Unit 4 - Human Factors Flashcards
What are the 7 most significant human factors?
1) Inadequate cybersecurity subject knowledge
2) Poor capture and communication of risks
3) Culture and relationship issues
4) Under-investment in security training
5) Using trust instead of procedures
6) Absence of a single point of accountability
7) Social engineering
What are the challenges for cyber SMEs in maintaining their cybersecurity subject knowledge?
- Speed of adoption of emerging technologies means constant new requirements.
- Requires ongoing and substantial personal investment in keeping up with new technologies and threats.
Why do people not report risks that they have noticed?
1) The risk doesn’t impact them directly.
2) They believe there will be negative personal or career consequences for reporting risks.
3) They perceive the process for filtering and escalating risks to be poor, so risks get buried rather than communicated and managed.
Why are cultural issues a problem for cybersecurity?
- A corporate culture that leaves staff disaffected or disinterested is more likely to produce threats from within.
- Poor whistleblowing processes can route a report, together with identifying details, back to the very people causing the problem, which discourages further reporting.
- An attack is much easier to carry out with the help of an insider, even one without privileged access.
Why is under-investment in security training a problem?
- People are not aware why certain security requirements matter, such as using different usernames and passwords for different accounts.
- They do not know how their own actions can create, deter or detect security issues.
- They do not know what threats exist, how to avoid them, or how to report suspected or confirmed security problems.
What specific and practical advice should be given to people?
- Do not leave a device unlocked when you are not with it and using it.
- Never mix alcohol with using a device.
- Never discuss or speak about work when intoxicated.
- Be aware that malicious software can be loaded simply by clicking a link.
What should good security awareness training be?
- Concise
- Relevant
- Useful
- Thought-provoking
- Frequent
- Updated regularly (minimum once per year)
What is the problem with using trust instead of procedures?
What should procedures be?
- A few selected individuals may hold unbridled privileges and be treated as completely trustworthy, so nothing checks what they do.
- Procedures should ensure that no-one can independently execute an action on the basis of trust alone.
- The stringency and breadth of the procedures that control and monitor access and privilege should be proportionate to the sensitivity of the assets.
- The more sensitive the asset, the greater the need for additional measures to monitor, review, check and approve actions.
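The two ideas above (no action on trust alone; controls proportionate to sensitivity) are usually implemented as an approval or "dual control" check in front of the sensitive operation. The following is an added illustration, not code from the original course material: a small Python enforcement layer in which the number of distinct approvers required rises with the asset's sensitivity tier, a requester can never approve their own request, the same approver cannot be counted twice, and every decision (approve, deny, execute) is written to an audit log. The tier names, the approval counts in REQUIRED_APPROVALS, and the sample action and user names are assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class Sensitivity(IntEnum):
    """Asset sensitivity tiers (an assumed three-level scale for this example)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed policy: number of distinct approvers, other than the requester,
# that an action needs before it may run. The more sensitive, the more eyes.
REQUIRED_APPROVALS = {Sensitivity.LOW: 0, Sensitivity.MEDIUM: 1, Sensitivity.HIGH: 2}


class ApprovalError(Exception):
    """Raised when an approval is invalid or an action lacks required approvals."""


@dataclass
class ActionRequest:
    action: str                 # e.g. "rotate-prod-db-key" (constructed sample)
    requester: str              # identity that wants the action performed
    sensitivity: Sensitivity
    approvals: set[str] = field(default_factory=set)   # distinct approver identities


class DualControl:
    """Enforces 'nobody executes on trust alone': sensitive actions need approval
    from other people, and every decision is recorded in an audit log."""

    def __init__(self) -> None:
        self.audit_log: list[tuple[str, str, str]] = []   # (event, action, actor)

    def approve(self, req: ActionRequest, approver: str) -> int:
        # A requester may never approve their own request.
        if approver == req.requester:
            self.audit_log.append(("reject-self-approval", req.action, approver))
            raise ApprovalError(f"{approver} cannot approve their own request")
        # The same person may not be counted as two approvers.
        if approver in req.approvals:
            self.audit_log.append(("reject-duplicate", req.action, approver))
            raise ApprovalError(f"{approver} has already approved {req.action}")
        req.approvals.add(approver)
        self.audit_log.append(("approve", req.action, approver))
        return len(req.approvals)

    def execute(self, req: ActionRequest, perform):
        """Run `perform()` only if the tier's approval quota is met; log either way."""
        needed = REQUIRED_APPROVALS[req.sensitivity]
        if len(req.approvals) < needed:
            self.audit_log.append(("deny", req.action, req.requester))
            raise ApprovalError(
                f"{req.action} needs {needed} approval(s), has {len(req.approvals)}"
            )
        self.audit_log.append(("execute", req.action, req.requester))
        return perform()


def demo() -> dict:
    """Walk a HIGH-sensitivity request through the control and return the outcomes."""
    dc = DualControl()
    req = ActionRequest("rotate-prod-db-key", "alice", Sensitivity.HIGH)
    out = {}
    try:                                   # no approvals yet -> denied
        dc.execute(req, lambda: "rotated")
        out["unapproved"] = "ran"
    except ApprovalError:
        out["unapproved"] = "denied"
    try:                                   # alice approving alice -> rejected
        dc.approve(req, "alice")
        out["self_approval"] = "accepted"
    except ApprovalError:
        out["self_approval"] = "rejected"
    dc.approve(req, "bob")
    try:                                   # HIGH needs two approvers, has one
        dc.execute(req, lambda: "rotated")
        out["one_approval"] = "ran"
    except ApprovalError:
        out["one_approval"] = "denied"
    try:                                   # bob approving twice -> rejected
        dc.approve(req, "bob")
        out["duplicate"] = "accepted"
    except ApprovalError:
        out["duplicate"] = "rejected"
    dc.approve(req, "carol")
    out["two_approvals"] = dc.execute(req, lambda: "rotated")
    # A LOW-sensitivity action needs no second pair of eyes but is still logged.
    low = ActionRequest("read-own-profile", "alice", Sensitivity.LOW)
    out["low"] = dc.execute(low, lambda: "ok")
    out["log"] = [event for event, _, _ in dc.audit_log]
    return out


if __name__ == "__main__":
    print(demo())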
What is the problem with not having a single point of accountability?
- Shared accountability does not work well: if accountability is unclear, then in the event of a failure each shared owner expects to be equally unaccountable.
- A single point of accountability (SPoA) has been proven to help control highly regulated systems successfully.
- Roles and responsibilities tend to overlap, but it is important to create non-overlapping boundaries so that one named person owns each outcome.
Why should we be worried about social engineering?
What should be considered?
- It is easy for attack teams to place agents where they can get close to ‘trusted’ people, or to trusted suppliers’ premises or systems.
- The main protection against this is awareness training that uses real-life examples.
- Attacks may not be premeditated: sometimes the wrong information is simply given to the wrong person at the wrong time.
- It is essential to consider which human factors are most likely to create the opportunities that lead to cybersecurity failure.
What six human factors have been found to significantly contribute towards security failures?
- Gaps in procedures.
- Risks known to some but not reported or managed effectively.
- Disinterested or disaffected personnel.
- Lack of security awareness.
- Level of access privilege not adequately monitored or segregated.
- Social manipulation of an individual to gain access to information or systems.