Patching Security Awareness: Human Traits as Vulnerabilities

Eszter Diana Oroszi
Author: Eszter Diána Oroszi, CISA, CRISC, CISM, ISO 27001 LA
Date Published: 15 October 2021

October is Cybersecurity Awareness Month, a time of year when security awareness improvement actions become especially prominent. Outside of introducing information security rules, understanding human-based threats and recommending defensive actions, it is also important to ensure users understand their role in security and their vulnerabilities: the bad habits and exploitable threats of the human factor. This could be the key to the success of security awareness improvement actions.

If participants understand risk based on the human factor and get an answer to the questions “Why is it important for me?” and “How can I be a target of an attacker and victim of an attack?” they will be able to apply their information security knowledge better and comply with related rules.

But what is the answer?

According to the Verizon 2020 Data Breach Investigation Report, 67% of successful cyberattacks are the result of human negligence or human-based attacks such as phishing. Other statistics reveal that 98% of cyberattacks are based on human factors and use social engineering techniques. This shows that employees are attractive targets to cybercriminals. The reason is that users usually have direct access to all of the assets to be protected, because they

  • Use and transport hardware devices (and can leave them in a visible place to be stolen by a thief)
  • Install and update software and work with internal applications (and can install unwanted programs and forget updates)
  • Have access rights and internal knowledge (which can be useful for attackers when performing other types of attacks)
  • Communicate with other colleagues, clients, customers and partners (which can be an exploitable channel)
  • Have exploitable traits and habits

If attackers know the personality, motivations, traits and habits of a targeted user, they can identify elements that are useful for social engineering attacks. Traits making employees exploitable could be personal, workplace-based, momentary or situational ones. For example, helpfulness could be easily exploited by attackers by illegal intrusion into the facility, or phishing attacks could be built based on a target’s curiosity or even fear, and tiredness or hurriedness could be used in situations of a phone attack for fake request or e-mail scams. Human factors and exploitable traits can lead to significant risk.

That is why it is important to be security aware both in the workplace and at home.
Improving the security awareness level of employees is essential. The good news is that even though they are often considered the weakest link, users can also be the first line of defense. Well-trained and security-aware employees can successfully prevent, detect and report security incidents and be the human firewall. These users know the relevant human-based threats, follow the rules, never bypass security countermeasures and, most importantly, they are aware of their role in information security.

In order to achieve this goal, organizations should organize effective security awareness improvement actions such as trainings, workshops, campaigns and gamified elements. To select the most appropriate method, to the first step is to identify focus groups, including their traits, habits and possible exploitable situations; analyze past incidents, audit/test results and security trends; and assess the needs of participants. Based on that, organizations can define the specialized content of the security awareness improvement materials and risk mitigating actions.

Nowadays, every employee has some information security knowledge; they know the threats of the human factor and how they can become a victim, but they often have a false sense of security and think that technological and physical security countermeasures are enough for defense. In my opinion, today’s security awareness trainings have to contain even more information about the human factor’s exploitable traits, habits and situations, and show the employees why they can be targets of cybersecurity attacks.

Editor’s note: For further insights on this topic, read Eszter Diána Oroszi’s recent Journal article, “Exploitable Traits as Vulnerabilities: The Human Element in Security,” ISACA Journal, volume 5, 2021. 

Don't forget—Members can earn free CPE from ISACA Journal quizzes!

ISACA Journal