The human factor in information security

It is widely recognized that an organization's employees are often the weakest link in protecting its information assets. Yet the influence of the human factor on information security has not received sufficient attention.

In this article, we focus on the relationship between the human factor and information security, describing the human vulnerabilities that can lead to unintended harm to an organization.

The human factor has a huge impact on the success or failure of efforts to secure and protect enterprises, services, systems and information. If system security is overlooked by the developer, the IT system becomes vulnerable and can be exploited by an attacker. Attackers using social engineering try to obtain confidential information by targeting the vulnerabilities of people, that is, weaknesses in the organization that arise from the characteristics and behavior of its people.

The purpose of this article is to analyze the human factor in the field of information security and to show how information security awareness can become the main tool for overcoming these shortcomings.

Some facts


Increased threats to information technology have led to new technology-oriented solutions, while research on the human factor has been limited. Organizations often ignore the human factor. A security study from Cisco Systems showed that users who work remotely still engage in activities that threaten the security of the system. A study of employee behavior showed that, having received a suspicious email, 37% would not only open the email but also follow the link, while 13% would open the attached file. In addition, after receiving an ordinary email, 42% followed the link and provided confidential information, and 30% opened a file that would supposedly improve computer performance.

A survey was conducted among security professionals and IT departments to identify their top priorities over the next few months.

About 44% of respondents said their IT departments and security professionals spent less than 20% of their time on daily operational security. Another 32% said they devoted 20 to 40% of their time to security. Only 20% of participants allocated a significant portion of their daily and weekly administrative activities to ensuring the security of their systems and networks.

Human factors


Human and organizational factors are closely related to technical information security.

Factors affecting computer security are divided into two categories, namely human factors and organizational factors. Human factors are more important than the others. They are divided into the following groups:

  1. factors related to management, namely staff workload and poor-quality work by staff;
  2. factors related to the end user.

Next, we will focus on four human factors that seriously influence user behavior.

1. Lack of motivation

Many organizations believe that employees need to be motivated to handle information assets securely, and that management should be able to determine what motivates their staff.

2. Lack of awareness

A lack of awareness is associated with a lack of general knowledge about attacks. Common examples of a lack of awareness are as follows: users do not know how to identify spyware or how important it is to choose a strong password. They do not know how to protect themselves from identity theft, nor how to control other users' access to their computer.

3. Beliefs

A common example of a risky belief is as follows: users believe that installing antivirus software solves all their data protection problems.

4. Improper use of technology

Even the best technology cannot succeed in solving information security problems without continuous human cooperation and effective use of that technology. Common examples of improper use of technology are as follows: making unauthorized reconfigurations of systems, accessing other people's passwords, and acting on invalid information. Computer security risks can be classified in several ways: abuse of privileges, errors and omissions, denial of service, social engineering, unauthorized access, identity theft, phishing, malware and unauthorized copying.

An example of the importance of the human factor in ensuring security in practice


A successful example


Results of Post Bank's implementation of a face recognition system built on the VisionLabs LUNA platform.

Post Bank uses biometric technologies to authenticate bank staff and partners when they access resources (about 70 thousand people in total), as well as in serving customers (more than 4.5 million). Coverage of individual customers is 100%. Among corporate clients, face recognition is used at their discretion (approximately 20% of them currently decline to use the technology).

The system uses a database containing the processed results of more than 10 million images of unique real people, which are also used to train the system itself. A single server of the system is able to handle up to 100 requests per second, spending no more than 2 seconds per request.

System operation statistics for 2016:

  • 4.5 thousand violations in which clients with different names used the same photos were prevented;
  • 9.2 thousand potentially fraudulent actions were stopped: applications made with lost or stolen passports (including the identification of fraudsters already in the system's database) and staff errors when entering client data;
  • four fraudsters trying to use fake documents were detained;
  • about 600 attempts to use other people's accounts were prevented.

By replacing the confirmation step of two-factor authentication that sent one-time passwords via SMS, the face recognition system saved about 3.5 million rubles per year.

According to forecasts, the implemented system helped prevent fraud losses of about 1.5 billion rubles.

Over the same period, the system saved more than 15 thousand hours of working time for front-line employees by automating the authentication of 46 thousand customers who changed certain personal data in 2016.

Unsuccessful example


Five Russian banks suffered a hacker attack in 2016. Sberbank, Alfa Bank, Otkritie, VTB Bank of Moscow and Rosbank were hit.

According to experts, the strength of the attacks ranged from "weak" to "powerful". The duration of the attacks ranged from 1 to 12 hours. Some banks suffered a series of 2 to 4 attacks. The hackers who organized the attack used a botnet (a network of infected devices) that included 24,000 Internet of Things devices.

Vice reported that the attack could have been carried out by "people dissatisfied with Russia's possible interference in the election of the US president."

Avoiding such attacks entirely is certainly impossible. However, a role was played by the employees' lack of awareness of how to act during these attacks, which is an important human factor in the work of the organization.

Also, the organization's management, in turn, should have followed some recommendations on protective measures:

  • Antiviruses (Kaspersky, Symantec, G DATA, etc.)
  • Firewalls (Entensys, Kerio, etc.)
  • Specialized DDoS protection tools (Attack Killer, Qrator, etc.)
  • Vulnerability Protection Technologies (Appercut, Checkmarx, Fortify, etc.)
  • Specialized defense against targeted attacks (Attack Killer, FireEye, etc.)


Conclusion


There is a constant battle between hackers and security experts. Unfortunately, the unpredictability of human behavior can undermine even the most secure information systems.

In this article, an attempt was made to collect and clearly define the human factors that cause security problems and to present proposals on how to overcome them. It follows that information security awareness is the key to mitigating security threats caused by human vulnerabilities. Organizations need to develop and support a culture that values positive security behavior. They need to instill this culture so that security begins and ends with every person associated with their infrastructure, their business and their services.
