IP Security For Broadcasters: Part 1 - Psychology Of Security

As engineers and technologists, it’s easy to become bogged down in the technical solutions that maintain high levels of computer security, but the first port of call in designing any secure system should be to consider the user and their interaction.


All 12 articles in this series are available in our free 82 page eBook ‘IP Security For Broadcasters’ – download it HERE.

Articles in this series:


To truly understand the vulnerabilities encapsulating computer security, we must consider the motivations of one very specific group: users. Users are often considered insecure by IT security departments, and consequently they are subjected to some rather draconian measures to “make them secure”. However, cybercriminals do understand how users think and no matter how secure a system, they use their knowledge of human psychology to gain the upper hand.

Phishing emails are well documented and understood by IT professionals. Attackers send very convincing emails to unsuspecting users asking them to click on a seemingly inconspicuous link. From there details such as passwords and user IDs are easily within the grasp of the cybercriminals, and the rest is history. If the user procrastinates then the attackers use time pressure techniques to cajole them into making impromptu decisions to further the attackers’ cause.

Draconian Password Policies
Another example of vulnerability is a direct consequence of the password policy of the company. This may include forcing the user to provide complex passwords containing obscure characters, a mix of capitals and numbers, or just generally difficult to remember strings of characters.

Forcing reset policies on users certainly achieves the goal of keeping passwords new, but this usually causes users a great deal of stress, especially if they’re working in a highly pressured broadcast environment with only minutes before a live program is broadcast.

Although active password management looks like an ideal technical solution, it’s far from a practical operation for users. Given a complex password that changes frequently, what does the user do? They write down their password! A password that is technically complex and mathematically un-hackable, suddenly becomes a vulnerability. And the more passwords and IDs a user requires, the more they write down and the more vulnerable the system becomes, especially if they’re not used very often.

Ease Of Use Paradox
It’s clear that a contradiction occurs with computer security. A system that is easy to use is invariably insecure, and a system that is very secure is difficult to use. Unfortunately, users demand easy-to-use systems, especially in times when stress levels are high.

Another complication is the user’s own perception of their threat to the company based on their understanding of the value of the data they have access to. A user who has access only to email will probably not understand the dangers they could place the company in if they clicked on a phishing email or were to inadvertently share their login credentials. An attacker may even access their emails to find other admin-type users to help them form another part of the puzzle, and the user wouldn’t even know they had been looking at their emails.

Adhering to company policies may seem straightforward in itself. The bullet points are quite clear, and the board has signed-off the hundred-page document IT has spent weeks, if not months designing. The directive makes perfect logical sense and provides the highest theoretical security standards possible. However, for users to embrace the security directive they must understand the threats that are posed and the part they play in negating them. Just providing a list of instructions, without context, is unlikely to encourage full user engagement.

User Context And Responsibility
In part, one solution is to promote understanding through training. Telling somebody not to click on a link in an email or telling them not to write their password on a post-it-note and leave it under their computer keyboard may make perfect logical sense, but from the view of the user, the instruction may seem relatively trivial and irrelevant.

The fundamental challenge we have is that most people cannot think like cybercriminals, mainly, because they are not criminals and do not have a criminal mindset. Why, for example, would you cover the credit card pay machine when entering your pin number in a restaurant? Not necessarily because somebody sat behind you could be craning their neck to see your pin number, but instead, what about the HD security camera in the ceiling? How do you know there isn’t an unscrupulous employee watching in the back room and writing down your pin number? Or how do you know somebody hasn’t hacked the WiFi and is viewing the camera from the comfort of their car outside?

Social media is playing an increasingly important role in the lives of many people. We share all kinds of information about our families and friends that we would probably never do in any other surrounding. Also, the lines between home and work life are being blurred, at least in a social media sense, leading to the opportunity for a cybercriminal to profile users and gain information that wouldn’t otherwise be available. Not only can this be used to hack into home accounts, but more importantly for the cybercriminal, it is a potential portal into the domain of the user’s company leading to the potential of much greater pickings to further the attackers’ financial or political aims.

Criminal Mindsets
Cybercriminals have one fundamental advantage over the rest of us to further their cause, they’re willing to do things we won’t, and their actions are sometimes so abhorrent that we wouldn’t have thought about them in the first place.

Giving users context and understanding of the capabilities of a cybercriminal is critical to building secure systems.

Complacency provides massive potential for security breaches, even for IT professionals and broadcast engineers. Computer servers are gaining more traction in broadcast workflows and with that comes the potential for security breaches.

Although firewalls and virus scanners may make us feel confident about security, seemingly inconspicuous broadcast processing systems can be a source of vulnerability unless adequately protected, especially those running on old or out-of-date operating systems. Keeping a username and password to “admin” and “admin” may be convenient, as everybody in the engineering department can easily access the server, but it’s like leaving an open door for a cybercriminal with a big signpost on it. The firewall should stop them gaining access to the network, but if there’s a fault or unknown vulnerability, then they can scan servers in seconds to find any obvious holes.

Emotional Thinking First
Cybercriminals are often happy to play a waiting game. If they find a vulnerability they can exploit, they don’t necessarily do anything other than wait. Maybe create a password and username or install a process with a time activation in it, but they have time on their hands and just lie in wait.

Providing users with a list of instructions telling them what they need to do isn’t a long-term solution against cybercrime. To maintain full engagement requires IT system designers to think more about psychology and human emotion. They must put themselves in the shoes of the user and understand why having to change passwords, including WiFi access, is such a big deal for users, especially if they are working in high-pressured environments such as a live broadcast facility.

Part of a series supported by

You might also like...

NAB Show 2024 BEIT Sessions Part 2: New Broadcast Technologies

The most tightly focused and fresh technical information for TV engineers at the NAB Show will be analyzed, discussed, and explained during the four days of BEIT sessions. It’s the best opportunity on Earth to learn from and question i…

Standards: Part 6 - About The ISO 14496 – MPEG-4 Standard

This article describes the various parts of the MPEG-4 standard and discusses how it is much more than a video codec. MPEG-4 describes a sophisticated interactive multimedia platform for deployment on digital TV and the Internet.

The Big Guide To OTT: Part 9 - Quality Of Experience (QoE)

Part 9 of The Big Guide To OTT features a pair of in-depth articles which discuss how a data driven understanding of the consumer experience is vital and how poor quality streaming loses viewers.

Chris Brown Discusses The Themes Of The 2024 NAB Show

The Broadcast Bridge sat down with Chris Brown, executive vice president and managing director, NAB Global Connections and Events to discuss this year’s gathering April 13-17 (show floor open April 14-17) and how the industry looks to the show e…

Essential Guide: Next-Gen 5G Contribution

This Essential Guide explores the technology of 5G and its ongoing roll out. It discusses the technical reasons why 5G has become the new standard in roaming contribution, and explores the potential disruptive impact 5G and MEC could have on…