The prevailing view of the "user problem" is that a malicious party tricks well-intentioned users. In practice, users who are unaware, apathetic, or careless are more often the cause of loss than users who are deliberately targeted. Either way, the cybersecurity industry recognizes the problem and deploys individual tactics such as awareness training, MFA, and DLP to mitigate it. Despite all of these tactics, the premise of this talk is that more than 90% of losses still result from attacks that go through users. What this talk proposes is a comprehensive strategy for addressing the insider threat, whether it originates with malicious or well-meaning insiders.
I refer to this comprehensive strategy as Human Security Engineering (HSE). It involves building a model, structured much like the MITRE ATT&CK framework, that identifies how a user-enabled loss is made possible, how it is initiated, and where it is best mitigated before it is realized. Applying HSE, security professionals can look at the entire sequence of a potential loss and determine what countermeasures are most cost effective and where in the sequence they belong. Applying individual tactics in isolation has proved ineffective at stopping the problem at scale. At least one company has begun to implement HSE and has drastically cut its phishing losses.
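To make the "whole sequence" reasoning concrete, here is an added illustrative model in Python. It is not the speaker's HSE model or any company's data: the three stages (enabled, initiated, realized), the phishing-to-fraudulent-transfer sequence, and every probability, reduction factor, and cost are constructed for the example. The point it demonstrates is that ranking countermeasures by expected loss avoided per unit of cost across the full sequence can put a control late in the chain ahead of the user-facing tactic that an awareness-first approach would buy first.

```python
"""Illustrative loss-sequence model (constructed example, not the speaker's HSE framework)."""
from dataclasses import dataclass, field

# Assumed stage names: a loss has to be enabled, then initiated by a user
# action, then realized by the attacker before money or data is actually lost.
STAGES = ("enabled", "initiated", "realized")


@dataclass(frozen=True)
class Control:
    name: str
    stage: str        # which stage of the sequence the control acts on
    reduction: float  # fraction of that stage's probability it removes
    cost: float       # annual cost, in the same currency unit as impact


@dataclass
class LossSequence:
    name: str
    impact: float                            # loss if the sequence completes
    p: dict = field(default_factory=dict)    # probability of passing each stage

    def expected_loss(self, controls=()):
        """Expected loss with the given controls applied at their stages."""
        prob = 1.0
        for stage in STAGES:
            stage_p = self.p[stage]
            for c in controls:
                if c.stage == stage:
                    stage_p *= (1.0 - c.reduction)
            prob *= stage_p
        return prob * self.impact


def rank_controls(seq, controls, chosen=()):
    """Rank not-yet-chosen controls by expected loss avoided per unit cost,
    measured against the sequence with `chosen` already in place."""
    base = seq.expected_loss(chosen)
    rows = []
    for c in controls:
        if c in chosen:
            continue
        saved = base - seq.expected_loss(tuple(chosen) + (c,))
        rows.append((saved / c.cost, saved, c))
    rows.sort(key=lambda r: r[0], reverse=True)
    return rows


def select_under_budget(seq, controls, budget):
    """Greedy selection: repeatedly add the control with the best marginal
    loss-avoided-per-cost that still fits the remaining budget."""
    chosen, spent = [], 0.0
    while True:
        candidates = [r for r in rank_controls(seq, controls, tuple(chosen))
                      if r[1] > 0 and r[2].cost <= budget - spent]
        if not candidates:
            break
        best = candidates[0][2]
        chosen.append(best)
        spent += best.cost
    return chosen, spent, seq.expected_loss(tuple(chosen))


# Constructed sequence: phishing mail -> user enters credentials -> attacker
# moves money. Impact and probabilities are illustrative, not measured.
PHISHING = LossSequence(
    name="phishing -> credential theft -> fraudulent transfer",
    impact=1_000_000.0,
    p={"enabled": 0.9, "initiated": 0.3, "realized": 0.5},
)

# Constructed controls, one or more per stage. Costs and reductions are assumptions.
CONTROLS = (
    Control("awareness training", "initiated", reduction=0.3, cost=50_000.0),
    Control("MFA on mail and finance apps", "realized", reduction=0.9, cost=80_000.0),
    Control("inbound mail filtering", "enabled", reduction=0.6, cost=40_000.0),
    Control("dual approval on payments", "realized", reduction=0.7, cost=30_000.0),
)

if __name__ == "__main__":
    print(f"baseline expected loss: {PHISHING.expected_loss():,.0f}")
    for per_cost, saved, c in rank_controls(PHISHING, CONTROLS):
        print(f"{c.name:32} stage={c.stage:9} saved={saved:>10,.0f} per cost={per_cost:.2f}")
    chosen, spent, loss = select_under_budget(PHISHING, CONTROLS, budget=150_000.0)
    print("chosen:", [c.name for c in chosen], f"spent={spent:,.0f} residual loss={loss:,.0f}")
```

With these constructed numbers the cheapest control at the realization stage (dual approval) ranks first and awareness training ranks last, even though awareness is the only control aimed directly at the user. That is the practical reading of the strategy: evaluate each tactic by where it sits in the sequence and what it removes per unit of spend, rather than by whether it targets the human.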
Questions & Discussion Points
- What about those who tout the "human firewall"?
- Are users really our best last line of defense?
- What is a practical way to implement the strategy described here?