By Raj Kumar

Huge investments and resources are made available to protect an organization’s information and network infrastructure, and yet security breaches and incidents hit the headlines almost daily. The main reason is that cybercriminals exploit the human layer, the people, who remain the weakest link in security because they are not made aware of the current threats facing them.

Even though it is widely accepted within the information security community that the human layer is the most important layer in securing an organization’s sensitive information, little is being done to increase the security awareness and competence of the workforce. Many organizations have yet to implement proactive security measures to remain resilient, mostly because of budget constraints, poor governance, a lack of security policies and controls, the absence of an employee awareness programme, and similar gaps.

Cybercriminals continue to find ways to exploit vulnerabilities and carry out malicious activities such as hacking, intrusion, phishing, malware, denial of service and ransomware. Social engineering tactics such as phishing email are a case in point: by targeting people rather than systems, they bypass many of the technical and administrative security controls that are in place.

People are the easiest target, and will remain so as long as they are unable to tell a well-crafted phishing email from a legitimate one.

An attacker can trick a user into performing an action such as disclosing confidential information or clicking a link in the email that downloads malware, which can infect the user’s computer and, at worst, spread across the internal corporate network. This is a highly effective attack vector today and it is becoming more sophisticated by the day.

The majority of security breaches today are the result of human error rather than technology flaws. Typical reasons are that users are poorly trained in the use of ICT; that users are aware of the security issues but still make poor security decisions; that users act with malicious intent and deliberately expose the organization to risk; and that users are not motivated to perform at the level required to be secure.

Organizations cannot protect the confidentiality, integrity and availability of information in today’s highly networked systems environment without ensuring that everyone involved in using and managing information understands their roles and responsibilities, the security policies, and the current threats and vulnerabilities.

To reduce the information security risks that arise from people’s mistakes, people must first be made aware of the importance of information security and of good information security practices. Next, they must practise (behaviour) what they know (awareness).

Awareness and behaviour are not the same thing, though they are interdependent. A person may be aware and still not behave appropriately. A good real-life example is the way drivers break traffic rules: they know the rules, yet they still break them for various reasons.

To achieve positive information security behaviour, management may need to introduce motivational, enforcement or corrective strategies. There must be a continuous process for introducing new awareness and behaviour requirements and spreading them through the organization, and existing awareness and behaviour requirements may have to be optimized.

Achieving a high level of information security awareness does not in itself mean that information security risk has been reduced. Yet information security practitioners often stop at “awareness”: they neither treat awareness as the first step towards better behaviour, nor measure whether the awareness effort has actually produced better behaviour.

Though information security practitioners understand that the “people” aspect of information security is important, there is currently no formal framework that provides guidance on managing the human factor in information security end to end. Standards such as NIST SP 800-50 and ISO/IEC 27001 require an awareness and training programme, but they do not carry it through to verified behaviour change. By framework is meant a process for identifying the business reasons for information security awareness and responsible information security behaviour, strategy guidance, delivery guidance, and a verification process that checks whether awareness has increased and behaviour has improved.
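The verification step above, and the awareness/behaviour distinction drawn earlier, can be made concrete with a small measurement. The example below is added here and is not part of the original article or any ESPC tool; it assumes a constructed data set in which awareness is measured by a post-training quiz score (pass mark 80, an assumption) and behaviour by the event log of two simulated phishing campaigns. It reports per-campaign click and report rates, places each user in an awareness-by-behaviour quadrant, and computes the share of users who passed the quiz yet still clicked, which is exactly the population an awareness-only programme would wrongly count as done.

```python
from collections import defaultdict

# Constructed sample data (hypothetical; not taken from the article).
# Awareness: post-training quiz score per user, 0-100.
TRAINING_SCORES = {
    "alice": 95, "bob": 90, "carol": 40,
    "dave": 85, "erin": 100, "frank": 55,
}

# Behaviour: event log from two simulated phishing campaigns.
# Each record is (user, campaign, event); a user may have several events.
SIMULATION_EVENTS = [
    ("alice", "Q1", "delivered"), ("alice", "Q1", "reported"),
    ("bob",   "Q1", "delivered"), ("bob",   "Q1", "clicked"), ("bob", "Q1", "submitted"),
    ("carol", "Q1", "delivered"), ("carol", "Q1", "clicked"),
    ("dave",  "Q1", "delivered"),
    ("erin",  "Q1", "delivered"), ("erin",  "Q1", "clicked"),
    ("frank", "Q1", "delivered"), ("frank", "Q1", "reported"),
    ("alice", "Q2", "delivered"), ("alice", "Q2", "reported"),
    ("bob",   "Q2", "delivered"), ("bob",   "Q2", "clicked"),
    ("carol", "Q2", "delivered"),
    ("dave",  "Q2", "delivered"), ("dave",  "Q2", "reported"),
    ("erin",  "Q2", "delivered"), ("erin",  "Q2", "reported"),
    ("frank", "Q2", "delivered"), ("frank", "Q2", "reported"),
]

AWARE_THRESHOLD = 80            # assumed pass mark for the awareness quiz
UNSAFE_EVENTS = {"clicked", "submitted"}


def campaign_metrics(events):
    """Per campaign: click rate and report rate over distinct delivered users.

    Counting distinct users rather than raw events stops one user who clicks
    twice from inflating the rate."""
    delivered = defaultdict(set)
    clicked = defaultdict(set)
    reported = defaultdict(set)
    for user, campaign, event in events:
        if event == "delivered":
            delivered[campaign].add(user)
        elif event in UNSAFE_EVENTS:
            clicked[campaign].add(user)
        elif event == "reported":
            reported[campaign].add(user)
    metrics = {}
    for campaign in sorted(delivered):
        n = len(delivered[campaign])
        metrics[campaign] = {
            "delivered": n,
            "click_rate": len(clicked[campaign] & delivered[campaign]) / n,
            "report_rate": len(reported[campaign] & delivered[campaign]) / n,
        }
    return metrics


def classify_users(scores, events, threshold=AWARE_THRESHOLD):
    """Place each user in an awareness x behaviour quadrant.

    'aware' means the quiz was passed; 'safe' means the user never clicked or
    submitted credentials in any campaign."""
    clicked_ever = {u for u, _, e in events if e in UNSAFE_EVENTS}
    quadrants = {}
    for user, score in scores.items():
        aware = "aware" if score >= threshold else "unaware"
        safe = "unsafe" if user in clicked_ever else "safe"
        quadrants[user] = f"{aware}-{safe}"
    return quadrants


def awareness_behaviour_gap(scores, events, threshold=AWARE_THRESHOLD):
    """Fraction of quiz-passing users who still clicked: the awareness/behaviour gap."""
    quadrants = classify_users(scores, events, threshold)
    aware = [q for q in quadrants.values() if q.startswith("aware-")]
    if not aware:
        return 0.0
    return sum(q == "aware-unsafe" for q in aware) / len(aware)


if __name__ == "__main__":
    for campaign, m in campaign_metrics(SIMULATION_EVENTS).items():
        print(campaign, m)
    print(classify_users(TRAINING_SCORES, SIMULATION_EVENTS))
    print("aware-but-unsafe:", awareness_behaviour_gap(TRAINING_SCORES, SIMULATION_EVENTS))
```

With the constructed data the click rate falls from 1/2 in Q1 to 1/6 in Q2 and the report rate rises from 1/3 to 2/3, which is the behaviour trend a programme should track; at the same time half of the users who passed the quiz still clicked at least once, so a quiz score alone would have overstated the programme’s effect. The campaign trend and the quadrant table are the two figures a verification process needs; neither is obtainable from training completion records.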

By being vigilant and exercising due diligence, people can mitigate many threats at the human layer. This can only be achieved through a security awareness and behaviour management programme for employees that is supported by management.

With the increasing frequency and sophistication of cyber threats aimed at people, it is ever more vital for employees to understand their cyber security responsibilities. Informing and motivating people about the importance of cyber security awareness builds a strong security culture, helps meet security compliance and regulatory requirements, reduces incidents and lost productivity, increases stakeholder confidence, protects brand and reputation, and reduces liability arising from data breaches and cyber-attacks.

DISCLAIMER: The opinions expressed in our published works are those of the author(s) and do not reflect the opinions of ESPC or its Editors. Information contained in our published works has been obtained by ESPC from sources believed to be reliable. However, neither ESPC nor its authors guarantee the accuracy or completeness of any information published herein. ESPC shall not be responsible for any errors, omissions, or claims for damages, including exemplary damages, arising out of use, inability to use, or with regard to the accuracy or sufficiency of the information contained in its publications.

All rights reserved. No part of any ESPC published work may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher.