The human element, or insider threat, has been identified as a contributory factor in over 60% of cyber security incidents*. Insider threat comprises unintentional human errors, such as inadvertently installing malware, as well as malicious attacks such as 'whistle-blowing', the deliberate release of sensitive information. Current approaches to cyber security do not fully capture the psychological motivations and organisational culture issues that affect human behaviour. Organisations need to quantify, and more importantly mitigate, the risk of insider threat and unintentional human error. By reducing the risk of unintentional human error, we also reduce the likelihood of a successful malicious attack.
*IBM Cyber Security Intelligence Index 2016

The CHEAT approach comprises an initial planning stage, followed by data collection and reporting stages, and incorporates automated reporting technology to ensure fast collection of human-related risks.
The report provides a prioritised list of human risk indicators with associated recommendations. Every recommendation is cross-referenced to the number of the risk indicator it addresses, and each carries an ease-of-implementation score. Graphical reports illustrate the average risk per category and the number of recommendations broken down by risk and by ease of implementation.
The tool provides a more detailed consideration of human-related risks than typical CVI tools. The incorporated checklists, questionnaires and automated reports facilitate fast identification of human-related risks to cyber security. The more CHEAT is applied, the more valuable the industry norm score becomes, because each assessment adds to the data set the norm is drawn from. By benchmarking risk in this way, we can measure improvement. The approach can be re-applied once key recommendations have been implemented, to enable an organisation to demonstrate a reduced risk score. This has implications for assurance and insurance of cyber security risk. Technological interventions may affect system reliability and safety certification; solutions that address the human element are likely to be more cost-effective.
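The report structure described above (prioritised indicators, recommendations cross-referenced by indicator number, ease-of-implementation scores, average risk per category, counts by risk and ease, benchmarking against an industry norm and re-assessment after fixes) as an added illustration in Python. This is not CHEAT's own code; the 1 to 5 scales, the indicator names, the sample findings and the industry norm value are all constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    number: int           # risk indicator number, used to cross-reference recommendations
    category: str
    risk: int             # 1 (low) .. 5 (high); hypothetical scale
    recommendation: str
    ease: int             # 1 (hard) .. 5 (easy) to implement; hypothetical scale

# Constructed sample findings from one assessment (not real CHEAT output)
FINDINGS = [
    Indicator(1, "Awareness", 4, "Run phishing-recognition refreshers", 4),
    Indicator(2, "Awareness", 2, "Publish a plain-language acceptable-use policy", 5),
    Indicator(3, "Culture", 5, "Create a no-blame channel for reporting mistakes", 3),
    Indicator(4, "Culture", 3, "Include security in manager objectives", 2),
    Indicator(5, "Process", 5, "Enforce dual approval for bulk data exports", 1),
    Indicator(6, "Process", 4, "Remove standing admin rights from daily accounts", 3),
]

def prioritise(findings):
    """Highest risk first; among equal risk, the easiest fix first."""
    return sorted(findings, key=lambda f: (-f.risk, -f.ease, f.number))

def recommendations(findings):
    """Recommendations in priority order, each cross-referenced with its indicator number."""
    return [(f.number, f.recommendation, f.ease) for f in prioritise(findings)]

def average_risk_by_category(findings):
    per_category = defaultdict(list)
    for f in findings:
        per_category[f.category].append(f.risk)
    return {c: sum(v) / len(v) for c, v in per_category.items()}

def count_by_risk_and_ease(findings):
    """Number of recommendations in each (risk, ease) cell, the basis of the graphical report."""
    return Counter((f.risk, f.ease) for f in findings)

def overall_score(findings):
    return sum(f.risk for f in findings) / len(findings)

def benchmark(findings, industry_norm):
    """Positive means worse than the (hypothetical) industry norm score."""
    return round(overall_score(findings) - industry_norm, 2)

def reassess(findings, implemented, residual_risk=1):
    """Re-apply after the numbered recommendations are implemented, to show the reduced score."""
    return [Indicator(f.number, f.category, residual_risk if f.number in implemented else f.risk,
                      f.recommendation, f.ease) for f in findings]
```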