Human factor key in cyber security

Marta Mallavibarrena    28 September, 2022

Dozens of vulnerabilities are discovered every day in the current landscape (an average of 50 in 2021), and attackers keep finding new and ingenious ways to exploit them. It is obvious that the cybersecurity sector needs to keep up its efforts to prevent these attacks from succeeding.

This technological race has led to countless advances and developments in the technological infrastructure of companies and institutions, but we cannot forget one critical factor: people, systems with hundreds of known vulnerabilities that have existed since the beginning of time, the vast majority of which remain unpatched.

According to data collected by Proofpoint, 20% of users interacted with e-mails containing malicious files, and another 12% followed links provided in such e-mails. Various sources put the percentage of data leaks caused by employees at between 88% and 95%. Ignoring this human factor in cyber security poses a huge risk to organisations.

Why does it happen?

Although there are countless causes and motivations for a human action to trigger a security incident, from an insider intentionally sharing company information to an accidental mistake that leaves information exposed, the focus of this article is on those cases where there is intent on the part of the attacker, but not on the part of the victim. Common examples of this type of case are phishing campaigns, vishing (by phone) and smishing (by SMS).

The techniques used in these types of attacks have not changed much over time. The same methods used by Frank Abagnale Jr. in the 1960s, or by Kevin Mitnick in the 1980s and 1990s, to carry out the frauds that made them famous are just as effective today. Some of them, such as those proposed by Cialdini, are still used in marketing and communication, and we have even discussed them previously on the blog.

If you think technology can solve your security problems, you neither understand the problems, nor understand the technology

Bruce Schneier

The set of techniques and procedures used to try to motivate the user to perform some action that benefits cybercriminals is known as Social Engineering. Although it also goes by more artistic names, such as “mental manipulation” or “human hacking”, it is nothing more than another example of persuasion or attitude change.

In this context, psychology proposes the Elaboration Likelihood Model (ELM). A person’s level of elaboration depends on two factors: their ability to understand the message, and their motivation to do so. To be honest, when reading e-mails on a Monday morning before our first coffee, we have neither.

Attitude changes in a subject who processes the message thoroughly follow the so-called “central route”; they are deeper and longer-lasting, but require stronger arguments to take effect. Fortunately for cybercriminals, the change only needs to last the few seconds it takes the victim to follow a link or enter their credentials, so the victim does not need to be paying much attention at all.

This combination of factors makes an employee suffering from fatigue, stress or lack of sleep the perfect victim of social engineering. This does not mean that we cannot fall victim to the same techniques when we are in perfect condition, but being in such a state makes us enormously more vulnerable.

What can we do about it?

Leaving aside the purely technological component and focusing on the human one, both companies and users can take measures to reduce the success of these social engineering techniques. These include awareness campaigns, training in the detection of fraudulent messages and activity, and offering reporting channels so that users can raise the alarm when they detect them, among others.

As users, also on a personal level, it is important to be aware of our digital footprint: the information available about us in cyberspace can be used to target social engineering attacks more accurately.
