Tackling The Human Factor In Security

How Employee Behaviour Is Making Businesses Vulnerable From Within

 “I don’t know how to exist before 9 A.M., and without coffee, I’m not classified as a human. Actually, I could be regarded as a threat.”

– Katie Findlay

What is harder to control: people or systems?

You can control systems as they are reasonably predictable, people – less so.

If there is a problem with the door not closing, you can either fix it or replace it. However, if someone continues to slam the door, you will have difficulty changing that person’s behaviour.

We are very aware that the biggest threat in any organisation comes from employees even when they are not behaving maliciously.

This means CEOs and other executives can no longer hide in the shadows from such risks.

Part of the CEO role is to manage organisational risk, which means that ultimate responsibility for insider threats and cyber threats must lie with the CEO.

Unfortunately, the CEO cannot pass the responsibility into someone else’s domain, such as that of the chief information security officer (CISO), should the organisation experience a data breach.

Today, it’s understood that a significant data breach will ruin the bottom line and pose enormous risks to a company’s brand, reputation, stock price, and how it’s perceived by customers, partners, and even its employees.

For many organisations, protecting their high-value assets has long been considered something of a “tick and flick”. But, unfortunately, that won’t do. Being compliant does not mean security. It does not mean that you are safe.

Compliance is like having a license to drive a car: it does not mean you are a good driver. Hence, we have road rules, speed cameras and red-light cameras to remind us to drive safely.

This mindset concerns itself more with meeting a regulator’s approval than with determining what’s best for a company’s well-being and overall success. Yet many CEOs feel this is enough and rest easy over issues of cybersecurity simply for this reason.

If top executives don’t properly address the potential risk a data breach could have on their organisations, they could soon be shown the door.

Examples:

  • Target – The retail giant’s infamous data breach in 2013 exposed the payment card information of 40 million consumers. CEO Gregg Steinhafel and several other executives resigned.
  • Sony Pictures – It was revealed in 2014 that hackers had leaked upcoming film releases, employee information and personal emails from Sony Pictures. Co-Chairman Amy Pascal.
  • Equifax – 145 million people had their personal information exposed, including names, birth dates, addresses, driver’s license numbers and social security numbers. It wasn’t a huge surprise then that CEO Richard Smith was forced to resign.

Cyber security and insider risk management is not an IT problem. It’s a business performance issue.

Since we realise that people are the biggest threat to an organisation, let me ask you the following question…why do people do what they do rather than what they are supposed to do?

Clearly, human beings are not machines!

What makes a person with a “good background” behave appallingly towards their colleagues, while another employee with “little resource” is extremely helpful and accommodating?

One thing is clear: humans are not random creatures. Every action that people take, they take for a specific reason.

The Theory of Planned Behaviour predicts an individual’s intention to engage in a behaviour. It provides an understanding of why a person carries out any behaviour.

The performance of a behaviour is determined by the individual’s intention to engage in it (influenced by the value the individual places on the behaviour, the ease with which it can be performed and the views of significant others) and the perception that the behaviour is within their control.

Let’s take the example of a policy that requires you to lock your workstation screen when leaving your desk. We all know that we should do this, but some don’t. The question is, why?

According to the theory of planned behaviour, it could be several reasons:

  • Behavioural attitude – Some may feel that they don’t like locking their computer or it isn’t essential.
  • Subjective norms – Perhaps management or others don’t follow such policies, so they feel they don’t need to adhere to such rules.
  • Perceived behavioural control – Locking a workstation is a “pain” if entering the password is perceived as cumbersome.

Yet there is a simpler model to explain why people do what they do. There is a single driving force behind all human behaviour. This force impacts every facet of our lives, from relationships and finances to our bodies and brains: pain and pleasure!

Everything you and I do, we do either out of a need to avoid pain or our desire to gain pleasure. This is, for certain, how humans are wired.

