Human Weak Links: Addressing the Right Problem and the Role of AI

To paraphrase Voltaire:

Common sense is not that common.

The idea that, when faced with an issue, we first need to pose the right question is broadly accepted. The corollary, answering that question, is also well understood. But the next step, developing a solution that addresses the answer, is too often a stumbling block. Sometimes it is easier to develop a solution to something related. Sometimes momentum makes the team build on an original solution. Whatever the reason, the work done in the question and answer phase is effectively discarded.

The Human Weak Link

An example is electronic passwords. The theory and application of electronic password systems are quite advanced. But the early systems developed and deployed failed to provide the security results expected. The answer was quickly identified: the weak link in security systems is human interaction. Then a massive failure occurred in attempting to rectify this issue. Instead of solving for the root cause of the “human problem”, the teams involved in providing solutions focussed on specific issues one by one.

An early problem identified was that users were not using enough characters in their passwords, and this was solved by requiring a minimum number of characters, usually eight. Then another problem identified was that the passwords used by users were cryptographically weak. The first attempt to remedy this was to force the use of an expanded set of characters, and many password systems started requiring, for example, the use of an upper case letter, a lower case letter, a number and a special character. Further attempts at improving the cryptographic strength of passwords were to ensure that users did not use their names, phone numbers, previously used passwords, and so on. The attempts at managing the human weak link in password security systems continued, including attempts at education, using password generators, password storage apps, etc.

Solving for the Right Problem

The problem with all of these solutions is that none of them attempted to provide a solution to the identified problem that the human link is weak. They all addressed specific instances of this problem. The first successful attempt was the introduction of two-factor authentication. In two-factor authentication the user enters their password but then has to authenticate using a system-generated password produced by an app. There are various forms of this solution, including one-time passwords (OTPs) that are emailed or messaged to the user, using an authentication app or hardware (RSA sticks / cards) to generate the second authentication password, etc.

This solution actually addresses the human weak link because it removes it. Two-factor authentication isolates the human from the second factor by using a system-generated password independent from humans. This solution resolves the original human weak link issue.

The Role of Artificial Intelligence

The human weak link issue is why there will always be a place for AI in the world. AI is continuously attacked using examples that require expert solutions in new or ambiguous environments. An example is self-driving cars. The question posed is whether an AI system would be able to properly respond to, for example, a child running out into the middle of the road. Importantly, how would an AI system manage the ethical dilemma of swerving away from the child, saving the child’s life, but risking hitting someone else? These are valid questions, but not the only questions. They are an example of the selective example logical fallacy.

First, what makes anyone think that the average human driver would be able to manage the situation any better? From what I have seen it is not clear that humans have any clue as to how to do this. But far more importantly, that is only a specific risk. There are many others in driving, and the human weak link appears, to me, to include breaking easy-to-follow rules as the main cause of serious accidents. These driving rules include remaining under the speed limit, maintaining safe distances (not tailgating), respecting stop signs, signaling when changing lanes, not running red lights, etc. In these situations AI will far outperform the average human.

Human Rationality and Cognitive Biases

We like to say that what separates humans from animals is the ability to think. This statement is true but ambiguous. It is not that the human mind replaces natural instinct but that the human mind can often override instincts. But not always. An example is the COVID-19 virus. It is human nature to be optimistic, to not always assume the worst, otherwise every person on the planet would be in a fetal position hiding under their bed. This optimism is natural and usually sensible, otherwise a fear of car accidents would immobilise the world population.

The problem with human optimism is in specific cases, such as a highly contagious, lethal virus, when the worst case is indeed clearly happening. It is difficult for humans to overcome their cognitive bias that “it won’t happen to me” and that the risks aren’t high. At this point human reversion to natural instincts must be overridden by specialists and those in authority: no, it will very likely happen to you, the risks are catastrophic, so you are ordered to stay at home.