It is widely recognized that the employees of an organization are often the weak link in protecting its information assets. Information security has not received sufficient attention from the perspective of the human factor's influence.
In this article, we focus on the relation of human factors to information security, representing human vulnerabilities that can lead to unintended harm to an organization.
The human factor has a huge impact on the success and failure of efforts to secure and protect enterprises, services, systems and information. If the security of the system is overlooked by the developer, the IT system becomes vulnerable and can be exploited by an intruder. The attackers, using social engineering, try to obtain confidential information, targeting the vulnerabilities of people - that is, weaknesses in the organization due to the characteristics and behavior of people.
The purpose of this article is to analyze the human factor in the field of information security and to examine how awareness and understanding of security can become the main tool for overcoming these shortcomings.
Some facts
Increased threats to information technology have led to new solutions focused on technological tools, while research related to human factors has remained limited. Organizations often ignore the human factor. Security research from Cisco Systems has shown that users who work remotely still engage in activities that threaten security. A study of employee behavior showed that, having received a suspicious e-mail, 37% would not only open the e-mail but also follow the link, while 13% would open the attached file. In addition, after receiving an ordinary e-mail, 42% followed the link and provided confidential information, and 30% opened a file that supposedly would improve computer performance.
A survey was conducted among security professionals and IT departments to determine their top priorities over the next few months.
About 44% of respondents said their IT and security teams spent less than 20% of their time on day-to-day operational security. Another 32% said they dedicated 20% to 40% of their time to security. Only 20% of participants allocated a significant portion of their daily and weekly administrative activities to ensuring the security of their systems and networks.
Human factors
Human and organizational factors may be related to technical information security.
The factors affecting the security of a computer are divided into two categories, namely the human factor and the organizational factor. Human factors are more important than other factors. They are divided into the following groups:
- factors that relate to management, namely the workload and poor-quality work of staff;
- factors associated with the end user.
Next, we will focus on four human factors that have significant implications for influencing user behavior.
1. Lack of motivation. Many organizations believe that employees need to be motivated to behave safely with information assets, and management should be able to determine what motivates their staff.
2. Lack of awareness. Lack of awareness is associated with a lack of general knowledge of attacks. Common examples of lack of awareness are as follows: users do not know how to detect spyware or how important it is to choose a strong password. They cannot protect themselves from identity theft, nor control other users' access to their computer.
3. Beliefs. Common examples of risky beliefs are as follows: users believe that installing antivirus software solves their data protection problems.
4. Illiterate use of technology. Even the best technology cannot succeed in solving the problems of information security without continuous human cooperation and effective use of that technology. Common examples of inappropriate use of technology include the following: unauthorized reconfiguration of systems, accessing other people's passwords, and obtaining incorrect information. Computer security risks can be classified in several ways: privilege escalation, errors and omissions, denial of service, social engineering, unauthorized access, identity theft, phishing, malware and unauthorized copies.
An example of the importance of the human factor in ensuring safety in practice
A good example
The results of implementing the facial recognition system built on the VisionLabs LUNA platform at Pochta Bank.
Pochta Bank uses biometric technologies to authenticate bank staff and partners when they access resources (about 70 thousand people in total), as well as in customer service (more than 4.5 million customers). Coverage of individual customers is one hundred percent. For corporate clients, the use of face recognition is optional (today approximately 20% of them decline to use the technology).
The system uses a database with the results of processing more than 10 million images of unique real individuals, which are simultaneously used to train the system itself. One server of the system is able to process up to 100 requests per second, spending no more than 2 seconds per request.
System operation statistics for 2016:
- 4.5 thousand violations were prevented in which the same photos were used by clients with different names;
- 9.2 thousand potentially fraudulent actions were stopped: applications made with lost or stolen passports (including identification of fraudsters in the system's database) and staff errors when entering customer data;
- four fraudsters who tried to use forged documents were detained;
- about 600 attempts to use other people's accounts were prevented.
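The first item in the list above is a duplicate-identity check: the same face enrolled under different names. As an added illustration (not code from VisionLabs, Pochta Bank or the article), the following Python script shows how such a check can be run over enrollment records. The face templates are constructed 4-dimensional vectors standing in for the embeddings a real recognition engine would produce, the names and record ids are fictional, and the similarity threshold is an assumption. Records whose faces match are clustered, and only clusters carrying more than one distinct name are reported, so a customer who was legitimately re-enrolled after changing personal data (same name, same face) does not raise an alert.

```python
from itertools import combinations
import math

# Constructed sample enrollment records: (record_id, full_name, face_embedding).
# The embeddings are made-up 4-dimensional vectors standing in for the templates
# a real face-recognition engine would produce; names and ids are fictional.
ENROLLMENTS = [
    ("r1", "Ivan Petrov",     [0.90, 0.10, 0.30, 0.20]),
    ("r2", "Ivan Petrov",     [0.91, 0.09, 0.31, 0.19]),  # same person, re-enrolled after a data change
    ("r3", "Sergey Sidorov",  [0.89, 0.11, 0.30, 0.21]),  # same face as r1/r2 under a different name
    ("r4", "Anna Smirnova",   [0.10, 0.85, 0.20, 0.40]),
    ("r5", "Olga Kuznetsova", [0.20, 0.10, 0.90, 0.30]),
]


def cosine_similarity(a, b):
    """Cosine similarity between two equal-length vectors (1.0 = identical direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def _normalize_name(name):
    """Collapse whitespace and case so trivial spelling variants compare equal."""
    return " ".join(name.split()).casefold()


def find_conflicting_identities(records, threshold=0.98):
    """Cluster records whose faces match above `threshold` (union-find over matching
    pairs) and return one alert per cluster that carries more than one distinct name.
    Clusters where every record has the same name (legitimate re-enrollment) are
    not reported. The threshold value is an assumption for this example."""
    parent = {rec[0]: rec[0] for rec in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(x, y):
        parent[find(x)] = find(y)

    # Link every pair of records whose embeddings are close enough to be the same face.
    for (id_a, _, emb_a), (id_b, _, emb_b) in combinations(records, 2):
        if cosine_similarity(emb_a, emb_b) >= threshold:
            union(id_a, id_b)

    clusters = {}
    for rid, name, _ in records:
        clusters.setdefault(find(rid), []).append((rid, name))

    alerts = []
    for members in clusters.values():
        distinct_names = {_normalize_name(name) for _, name in members}
        if len(distinct_names) > 1:
            alerts.append({
                "records": sorted(rid for rid, _ in members),
                "names": sorted({name.strip() for _, name in members}),
            })
    return sorted(alerts, key=lambda alert: alert["records"])


if __name__ == "__main__":
    for alert in find_conflicting_identities(ENROLLMENTS):
        print("review: one face enrolled under several names:", alert)
```

On the sample data the script reports a single cluster (r1, r2, r3) with the names Ivan Petrov and Sergey Sidorov; r1 and r2 alone would not be reported because they share a name. In practice the output is a review queue for staff rather than an automatic block, since near-duplicate faces can also come from data-entry errors of the kind the second item in the list describes.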
By replacing the confirmation step of two-factor authentication, which sent one-time passwords via SMS, the facial recognition system saved about 3.5 million rubles a year.
According to forecasts, the system helped prevent fraud losses of approximately 1.5 billion rubles.
Over the same period, the system saved more than 15 thousand hours of front-line staff time by automating the authentication of 46 thousand customers who changed certain personal data in 2016.
Bad example
In 2016, five Russian banks were subjected to a hacker attack: Sberbank, Alfa-Bank, Otkritie, VTB Bank of Moscow and Rosbank.
According to experts, the attack power ranged from "weak" to "powerful". The duration of the attacks ranged from 1 to 12 hours, and some banks faced a series of 2 to 4 attacks. The hackers who organized the attack used a botnet (a network of infected devices) that included 24,000 Internet of Things devices.
The Vice publication reported that behind the attack there could be "people dissatisfied with Russia's possible interference in the US presidential election."
Avoiding such attacks entirely is definitely impossible. A role was also played by the employees' lack of awareness of how such attacks operate, which is an important human factor in the work of the organization.
The management of the organization, in turn, should adhere to the following recommendations on protective measures:
- Antiviruses (Kaspersky, Symantec, G DATA, etc.)
- Protective firewalls (Entensys, Kerio, etc.)
- Specialized means of protection against DDoS (Attack Killer, Qrator, etc.)
- Vulnerability protection technologies (Appercut, Checkmarx, Fortify, etc.)
- Specialized means to protect against targeted attacks (Attack Killer, FireEye, etc.)
Conclusion
There is a constant battle between hackers and security experts. Unfortunately, the unpredictability of human behavior can destroy the most secure information systems.
In this article, an attempt was made to collect and clearly identify the human factors that cause security problems and to present proposals on how to overcome them. The conclusion is that security awareness is the key to mitigating the security threats caused by human vulnerabilities. Organizations must develop and maintain a culture that values positive security behavior. They need to instill this culture so that security begins and ends with every person connected with their infrastructure, their business and their services.