Addressing Human Risk

Addressing human risk, compliance and appropriate controls isn’t as easy as just doing some email phishing, some training and then some more phishing.

Many companies undertake these components, or maybe even add in some face-to-face training, but they never really achieve their objectives of reducing human risk, implementing suitable controls and being able to measure the real risk reduction.

Yes, the scenario stated above will show some improvement. Why? Well, it’s quite simple. The initial phishing exercise alerted the staff who already understand the need for security to the issues. The training then reminded these caring staff what they should do. Then the ironic measurement of the second phishing exercise found a reduction in people falling for the simulated attack. A successful program…?

The problem here is that this only managed to remind the people who care what they should do, so naturally there is an improvement in the second simulated attack.

The real issue is that the people who are at work because they need the money and believe that it’s not their job to be worried about security will continue to do what they always do.

The IT industry is partially to blame for this attitude. For many years now, we have all been advocating what a great job we are doing in protecting the enterprise and improving efficiencies. Why wouldn’t the average staff member believe that they are safe and that the IT department will catch all the bad guys?

The real problem is that the IT department is the backstop, not the front line. The technology that we have been implementing for many years is there to hopefully catch anything that the staff miss, not the other way around.

So, back to the staff who are too busy to care, not interested, or maybe believe that they are safer at work than they are at home. How do we seriously address them? They have behaviours that will inevitably cause a breach eventually.

Firstly, we need to measure the organisation to see what level of security it is at: what the knowledge level is, how this impacts behaviour, and most importantly, how staff attitude and culture are impacting all of this.

Performing a comprehensive Baseline is essential to understanding the issues that we face before we undertake any form of training.

Once the areas of knowledge deficiency, attitudinal issues and behavioural impacts are identified, we can then undertake a serious, focused program to address all of these issues, over a continuous program.

At Layer 8 Security, we perform a Baseline analysis which encompasses understanding past behaviour, current behaviour as impacted by certain stimuli, knowledge deficiencies (broken down by topic, by department and, if desired, by user), attitudinal concerns as well as personality quirks.

Once we have these figures, we compile a report to address these areas of concern and risks and then undertake a planning program to target the areas that need addressing.

The program needs to be run over a year with continuous checks and balances to ensure that the right behavioural changes are occurring with the right people.
