Shifting The Human Factors Paradigm In Cybersecurity - Dr. Calvin Nobles - NIST

Transcription

Shifting the Human Factors Paradigm in Cybersecurity
Calvin Nobles, Ph.D.
March 15, 2018

AGENDA
- Human Factors
- Cybersecurity – The Ugly Reality

Famous Quotes

"Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain." [people]
– Kevin Mitnick, convicted in the USA for hacking major corporations, and now a world recognized security advisor.

"If you think technology [alone] can solve your security problems, then you don't understand the problems and you don't understand the technology."
– Bruce Schneier

"Only amateurs attack machines; professionals target people."
– Bruce Schneier, 2000

Humans are the Foundation of Cybersecurity

Our Story
- 90 Billion global cost of information security (2017)
- Forecasting 113 Billion in 2020
- 90% of cyber incidents are human-enabled
- Complex cybersecurity operations
- Security fatigue / high tempo
- Underinvestment in cybersecurity training
- Technology remains the priority
- Increase in targeting people
- Tactical objective – people
- Strategic objective – sensitive data, intellectual property, and financial and informational assets

Human Factors
The study of human behavior on physical and cognitive performance in information security.
- "Achilles Heel" of cybersecurity
- Complex cyber ecosystems
- Over confident in technology, compliance
- Regulations, security controls, compliance
- Lacks focus from stakeholders
- Sophisticated attacks aimed at people
- In 1996, DoD invested 220 Million in Human Factors

Human Factors
- Witnessed violations of cybersecurity policies
- Open all emails at work
- Logged in using unsecure public networks
- Used approved devices for work at home
- Downloaded unapproved software at work
- Shared passwords with co-workers
- Of organizations lack a cyber strategy
- Increase in angler phishing in 2016

Human Factors
- Data Breaches
- ID Attitudes
- 52% of data breaches
- cost (4 Million per incident)
- Need to rload
- Organizational Culture
- Address human factors
- Make a ofits

Leading Industries in Human oration
Human factors success driven through organizational culture

Violations Made by Cyber Professionals

Human Factors, Technology, Automation Impacts
(three columns on the slide: Human Factors Impacts / Too much Technology Impacts / Automation Impacts)
- Core pillars easily disrupted
- Degradation of performance
- Changes in the decision making process
- Lack of human factor objectives
- Demanding environment
- People become information managers
- Too much technology
- Constant change
- Require in-depth technical knowledge of systems
- Inundated with information
- Cognitively challenging
- Creates complacency, degrades proficiency
- Misaligned business and security objectives
- Anxiety / stress / fatigue
- Information overload
- Information overload / automation misuse
- Software coding errors
- Delivery time supersedes cyber defense

Culture and Human Factors Principles
- Integrity
- Process Compliance
- A questioning attitude
- Expertise
- Standardization
- Empowerment

Human Performance Standard of Excellence
The Dirty Dozen
- Lack of Communication
- Lack of Resources
- Lack of Team Work
- No ss
- Stress
- Pressure
- Lack of Knowledge
- Lethargic
- No Standardization
- Lack of Assertiveness

Cybersecurity Training
- Need specialty cybersecurity-specific training
- Train to the operational shortfalls:
  - DevOps
  - Privilege creep
  - Data breaches
  - Misconfigurations
  - Ransomware attacks
  - Cyber-attacks
- Internal Training Programs
- Apprenticeship Program

Human Factors – C-Suite Driven
- Increased security
- Accuracy
- Prioritization of effort
- Identify critical phases/operations
- Enhanced operability of systems
- Increased profit and business proficiency

Bridging the Gap in Cybersecurity
- Operational infancy
- Theory vs. Execution
- Difficult to measure
- Organizational Practices
- Institutional Practices

The Cyber Human Error Assessment Tool (CHEAT)
Designed to support proactive assessments of cyber-security vulnerability and to identify human-related root causes post-incident.
- Focus pertise
- Cyber-Psychologists
- Human Factors s
- 360 degree organizational cyber assessment for all employees
- Impact
- Integrate cultural objectives in the strategy
- Production
- Investigative Team
- Profits
- Performance
- Eliminate or mitigate identifiable risks.
Need more theoretical foundations that lead to institutional practices in human factors.

What is Your Human Factors Platform?

Establishing a Platform
- Information security SMEs
- Add development of operational practices
- Cognitive scientist
- Develop platforms to address cybersecurity
- Define science of cybersecurity
- Leverage practices from aviation, nuclear power and safety
- Operationally focused

Executive Human Factors Council (Generic Construct)
- CEO
- Human ofessional
- CSO
- CTO
The purpose of this council is to drive enterprise-wide human factors initiatives.

The True Enormity
The current approach to human factors:
- Too narrow in scope
- More than a training problem
Factors to consider:
- Industry (Financial, Retail, Healthcare)
- Complexity of cybersecurity operations
- Level of cybersecurity resiliency
- Threat environment
- Technology
- Tempo
- Training
- Leadership's decision-making
- Culture
- Stress / Fatigue
- Lack of a platform (Human Factors Committee)
- Human factors and cognitive experts
The true magnitude of the human factors problem

?
