Risk of Human Behaviour in Information Security

1823 words (7 pages) Essay in Information Systems

08/02/20 Information Systems

Disclaimer: This work has been submitted by a student.

Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of UK Essays.

Introduction

As security awareness evolves, so do the opinions of others on this subject. One thing is certain: fostering awareness to mitigate human risk is imperative for an organization’s vitality. In cybersecurity, humans are the weakest link (“Cybersecurity’s Weakest Link: Humans,” n.d.). Humans are considered a weak link because we are not controlled by algorithms or a set of command functions; rather, we have our own will, and that will usually leads us to do, act on, and discover things that strike our interest. It is important to foster an awareness of information security and mitigate the risk of human behavior because doing so helps protect confidentiality, integrity, and availability within a firm (“Computers at Risk: Safe Computing in the Information Age”, 1991, p. 49).

Unintentional Human Error

Many cognitive and psychosocial factors can contribute to an unintentional error. These factors include, but are not limited to, attention deficits, poor situation awareness, and lack of knowledge (this includes memory failures) (“Unintentional Insider Threat: Contributing Factors, Observables, and Mitigation Strategies,” p. 2026). Although these are a few of the contributing factors which lead to human mistakes, the occurrence of these actions affects the security posture of the organization more than the mistake. Lack of knowledge or memory failure could leave employees vulnerable to phishing, which could cause an employee to reveal their login credentials for their job, providing a way of access for the phisher. Additionally, poor situation awareness could increase the likelihood of a breach because workers are presented with a new situation they have never faced before, causing them to react to the problem on intellect (Woods, 2019).

Mistakes are an example of unintentional human error. For instance, any worker within an organization might be proficient at what they do; however, with an overbearing job load, the worker might be susceptible to performing their required duties swiftly. In addition to moving swiftly, they would probably try to multitask to keep up with the heavy workload. This is where and how mistakes can happen; completing too many complex tasks at one time could increase the chance of necessary steps being skipped (such as not opening a suspicious email that seems like it came from your boss or signing on to your office computer with others eavesdropping over you) (“Understanding Human Failure”, n.d.).

The best security practice to mitigate human error and security mishaps is to implement an effective security policy that includes mandated courses which employees must attend to keep them educated on the importance of security awareness.

Malicious Human Behavior

Unintentional action or negligence without malicious intent such as disposing of sensitive files incorrectly is one example of a human cognitive factor that can influence malicious behavior. Additionally, malicious actions extend to a vast range of exploits, like the inaccurate use of classified information/data, unauthorized access to sensitive information, and the prohibited communication with unauthorized recipients.

As a reactive measure, investigations that have followed breaches within various organizations note that the leading psychosocial indicator of malicious insider behavior begins with changes in people’s attitudes, behaviors, and actions (Colwill, 2009). To simplify, this would indicate that employees begin operating outside the norm of their usual routine. If this is not monitored or reported upon indication, the organization would only be able to utilize reactive measures after an attack has already been made (Colwill, 2009). Additionally, this creates vulnerability within the security of the organization, which promotes a poor security posture.

Negligence is the most significant predisposed and counterintuitive behavior that can be presented as an example of malicious human behavior. Continuing, negligent employees are the leading cause of data breaches within an organization (“Danger In Your Ranks: 7 Times Employees Caused Damaging Data Breaches”, n.d.). Additionally, because of their disregard for following proper cybersecurity protocol, internal threats are on the rise (Aarrestad, 2016). Careless employees or insiders tend to inadvertently leak data, breach data because of their eagerness to ignore policies (non-malicious), or willingly cause harm (malicious breaching) (Aarrestad, 2016).

Organizational Factors

Over-the-counter products such as firewall protection software and intrusion detection systems are used as a safeguard to protect information. However, one of the many overlooked factors that affect organizational security posture is the data flow. Data travels unencrypted throughout the network in plain text form and is up for anyone to grab (“To Stop a Cyber Thief: Watch Your Data Flow,” 2015). Firewalls and intrusion detection systems work to control access; however, if they are not configured or managed properly, they create an easy-access point for cybercriminals to intrude on the servers (“To Stop a Cyber Thief: Watch Your Data Flow,” 2015). This allows cybercriminals to obtain access to the organization’s data. Also, cybercriminals only need an internal or Wi-Fi connection and the easy-access point to gain access to the unencrypted data (“To Stop a Cyber Thief: Watch Your Data Flow,” 2015). If the data is obtained, a hacker would have access to credit/debit card numbers, bank account numbers, social security numbers, health records, or any other piece of information the cyber thief may deem valuable.

High workloads can increase work-environment stress, which can impair the performance and judgment of an employee. Additionally, in a high-workload situation, humans tend to want to take a break to recuperate from all of the stress. Although this might be ideal if the stress is unbearable for the employee, they might let their guard down and forget to lock their computers or take their laptop with them for their breather (“Unintentional Insider Threat: Contributing Factors, Observables, and Mitigation Strategies”, p. 2026). If this were to occur, then an unauthorized person could read or share the information stored on the machine, affecting the confidentiality of the organization’s information.

