The Human Element of Computer Security

Posted on by Robert Moskowitz

Most organizations spend significant sums on high-tech defenses such as firewalls, anti-virus software, intrusion detection systems, and biometric locking devices as part of their computer security efforts.

But even the strongest hardware and software defenses cannot withstand the human element. The damage can be inflicted intentionally by demotivated employees or unintentionally by insufficiently trained  employees. If employees decide to breach defensive protocols intended to protect data from outsider access, then computer security becomes more challenging.

There are countless examples of how attackers can use deceptive or manipulative tactics against particular individuals in gatekeeper positions, such as by already pretending to know each other or cultivating a new trusted relationship. These attacks—often called "soft hacking"—may yield only a small amount of data at first, but they can lead to opportunities for bigger data security breaches at a later time. Think of it as a "camel's nose under the edge of the tent" situation.

It is important for IT security professionals to consider the human element when evaluating the organization's overall information security environment. They must also identify areas where a single human failure or breach of security protocol can lead to significant loss of data integrity.  It’s important to institute policies and practices that minimize the vulnerabilities associated with the human element.

Soft hackers are adept at using deceptive approaches to wheedle important tidbits of information from those who should know better than to release it. Such approaches rely on engendering false familiarity with the targeted employee, eliciting a degree of sympathy for the hacker, and developing an uncalled-for level of comfort and trust that prompts the employee to violate sensible data security policies.

One frequent source of human element errors is the growing pressure on employees to provide excellent customer service. For example, a soft hacker could get in line for a transaction with a bank teller during a busy time, engaging both other customers and employees in friendly conversation while waiting her turn. Once engaged with the teller—who is under pressure to assist all customers as quickly as possible—the soft hacker could pretend not to have her photo ID, but could proffer some other semi-official document, such as an apartment lease or a traffic ticket. If the teller accepts such proof of the soft hacker's identity, then the teller might go on to violate bank security policies and reveal specific account information to a person who is not the real account holder.

Although such a security breach seems small initially, it could later be leveraged into a more damaging threat. For example, after a soft hacker develops a relationship with an organization's target employee, he or she might induce that employee to open a seemingly innocuous email containing some form of malware. Once a malware payload is released, the organization's network could become exposed to software that gains control of the system and delivers sensitive data to the attacker.

Many of the information security controls depend on human judgment, including choices about when and whether to follow data security policies and capabilities that can be degraded by illness, fatigue, boredom, or demotivational factors. As a result, the key to closing gaps left open by the human element is training.

To minimize the dangers posed by the human element in data security systems, organizations should:

  • Educate employees about likely information security threats
  • Train employees on proper data security techniques
  • Physically bar both visitors and employees from computers that can access more sensitive data than what they require
  • Monitor employees's behavior and attitudes toward secure information and its access controls
  • Encourage employees to report when other employees deviate from security policies and procedures

The likelihood of a cyber attack is only going to increase as threats become more prevalent and sophisticated. There are a number of security measures organizations will need to take, but they all hinge on defending against the human element.

Robert Moskowitz

, New Mobility Partnerships

security awareness

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs