Businesses need to get better at understanding the human behaviours that let cyber threats proliferate if they are to improve their defences, according to the former head of GCHQ's London office.
Speaking at a Westminster eForum event in London on Wednesday, John Bassett, who headed up GCHQ's London office between 2004 and 2007 and now works as an associate fellow on cyber security for RUSI, said this was an issue on which he was trying to improve understanding.
"Cyber security is based on networks and data but it is really about people. We are quite good at technical solutions. But understanding humans in cyber space? We have much less insight," he said.
"I'm getting academics in social sciences and human behaviour together with computer scientists in Oxford next month to talk to each other."
Bassett explained that some of the key issues requiring further insight relate to the motivations of attackers and what causes those within organisations to be duped by attacks, as well as how to make people understand how to keep themselves safer online.
"There's a perception that people take more risks on the internet than they do in real life, but we don't know the nuances of that. It's important we understand the mindset of potential victims, of ordinary people and why they behave differently online," he said.
The issue of education was also raised by the European managing director of IT certification and security firm ISC², John Colley, who said it was important children were brought up to understand the risks of using computers.
"The first time a student enters a chemistry lab they are taught about how to use it safely, but with computers they are told nothing. They are just left to use it, but this needs to change," he said.
However, Henry Harrison, the technical director at BAE Systems' Detica division, said that he was "sceptical" that education and understanding human behaviour would ever prove enough to protect those online.
"I think the reality is that it's too difficult to understand what the risks are. The fact is the IT professionals don't know what the risks are. And until the IT systems we expect people to use help people understand the risk environment we are working in, it's impossible [to educate people]."
Dan Worth is the news editor for V3, having first joined the site as a reporter in November 2009. He specialises in a raft of areas including fixed and mobile telecoms, data protection, social media and government IT. Before joining V3, Dan covered communications technology, data handling and resilience in the emergency services sector on the BAPCO Journal.