How to enhance resilience by addressing human factors
By Amanda Widdowson, Head of Human Factors Capability at Thales in the UK
This article was originally published in Cyber magazine.
Cyber security incidents are often attributed to ‘human error’. Amanda Widdowson says organisations can reduce risk by applying a human factors approach.
In 2020, a study found “95% of cyber security breaches are due to human error”. Therefore, addressing cyber security, without considering the human element, would be like locking all the windows on your house but leaving the front door wide open. Changing employee behaviour can be difficult, time-consuming, expensive and arguably unethical. However, human factors experts have identified practical actions to enable organisations to minimise the risk of human-related cyber security incidents.
Two new papers by the Chartered Institute of Ergonomics and Human Factors (CIEHF) provide guidance regarding behaviour change, cyber security maturity levels, organisational resilience, board decision-making and presentation of cyber security information. The Human Affected Cyber Security (HACS) framework paper identifies categories of risky human behaviour. Organisational causes were found to be at the root of most of them. Some behaviours and solutions follow.
User validation violations
The use of passwords for user validation is heavily reliant on limited human memory capacity. A typical user will require many passwords for personal and professional applications and websites. There is a risk that people will use the same, easy-to-remember password for several applications, so if one is compromised, the rest are too. Biometric technologies may be a better solution because they eliminate reliance on human memory. Fingerprint and facial recognition systems are common on smartphones, but could be better utilised in commercial computer equipment and applications.
Information sharing and misuse of technology
If cyber security policies are too strict, employees are likely to find workarounds, such as transferring information using personal email accounts or unauthorised memory storage devices. Blaming users is not helpful. Instead, the procedures need to be designed around jobs and, if possible, the most secure way to perform a task should also be the easiest way. To achieve this, employees need to be consulted in the design of procedures.
Information shared in public areas, and online, fuels targeted phishing campaigns. This can be monitored by open-source intelligence surveys.
A common observation from Cyber Vulnerability Investigations is a tendency for employees to rely on their IT department to protect them from cyber-attacks. In a mature culture, everybody takes responsibility for their own cyber security. Cultural change programmes can help to achieve this.
Reasons for poor cyber security awareness include a lack of accessible, well-designed, relevant training. Effective training uses examples of consequences that are meaningful to the target audience. The aim is to frighten, but provide solutions. A competence management system can be used to monitor training completion and understanding.
Poor monitoring and incident management
Employees need to be able to report incidents easily and without fear of blame or punishment. Significant or common incidents should be monitored and investigated, and the associated lessons captured and applied. Incident investigation should cover human factors considerations with the help of a competent practitioner. Organisations need to be prepared to respond to an attack.
Neglecting physical environment security
Although it may not seem like an obvious part of cyber security, an important attack route, especially for ‘air-gapped’ systems which are not connected to the Internet, is the physical working environment. Attackers may gain unauthorised access by ‘tailgating’: following authorised personnel through entry points. They then seek access to electronic systems through unprotected server rooms, unlocked computers and inserted memory sticks. Paper-based information left on desks, on printers or in unlocked storage facilities may also be targeted.
An understanding of human factors can help identify and reduce the vulnerability of the physical environment. If people are used to seeing strangers in their working environment, they might be less likely to challenge an unauthorised attacker. Good visitor identification can mitigate this. Tailgating can be alleviated by turnstiles and security personnel at entry points. Politeness can prevent employees from checking credentials before allowing access, so clear allocation of this responsibility to security personnel can help. The security of remote working environments also needs to be considered.
Deliberate, malicious attack
Although statistics show the majority of ‘insider threat’ incidents are caused by non-malicious behaviours, the framework also addresses deliberate attacks. If employees feel unappreciated, at risk of redundancy, or disagree with an organisational policy, the risk of them compromising the organisation increases. It is therefore prudent to provide emotional support mechanisms, assess morale using engagement surveys and conduct monitoring.
With the rise of cyber-attacks that circumvent technical defences, arguably the best defence is to consider the human. Cyber resilience strategies need to incorporate human factors if they are to fully address risk.