Shifting the Human Factors Paradigm in Cybersecurity
Calvin Nobles, Ph.D.
March 15, 2018
AGENDA
Human Factors Cybersecurity – The Ugly Reality
Famous Quotes
“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.” [people]
– Kevin Mitnick
Convicted in the USA for hacking major corporations, and now a world recognized security advisor.
“If you think technology [alone] can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
– Bruce Schneier
“Only amateurs attack machines; professionals target people”
– Bruce Schneier, 2000
Humans are the Foundation of Cybersecurity
Our Story
• $90 Billion global cost of information security (2017)
• Forecasting $113 Billion in 2020
• 90% of cyber incidents are human-enabled
• Complex cybersecurity operations
• Security fatigue / high tempo
• Underinvestment in cybersecurity training
• Technology remains the priority
• Increase in targeting people
• Tactical objective – people
• Strategic objective – sensitive data, intellectual property, and financial and informational assets
Human Factors
The study of human behavior on physical and cognitive performance in information security.
“Achilles Heel” of the cybersecurity
Complex Cyber Ecosystems
• Overconfident in technology, compliance
• Regulations, security controls, compliance
• Lacks focus from stakeholders
Sophisticated attacks aimed at people
• In 1996, DoD invested $220 Million in Human Factors
Human Factors
Witnessed violations of cybersecurity policies
Open all emails at work
Logged in using unsecure public networks
Used approved devices for work at home
Downloaded unapproved software at work
Shared passwords with co-workers
Of organizations lack a cyber strategy
Increase angler phishing in 2016
Human Factors
Data Breaches: 52% of data breaches cost ($4 Million per incident)
ID Attitudes: Need to mitigate dangerous attitudes
Automation: Information Overload
Organizational Culture: Address human factors; Make a Priority
Performance: Impact performance, Production, Profits
Leading Industries in Human Factors
Aviation Safety
Nuclear Power
Medicine
Space Exploration
Human factors success driven through organizational culture
COMMON MISTAKES Made by Cyber Professionals
Misconfigured Network Settings
Password Management (poor)
Privilege Creep
Violation of Standard Operations Procedures
Non-compliant Behavior
Leadership Directed Actions
Technology vulnerabilities
Cognitive Distractions
Human Factors, Technology, Automation Impacts
Human Factors Impacts Too much Technology Impacts Automation Impacts
Core Pillars easily Disrupted
Lack of Human Factor Objectives
Too much Technology
Inundated with Information
Misaligned Business and Security Objectives
Degradation of Performance
Demanding Environment
Constant Change
Cognitively challenging
Anxiety / stress fatigue
Information overload / automation misuse
Changes in the decision-making process
People become information managers
Require in-depth technical knowledge of systems
Creates complacency degrades proficiency
Information overload
Software coding errors
Delivery time supersedes cyber defense
Culture and Human Factors Principles
Integrity Process Compliance Expertise Empowerment
Standardization A questioning attitude
Human Performance Standard of Excellence
The Dirty Dozen
Lack of Communication
Inattentiveness
Lack of Resources
Stress
Lack of Team Work
Pressure
No Situational Awareness
Lack of Knowledge
Fatigue (Security)
Lethargic
No Standardization
Lack of Assertiveness
Cybersecurity Training
• Need specialty cybersecurity-specific training
• Train to the operational shortfalls
• DevOps
• Privilege creep
• Data breaches
• Misconfigurations
• Ransomware attacks
• Cyber-attacks
• Internal Training Programs
• Apprenticeship Program
Human Factors
• C-Suite driven
• Increased security
• Accuracy
• Prioritization of effort
• Identify critical phases/operations
• Enhanced operability of systems
• Increased profit and business proficiency
Bridging the Gap in Cybersecurity
Operational infancy
Difficult to measure
Theory vs Execution
Institutional Practices
Organizational Practices
The Cyber Human Error Assessment Tool
CHEAT
- Designed to support proactive assessments of cybersecurity vulnerability and to identify human-related root causes post-incident.
- Eliminate or mitigate identifiable risks.
Focus Areas
-People
-Organization
-Environment
-Technology
Expertise
-Cyber
-Psychologists
-Human Factors Experts
-Technologists
Culture
-360 degree organizational cyber assessment for all employees
-Integrate cultural objectives in the strategy
-Investigative Team
Organizational Practices
-Impact
-Performance
-Production
-Profits
Need more theoretical foundations that lead to institutional practices in human factors
What is Your Human Factors Platform?
Establishing a Platform
• Information security SMEs
• Define science of cybersecurity
• Add Cognitive scientist
• Development of operational practices
• Leverage practices from aviation, nuclear power and safety
• Operationally focused
• Develop platforms to address cybersecurity
Executive Human Factors Council
CEO
COO CIO CSO CTO
Human Factors Experts
Medical Professional
CISO
Cyber Professional
(Generic Construct)
The purpose of this council is to drive enterprise-wide human factors initiatives.
The True Enormity
The true magnitude of the human factors problem
Factors to consider:
• Industry (Financial, Retail, Healthcare)
• Complexity of cybersecurity operations
• Level of cybersecurity resiliency
• Threat Environment
• Technology
• Tempo
• Training
• Leadership’s decision making
• Culture
• Stress / Fatigue
• Lack of a Platform (Human Factors Committee)
• Human Factors and Cognitive Experts
The current approach to human factors
- Too narrow in scope
- More than a training problem
?