 “When a behaviour is easier to do, it is more likely people will do it.”
– Nir Eyal, author of Hooked

After all, what is procrastination? It’s when you know you should do something, but you still don’t do it. Why not? The answer is simple: at some level, you believe that taking action at this moment would be more painful than just putting it off. Yet there comes a time when you have put something off for so long that you suddenly feel pressure just to do it. What happened? You changed what you linked to pain and pleasure. Suddenly not taking action became more painful than putting it off.

Let’s take password management. People know that password security is essential and is a good thing. Yet, why do users have poor password hygiene?

Pain:

  • They have to create complex and lengthy passwords for every application connection. It’s cumbersome and time-consuming.
  • It’s difficult to remember a single complex password, let alone several of them.
  • Having to change passwords regularly is annoying.

How do users move away from pain?

  • They use simple, easily guessable passwords that are easy to remember, such as 123456, monkey, password, iloveyou, qwerty, abc123
  • They reuse the same passwords for multiple applications

Poor password hygiene persists primarily because we have made it a painful and challenging process. Until that changes, the problem will stay.

 “The human brain is immensely complex and powerful. Yet, though it’s capable of incredible feats, we don’t like to use it more than we have to. Given the choice, we opt for the least mental effort. So, when we can, we tend to go for not what’s most rewarding, but what’s easiest.”
– (Rethinking The Human Factor –  Bruce Hallas)

Let’s take another example… “corporate policies.”

According to research completed by CEB, more than 90% of employees violate policies designed to prevent data breaches.

The question is, why?

Organisations believe that corporate policies will help ensure that employees behave in a certain controllable way.

Policies answer questions about what behaviour is expected of employees and how non-compliance is dealt with.

Unfortunately, the majority of organisations are unable to enforce corporate policies, and here are the reasons why (pain):

  • Corporate policies are often convoluted, complicated and not translated into a meaningful and useable language.
  • Corporate policies are rarely followed by management and executives.
  • Corporate policies are old, not relevant and haven’t been updated.
  • Corporate policies don’t include strategic relevance and context.
  • Corporate policies aren’t linked to the organisation’s values.
  • Corporate policies are not effectively and strategically communicated.
  • Those who break corporate policies are rarely reprimanded.

If you assume that “force” is the only way to bring about the right behavioural change around policies and controls, you are mistaken.

Of course, human behaviour is such that if you try to change another person’s behaviour, they naturally resist (pain). That’s because they value their perceived freedom of choice and feel pressured and trapped when things are imposed.

Traditional guidance regarding how to defend against insider threats focuses primarily on negative incentives (pain), which constrain employee behaviour or detect and punish misbehaviour. However, when relied on excessively, these incentives can result in unintended negative consequences that exacerbate the threat: they fail to prevent damage and alienate staff even further.

On the other hand, positive incentives (pleasure) can complement traditional practices by encouraging employees to act in the organisation’s interest by fostering a sense of commitment to the organisation, the work and co-workers.

Instead of solely focusing on making sure employees don’t misbehave, positive incentives create a work environment where employees are internally driven to contribute to the organisation only in positive ways.

Let me ask you a question… why don’t cyber awareness programs work?

Simple answer: There is a disconnect between awareness and behaviour.

Given everything discussed above, we can no longer assume that our problems will be solved by technical means alone. In the past, we could invest in sophisticated security systems, and that was enough to maintain an adequate level of security.

 “With only a hammer as part of the toolbox, we tend to treat every problem as a nail.”
– Bruce Hallas

No technology can pinpoint with definite certainty that a person is a threat to an organisation. Think about it: nobody walks into the office with a red jacket and a sign stuck to their forehead claiming that they are a threat to the organisation.

Organisations are a collection of people who share a common purpose. People within organisations unite to focus their various capabilities and skills toward achieving personal and business goals.

If people are both the problem and the solution, then it seems somewhat perverse that we should try and solve the problem using only technology.

In research conducted by the Ponemon Institute, CISOs were asked what was top of their threat list.

Not technology! Not hackers! Not malware!

But people!

For many CISOs, the “human element” is their overriding concern and yet, as an industry, they still tend to treat weakness in information security as a technology problem.