The Sunday Mail
A SECURITY system is as strong as its weakest link; and in information security, that link is the human factor.
Employees present an elevated risk for corporations’ information resources.
According to the 2022 World Economic Forum Global Risks Report, about 95 percent of cyber-attacks can be traced back to human negligence or human-based attacks such as ‘phishing’.
This underscores attackers’ heavy reliance on exploiting human vulnerabilities to gain a foothold on network resources, from where they can then exploit other technical vulnerabilities for malicious purposes.
In this modern world, cyber security extends beyond just bits and bytes, to people and processes. Employees have broad access to corporate network resources and they interact with those resources in ways that can be exploited by leveraging natural human traits.
People have traits and habits, such as empathy, kindness and politeness, all of which can be exploited by a social engineer.
Similarly, curiosity, credulity and naivety can be leveraged in carrying out phishing attacks and spreading malware. Attackers select targets by identifying and analysing their traits, characteristics, behaviours, skills or knowledge and then create scenarios to exploit them.
“A personality trait is a characteristic pattern of thinking, feeling, or behaving that tends to be consistent over time and across relevant situations.” Personality analysis methods include Mann’s method, Goldberg’s ‘Big Five’ model, Marston’s DISC model and the Myers-Briggs, among others.
Mann’s method is useful in understanding employees’ vulnerabilities. Attackers can exploit targets if they know the motivations, drivers and general characteristics of each role.
However, if employers are aware of these personality types and the associated risk factors, they can apply necessary mitigations to minimise chances of exploitation.
Exploitable traits and habits can be divided into four main categories: personal, workplace, momentary and situational. These four categories of traits can be related, and they often intersect.
Such combinations can be exploited by social engineers. Personal traits are the most basic human characteristics and are often difficult or even impossible to change, such as helpfulness, curiosity and openness, most of which are primary targets for social engineers.
Workplace characteristics are related to a given workplace or position within an enterprise. Based on working conditions, these traits might change over time, such as when a person changes positions, tasks or projects.
Momentary traits are usually short-lived and can change quickly, depending on conditions. Situational traits are momentary traits that generally occur during a stressful situation, such as a security breach.
They are considered separately because they usually do not help an attacker take offensive action, but rather they affect the execution of an attack after it is detected.
How do we guard against these pitfalls? Improving employees’ security awareness is the most effective safeguard against social engineering. Well-trained and security-aware employees can prevent, detect and report security events and incidents; after all, they are the organisation’s first line of defence.
While technical controls such as next generation firewalls play a huge part in protecting networks, they can normally be circumvented by a persistent ‘socially-engineered’ user.
Organisations should develop security awareness programs tailored to their environments to upskill employees and help prevent, detect and respond to cyber-attacks of different forms.
Ideal security awareness training should go beyond posters and slides to include content such as live attack simulations targeting audience members.
Gamified learning programs also encourage active participation, leading to better content consumption and retention. Employees must be aware of their role in keeping the organisation safe and leaders must foster a culture of transparency to allow their people to communicate issues and mistakes.
A successful security awareness program teaches participants to recognise their own vulnerabilities and exploitable traits and habits. While it is true that there is no patch for ‘human stupidity’, proper training does go beyond patching to bring about a whole new cyber-aware employee: the ultimate first line of defence.
*Mugonat Systems is an ICT services provider offering software development and cybersecurity consultancy services in the region. They can be reached at [email protected].