Monday 11 December 2017

The Human Element


There is one attack vector that all users are susceptible to and, unfortunately, to some degree always will be: Social Engineering. The mere mention of Social Engineering can cause some CIOs / CISOs / Information Security Heads to shake and tremble, and those who don’t, I would argue, have not entirely understood the full effect a skilled Social Engineer can have on their business. Social Engineers rely on the big bag of fluid that sits behind the computer (otherwise known as the wetware) to make a mistake. Wetware, most commonly known as “people” or, to the management among the readers, “employees” (or in some cases “minions”), is currently, and has been for some time, the biggest headache for security professionals.

It is commonly agreed that effective employee Security Awareness Training is the best answer to Social Engineers. Effective employee Security Awareness Training should raise awareness of this dangerous cyber-attack vector, including the different methods usually employed by a Social Engineer. However, once the training has been delivered, how do we assess how effective it has been? Can this truly be tested?

Social Engineers will not just attack an employee at work; they will attempt to steal sensitive information no matter the environment. Remember, sensitive information is in the eye of the beholder. It may not relate just to your business; it may be sensitive or personal to your employees. A good Social Engineer will use various techniques to maximise disruption to your business, including targeting your employees when they leave the logical and physical security fortress built for them by your IT Security team and/or department. So, in reality, employee Security Awareness Training asks that the wetware be on constant lookout and maintain uninterrupted vigilance against Social Engineers, which can be tiresome and draining for the employee. Keep in mind that the ultimate aim of any Social Engineer is to get your employee to lower the drawbridge and bypass the security controls of your CIS Security fortress entirely.

Effective employee Security Awareness Training is something that must be entrenched in your employees, almost as part of their behavioural DNA: when surfing the internet, using apps, talking on the phone, dealing with email, doing their online shopping, and during all digital dealings, without delay, disdain or derision, security must remain at the forefront of their consciousness. Sounds almost impossible, right? Most likely, but it’s said that your best teacher is your last mistake.

In what seems to me now, looking back, a past life, I was a JNCO in Her Majesty’s Royal Air Force. Among the annual RAF competencies I had to keep up to date with, including fitness tests and getting gassed once a year (Armed Forces Veterans and Regulars will know the pain…), was Human Factors (HF) training. It was a necessity that all MoD personnel were subjected to HF training in an effort to improve Air Safety at MoD bases. It operated on the premise that if an MoD site supports a system (the MoD uses the Defence Aviation Error Management System, or DAEMS) which encourages Airmen to submit ideas to improve safety or to own up to mistakes freely, the behaviour of the workforce will change. The system would highlight issues with policies and procedures, or introduce a new way of working to prevent mistakes, or even improve an Airman’s environment.


The philosophy behind Human Factors training is this: how much concentration is lost on a particular task if we as human beings are stressed, hungry (or in my wife’s case, “hangry”), tired, too cold, too hot, etc.? The list goes on and on; we are, of course, only human. Dr Abraham Maslow published his “Hierarchy of Needs” way back in 1943 and it has been a staple for psychology students since. The logic behind the hierarchy is simple: the essential survival needs in the lowest level of the pyramid must be satisfied before the individual can turn his or her attention to the next level, then that level must be satisfied before proceeding up, and so on. All the human needs on Maslow’s Hierarchy have been shown to affect performance. It is these slips in performance that a skilled Social Engineer will aim to exploit and take full advantage of.


Fig 1 – Maslow’s Hierarchy

An interesting footnote to the hierarchy: in today’s modern world, there is an argument [1] that Wi-Fi, mobile phones and social media should be appended to the hierarchy at the very base, at the physiological needs stage. They are being rated as important to humans today as the things we need to exist: food, water, clothing, etc.! I’m sure it is in jest, but it does highlight how important a digital life has become and how some employees might be distracted or stressed if their digital existence is under threat.

It occurs to me that HF training could be adapted to Cyber Security. How excellent would it be to have a system that captures and harnesses the human element, taking a business’s greatest weakness and morphing it into its greatest asset? Instead of using HF to improve Air Safety, use it to improve Cyber Security. Let’s say your MoD Site (your business) decides to develop and introduce a system which allows its Airmen (employees) to submit ideas on how the organisation can improve Cyber Security and their environment, and in turn rewards them for practical ideas that can be implemented. Please note, I am not claiming that this system will prevent mistakes altogether. Albert Einstein once said, “Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.”

Nevertheless, it is a step in the right direction. I believe it will (when implemented correctly) allow others to learn from a common blunder, improve policies and procedures and allow your organisation to improve the life of its employees by implementing practical ideas where applicable.

A lynchpin of the whole scheme was that, whether or not an idea submitted could improve Cyber Security, the submitter was given feedback: either “yes, that’s great, we can implement that,” or “no, we won’t adopt this idea because of x, y, z reasons”. The feedback has to be given to allow learning. Feedback demonstrates to the submitter why a procedure is designed the way it is, and the security reasons behind it.

In implementing HF training with the aim of improving Cyber Security, an understanding must be reached that humans will always make mistakes; what matters is how the entire organisation can learn from one mistake to prevent future occurrences, or even spot improvements to the security posture from a unique point of view that will prevent a mistake entirely. The bottom line is this: you know your environment, and this is an idea which could potentially harness the human element and use it as a force to improve the Cyber Security posture of your organisation.

“All men make mistakes, but only wise men learn from their mistakes.”
Winston Churchill

[1] http://blog.dlink.com/maslows-new-hierarchy-of-needs/