Planning and controlling are vital to an organization’s security posture because they are the act of ensuring proper measures are in place that support the wellbeing of the organization’s posture. For example, having both proactive and reactive readiness would mitigate more risk than having one measure implemented over the other, considering that being proactive controls a situation before it happens (planning) and being reactive acts in response to a situation after it occurs (controlling) (Salihefendic, 2015).

Having staff adequately trained on the proper protocols of cybersecurity would help safeguard organizational information, assets, and personal information. Additionally, it would ensure employees put forth safe practices for network monitoring and identifying/reporting suspicious activities. This strengthens the organization’s security posture while providing the organization with a reasonable level of cybersecurity awareness and focus on safeguarding critical information.

Conclusion

A security culture is a set of values shared and defined by everyone within an organization (Romeo, n.d.). Additionally, it can determine how people will approach and respond to an unsecured situation (Romeo, n.d.). As with the evolution of all great things, this type of culture is created through investing in a sustainable culture. A healthy security culture is created by sustaining the secured culture, transforming security from a one-time event into a repetitive cycle which generates security returns forever (Romeo, n.d.). It is important for organizations to foster a healthy security culture because it ensures that employees are knowledgeable about how to minimize the risk of acting in an unsecured manner.

Educating employees on security awareness is just as crucial as making sure you have enough gas in your car to get from point A to point B. It promotes a healthy security culture because it is the knowledge members possess about the protection of the physical and informational assets of the organization. Furthermore, it guarantees the safety of your cyber assets because of the trained associates. Given how the public lambasts data breaches, losses, and financial recklessness, having substantial protocols in place will reassure customers and stakeholders that appropriate security awareness processes are being applied to their investment. Additionally, this shows that the security culture (compliance) is being maintained.

Engaging stakeholders in the security awareness training program can help create new strategies for mitigating risk and add to the success of the organization. Security governance needs to be multifaceted in various environments and designed, implemented, and maintained with people’s behaviors in mind (Colwill, n.d., p. 192). Solutions should be agile while building and maintaining trust and secure relationships as time goes on. Including the stakeholders in the awareness training educates them on the reality of cybersecurity; it also shows them that you are ready when an error occurs. Educating the stakeholders in this area also helps decrease cyber vulnerability (Matthews, n.d.).

Considering what has been presented regarding malicious human behavior, this information should be used to implement an internal cyber menace program. Although it is unlikely to stop a cyber-attack, it can be prevented with the proper implementations. To implement, I would suggest utilizing steps similar to those of a cyber threat analysis, that is: scope, collect, analyze, anticipate, and mitigate, to help fortify the structure of the cybersecurity posture.

References

  • Computers at Risk: Safe Computing in the Information Age. (n.d.). Concept Of Information Security. Retrieved from https://www.nap.edu/read/1581/chapter/4.
  • Cybersecurity’s Weakest Link: Humans. (n.d.). Retrieved from https://www.iflscience.com/technology/cybersecurity-s-weakest-link-humans/.
  • Unintentional Insider Threat: Contributing Factors, Observables, and Mitigation Strategies. (n.d.). Human Factors. Retrieved from https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6758854.
  • Aarrestad, E. (n.d.). Insider Threat: Negligence is more dangerous than malevolence. Retrieved from https://blogs.absolute.com/insider-threat-negligence-is-more-dangerous-than-malevolence/.
  • Colwill, C. (n.d.). Human factors in information security. The Insider Threat-Who Can You Trust These Days? Retrieved from https://csbweb01.uncw.edu/people/cummingsj/classes/mis534/articles/Previous Articles/Ch11InternalThreatsUsers.pdf.
  • Danger In Your Ranks: 7 Times Employees Caused Damaging Data Breaches. (n.d.). Retrieved from https://www.redteamsecure.com/danger-ranks-7-times-employees-caused-data-breaches/.
  • Matthews, D. (n.d.). How to Educate Stakeholders on the Realities of Cybersecurity. Retrieved from https://datafloq.com/read/educate-stakeholders-realities-cybersecurity/4020.
  • Romeo, C. (n.d.). A Developed Security Culture. Retrieved from https://techbeacon.com/security/6-ways-develop-security-culture-top-bottom.
  • To Stop a Cyber Thief: Watch Your Data Flow. (n.d.). Retrieved from https://www.swordshield.com/blog/stop-cyber-thief-watch-data-flow/.
  • Understanding Human Failure. (n.d.). Leadership and Worker Involvement Toolkit. Retrieved from http://www.hse.gov.uk/construction/lwit/assets/downloads/human-failure.pdf
  • Woods, E. (n.d.). The Role of Human Error in Successful Cyber Security Breaches. Retrieved from https://blog.getusecure.com/post/the-role-of-human-error-in-successful-cyber-security-breaches.