The Human Factor

So far, we have discussed security control types and functions and how layers of controls provide defense-in-depth. These controls protect data from outside threats, but an even greater area of concern is the "inside threat" – people. Read the introduction and the two sections on social engineering in this article about the human factor. Why are people a threat to information security?


Thanks to technology, our chances of surviving an emergency have drastically improved. In fact, technology has positively changed how we live, how we travel, how we interact, how we learn, how we are medically treated and, most importantly, how we lead our lives. The technology used in the critical infrastructure that supports our day-to-day life is becoming a necessity without which life seems unimaginable. However, this necessity of life has also attracted a lot of interest from those who illegally try to gain access to personal, business or corporate data to satisfy their own objectives. Many citizens fall victim to these attacks and suffer consequences ranging from minor to life-changing. From losing access to personal photographs of sentimental value in a ransomware attack to losing custody of your children, the result of these attacks can, in some severe cases, mean life or death. When these attacks are targeted at critical infrastructure, the consequences can be even more devastating. Consider the ransomware attack on the NHS in May 2017. The attack resulted in a significant meltdown of emergency services in the UK. It is now being argued that the attack on the NHS could have been prevented through due care, regular updates to NHS IT infrastructure and employee training. The question, however, is what other critical infrastructure operators have learned from this calamity and what they intend to do to avoid a similar situation.

With the emergence of smart cities, the opportunities for gain available to malicious attackers have grown, along with their motivation. Great damage and substantial financial loss have been caused by malware, botnets and targeted attacks that deceive the user into connecting to malicious domains or websites. Although intrusion detection systems and monitoring tools play a significant role in network security, the human factor must also be taken into consideration. It is imperative that due care and caution are taken at all levels of interaction with technology to ensure that users do not accidentally introduce malware into the organisation. While security awareness training solutions are known to provide effective mechanisms for learning and knowledge transfer on security measures, they suffer from a few shortcomings. For instance, monitoring the employees going through the training process may be neither efficient nor effective. This lack of effectiveness arises because, where critical organisations have large numbers of employees requiring awareness training, adequate progress monitoring is a monotonous task with a higher margin of error. Similarly, upon completion of the courses, most employees may have forgotten some of the security awareness knowledge and information acquired earlier in the training workshops. Recent research found that after attending a business training session, employees in general tend to lose 50% of the information within an hour, 70% within twenty-four hours and 90% within a week. Thus, it is vital that awareness training is integrated into employees' day-to-day tasks to support retention and application of the knowledge acquired.

Other prevention aspects, such as vulnerability assessment, physical security and the implementation of effective policies and procedures in critical infrastructure systems, are just as important as staff awareness training. To address the technical challenges and shortcomings faced by organisations, the proposed cyber defence strategy focuses on offering a concise cyber incident prevention guide to organisations that operate critical infrastructure. Our proposed cyber defence strategy will enable these organisations to protect their assets, as well as to train their employees efficiently, so they are better prepared to deal with cyber and social engineering attacks. This paper proposes a context-aware education tool to be deployed in a business environment to raise the security awareness of employees. The developed application uses a client-server model, which the administrator can configure so that different modules are presented according to the current user activity. Each module covers a specific aspect or topic related to security awareness in the business environment. If the user's activity does not trigger the application to display information, the application autonomously selects tips and presents them to the user. The administrator can also monitor the progress of each user and set deadlines for the completion of each module.

The remainder of this paper is organised as follows. Section 2 discusses the continuously growing threat of social engineering. Section 3 lists the human traits that social engineers actively exploit during an attack. Section 4 presents the security awareness programmes currently on the market. The design and implementation of the proposed security awareness training programme are explained in Sect. 5. Section 6 describes the software testing and evaluation methodology. Section 8 concludes the paper.

Source: Ghafir, I., Saleem, J., Hammoudeh, M. et al.,
This work is licensed under a Creative Commons Attribution 4.0 License.