HFC - Human Risk Mitigation (Lesson)
Human Risk Mitigation
Humans as Risk Factors
How can humans pose a risk to the organization? By not following the rules! Many users consider security to be an inconvenience and will "go their own way" to make their life easier.
Here are a few ways that the humans in an organization present a threat to the system:
- Poor password selection, such as using a weak password and/or reusing the password for many different logins.
- Installing unauthorized hardware. Example: adding a wireless access point in the organization’s network to boost your Wi-Fi signal.
- Installing unauthorized software or hardware, which creates a situation where the organization's security controls have been bypassed; this may open a backdoor into the system.
- Downloading unauthorized game apps that could include malware.
- Responding to reverse social engineering attempts, where the attacker creates a situation so that the victim makes the initial contact.
Hoaxes are emails that often describe impossible events, highly damaging malware, or urban legends. Their intent is to frighten and mislead recipients and get them to respond and/or forward the message to friends.
Hoaxes are often discounted as being funny or harmless, but in fact they can cause real harm! For example, you receive an email that says to delete a file if found on your PC. However, you then find out that it was an important operating system (OS) file, and deleting it crashes the PC!
Reverse social engineering is a more sophisticated scam because it requires quite a bit of advance planning and relies on a reverse psychology technique. In reverse social engineering, the attacker finds a way to get the victim to make the initial contact. For example, the hacker sabotages a network, causing a problem to arise. That hacker then advertises that they are the appropriate contact to fix the problem, and when they come to fix the network problem, they request certain information from the employees, such as passwords, and get what they really wanted all along.
Mitigating Human Risk
Mitigation is defined as making things less severe by taking steps to reduce adverse effects. When we “mitigate” a risk or vulnerability, we are reducing the likelihood that it will actually become a vector for an attack. The best way to mitigate the human factor risk is to educate the users about security awareness and set clear expectations for how users will operate in the organization.
We start with setting a policy, then we create procedures as to how the policy will be implemented, and then we train users so that they understand the goal of the policy and the steps of the procedure, so they are more likely to follow the procedures. This is our best path to mitigating human risk factors!
- A policy is a guiding principle used to set direction in an organization. The organization has to decide, in general terms, how it wants its users to behave – this is the policy.
- A procedure is a series of steps to be followed to implement a policy. The organization takes the policy and creates a series of steps that everyone is expected to follow – this is the procedure.
Policy to Procedure
Typical Organization Computer Policies
Here are some typical organization computer policies:
- Acceptable Use Policy: The Acceptable Use Policy outlines the standards for responsible and ethical use of the organization's computer systems and resources. It sets clear guidelines on what constitutes appropriate use of technology, software, and network resources. This policy typically covers the use of company-provided equipment, the handling of sensitive information, the prohibition of illegal activities, software installation, and the personal use of company devices. Its purpose is to protect both the organization and its employees from legal issues and security risks, ensuring that all technology-related resources are used in a manner that is consistent with the organization's values and objectives.
- Internet Usage Policy: The Internet Usage Policy specifies the acceptable and unacceptable use of the Internet in the workplace. It aims to prevent inappropriate web browsing, ensure productive use of time, and mitigate security risks like exposure to malware and phishing attacks. This policy often includes guidelines on browsing non-work-related websites, downloading files, streaming services, and the use of social media platforms during work hours. It also addresses the importance of avoiding sites that could harm the company’s network or reputation and may involve monitoring and penalties for non-compliance to ensure adherence.
- Email Usage Policy: The Email Usage Policy governs the appropriate use of the organization’s email system. It is designed to prevent misuse of this communication tool, such as sending offensive content, spam, or confidential information to unauthorized recipients. The policy typically includes directives on how to handle sensitive information, the use of email for personal purposes, attachment and file size limits, and guidelines on professional communication standards. It helps in maintaining the security of the email system, ensures compliance with legal and regulatory requirements, and upholds the professional image of the organization.
- Clean Desk Policy: The Clean Desk Policy is focused on reducing the risk of sensitive information exposure by enforcing a tidy, clutter-free workspace. It requires employees to clear their desks at the end of the day of all papers, devices, and any other information-sensitive material. This policy is crucial for maintaining data privacy and security, especially in areas accessible to non-employees. It minimizes the risk of unauthorized access to confidential documents, reduces the chance of important papers being misplaced or lost, and contributes to a more organized and efficient working environment. The Clean Desk Policy is particularly important in sectors dealing with highly sensitive information, like finance, healthcare, and legal services.
Cybersecurity Scenarios Category Activity
Clean Desk Policy Presentation
Reflection and Wrap-up
In this lesson, you have learned how people can endanger themselves and their organizations through careless actions. You have also learned how to mitigate human risk by following policies and procedures set by your organization.
[CC BY-NC-SA 4.0 Links to an external site.] UNLESS OTHERWISE NOTED | IMAGES: LICENSED AND USED ACCORDING TO TERMS OF SUBSCRIPTION - INTENDED ONLY FOR USE WITHIN LESSON.