People are the key to security

Laura Bell is the founder and lead consultant at SafeStack. With a background in software development, penetration testing and information security, Bell has made a career from challenging traditional fear-based formal governance approaches. In her plenary session presentation at AusCERT 2015, Bell put the challenge out to change the way we approach human security risk. Her call is “Let's protect our people”.

Invoking the old “People, Processes and Technology” mantra that formed part of almost everyone’s IT education, Bell said we focus so much of our attention on “magic boxes… because we don’t have to sympathise or empathise with a computer. We can do bad things to it all day long and it will never cry, never complain to our managers”.

“But we all know technology is only part of the problem,” Bell says. “The rest of it is people and processes”.

The people issues are complex, says Bell. We live in a very complex world but we also think we know what’s in front of us. That’s why phishing emails with misspelled words work – we simply don’t see the mistakes a lot of the time.

One of the most common approaches applied to dealing with the human element of security is to use “security awareness training”. But this approach is flawed in Bell’s view.

“Compliance has us racing to the bottom”.

Citing PCI, ISO, federal regulations and other obligations, Bell says that focus has us missing the point.

“This is not how humans learn. We have forgotten about the entire world of education but found clipart”, Bell says, while reminding the audience about some of the horrible security awareness posters many of them had in their offices and advising them to burn them.

She had much the same advice for security awareness videos.

One of the issues is that the effectiveness and return on investment of security awareness is rarely measured. In contrast, the adversaries are measuring the effectiveness of their efforts and refining them based on those metrics.

With email such an effective attack vector, Bell told the AusCERT delegates many of her clients globally were moving away from email as a core communications platform, preferring chat-based systems. This was an example of moving away from vulnerable platforms rather than investing in expensive tools that are decreasingly effective against fast-moving and well-resourced adversaries.

In advocating for a people-based approach, Bell and her team have developed AVA (Assessment, Visualization and Analysis). This tool maps what is often missed by organizational charts – or organograms, as Bell quaintly called them, in the hope of resurrecting that term.

By mapping the actual relationships between people, departments and data, it becomes possible to assess a company and find the real, often unknown, points of risk.

“If we applied the same mindset as we do for testing technology to humans; what if we can have that same cold-hearted, killer instinct where we don’t care if things get hurt or upset and applied it to people?” she asks.

This level of deep analysis is likely to reveal new information, says Bell. In her view, we really don’t know what our organisations look like.

This approach means you can learn about new points of attack. For example, rather than directly attack a specific target, it might be possible to reach a target through one of their other relationships. A simplistic example might be compromising a CEO’s email by spear-phishing their assistant.
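As an added illustration of the relationship mapping described above (example code, not the article's, the talk's or SafeStack's AVA), here is a small Python model with constructed people, departments and data. It ranks people by the sensitive data they can reach only through someone else, which is exactly the kind of exposure an org chart hides, and shows the route for each.

```python
from collections import defaultdict, deque

# Constructed sample data (not a real organisation): who can act through whom,
# and which data each person owns outright. Not AVA or SafeStack code.
RELATIONSHIPS = [
    ("assistant", "ceo", "delegated mailbox access"),
    ("ceo", "board-papers", "owner"),
    ("cfo", "finance-db", "owner"),
    ("contractor", "cfo", "shared admin login"),
    ("hr-lead", "payroll", "owner"),
    ("helpdesk", "hr-lead", "can reset password"),
    ("helpdesk", "assistant", "can reset password"),
]
SENSITIVE_DATA = {"board-papers", "finance-db", "payroll"}

def build_graph(relationships):
    graph = defaultdict(list)
    for src, dst, how in relationships:
        graph[src].append((dst, how))
    return graph

def paths_to_data(graph, start, sensitive):
    """BFS from start; return {asset: [(node, relationship), ...]} for each
    sensitive asset reached, so the route is shown rather than just the fact."""
    found, seen, queue = {}, {start}, deque([(start, [])])
    while queue:
        node, route = queue.popleft()
        for nxt, how in graph.get(node, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            new_route = route + [(nxt, how)]
            if nxt in sensitive:
                found[nxt] = new_route  # first discovery in BFS is the shortest route
            else:
                queue.append((nxt, new_route))
    return found

def exposure_report(relationships, sensitive):
    """Rank people by how many sensitive assets they reach only *indirectly*
    (through at least one other person): the links an org chart hides."""
    graph = build_graph(relationships)
    people = ({s for s, _, _ in relationships} | {d for _, d, _ in relationships}) - sensitive
    report = {}
    for person in people:
        routes = paths_to_data(graph, person, sensitive)
        indirect = {a: r for a, r in routes.items() if len(r) > 1}
        if indirect:
            report[person] = indirect
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))
```

On the sample data the helpdesk role surfaces first: it owns no data itself, yet it reaches two sensitive assets through the people whose passwords it can reset.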

Dealing with user behaviour in a positive way is key according to Bell. For example, many of us are exposed to potential threats without even thinking about them.

“We need to make it OK for us to point these things out and say this looks exactly like the thing we should look for as malware,” Bell says, pointing out this will encourage positive behaviour.

Using this data-driven approach, Bell says it’s possible to accurately map the relationships between people and dynamically react when a new threat enters, as it’s possible to better understand who is being targeted and what data is actually at risk.

“It's time to get closer to our people”.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
