialising in the economic impact of developments and proposals, and manages many of the company’s projects on economic impact, regeneration, transport and development.

With thirteen years experience at Volterra delivering high quality projects to clients across the public and private sector, Ellie has expertise in developing methods of estimating economic impact where complex issues exist with regards to deadweight, displacement and additionality.

Ellie has significant experience in estimating the economic impact across all types of property development including residential, leisure, office and mixed use schemes.

Project management of recent high profile schemes include the luxury hotel London Peninsula, Battersea Power Station and the Nova scheme at London Victoria. Ellie has also led studies across the country estimating the economic and regeneration impact of proposed transport investments, including studies on HS2 and Crossrail.

Ellie holds a degree in Mathematics and Economics from the University of Cambridge.