Human factor: an underestimated issue in cybersecurity

news

Human factor is the driving force behind most cybersecurity problems. Often, the aspect of human psychology, the human factor, does not gain the necessary attention when setting up information security measures in the organization.

female head world wide web

Human factor is considered as one of the top-10 concerns in cyberspace in 2023. It is as prominent cause of concern than external attacks. Researchers have found that approximately 88 % of all data breaches are caused by an employee mistake. So, cybersecurity is not simply a technological issue.

What does human factor mean in the context of cybersecurity?

  1. The human factor in cybersecurity refers to situations where human error results in a successful data or security breach.
  2. Human error is defined as a user error, falling for a phishing attack or a malicious insider action.
  3. It can be a result from negligence, a lack of awareness or inappropriate access controls.

Humans are considered as the weakest component in the security of any IT infrastructure and imply the greatest risks and threats to an organization.

The causes of incidents in the context of human factor

The incidents are caused both from employees with little knowledge in cybersecurity, but also from IT professionals. In the literature the human factor is divided into three large categories:

User error

The negligent employee or contractor negligence, which leads to credential theft, sums up to 74% of all insider threat incidents according to the resent survey of, Ponemon Institute, 2022 Cost of Insider Threats Global Report, and causes an average cost of $484,931 per incident.

Examples for user error would be:

  • employees are sending confidential e-mails to wrong addresses or e-mails with wrong attachments
  • using applications that can leak data
  • cases of technical misconfigurations by IT teams

The researchers have found that the main causes for human error are because of distraction while working in home office, or while employees are tired and stressed. But also, because they are working quickly and are under pressure or are burned out.

User error can happen to anyone. To err is human. It means that not only employees who lack the awareness on cybersecurity, but also IT and cybersecurity professionals, do mistakes. In our work we notice this for example when we test software that contains mistakes that is a cause of a human error.

Phishing attack

Insiders can become victims themselves due to a phishing attack. In these cases, the insiders act as a door to companies’ critical information and infrastructure. The methods for phishing attacks grow constantly. The more commonly known ones are

  • Phishing E-Mail
  • Link Manipulation
  • Fake Websites
  • CEO Fraud
  • Mobile Phishing / Smishing
  • Voice Phishing / Vishing
  • Malvertising
Phishing click-through rates depending on the department that employees work in
Source: Psychology of Human Error 2022

The research on Psychology of Human Error 2022, conducted by Tessian, delivered some very interesting results. It turned out that the phishing click-through rates vary strongly depending on the department that employees work in:

 

Data breach: the frequency of the attack vector, the average time to identify and contain a data breach by initial attack vector
Based on the IBM Security Report “Cost of a Data Breach Report 2022”

Researchers assume that the likelihood to fall for phishing attack is lower in finance, legal and operations sector is lower, due to the strict data regulations in their daily work. But this result presents again that human error can happen to anyone. The core question is how the organization is prepared for incidents like these.

Many incidents are possible only because people don’t talk to each other anymore.

There are two ground rules when one should be alerted and give extra cautious:

  • when someone puts time pressure on you and/or
  • financesor personals critical data is involved.

Malicious insider

Insider threat pose a great risk to any organization, because malicious insiders are equipped with significant amount of knowledge that allows them to place effective attacks against assets of their organisation. The attackers know where the critical information is located, where the “crown jewels” are hidden. In addition, using the inside knowledge, the time to detect the attack, is in average longer than by other types of cyber-attacks.

With insiders are several actors meant. It refers to employees, organization members, and those to whom the organization has given sensitive information and access. But also, to contractors, vendors, custodians, or repair persons. Basically, anyone that the organization has given access to sensitive information is considered as an insider.

Find out more on this issue in this blogpost

The challenges by tackling the incidents

According to IBM Security “Cost of Data Breach Report 2022”, it took organizations an average of 277 days (about nine months) to detect and report a data breach. The most common cause of data breaches in 2022 was stolen or compromised identity, with this type of attack taking approximately 243 days to detect and 84 days to contain.

The graphic demonstrates that in most of the cases insiders are involved: either as attackers or they are exploited for the purposes of the external attackers. And as mentioned above, the researchers have found that approximately 88 % of all data breaches are caused by an employee mistake.

There is not one magic tool to prevent a cyberattack

All the technical solutions help nothing when an employee opens an e-mail which is loaded with viruses. Or when the external agents get access to the organizations’ infrastructure through successful phishing, smishing or social engineering attacks.

Quite often you would hear the argument that "yes, well, but we have a firewall installed and nothing should happen." But one should not forget that a firewall is not a magic tool to prevent a cyberattack. A firewall is only an answer to existing known hacking methods. The cybercriminals develop new methods constantly, and the firewall providers only adapt to these. Not the other way around.

Organizations must be prepared for cyber incidents. Cyberattacks can get costly when not solved quickly. To counter this threat, organizations should implement an information security management system throughout the organization to secure and protect sensitive information. Organizations also need to have a business continuity management programme in place to ensure that they can continue to operate during and after an emergency or major disruption.

Most importantly, organisations need to implement a comprehensive cybersecurity training programme for all employees and contractors. The aim is to minimise the risk of insider threats arising from ignorant or careless actions by users due to a lack of knowledge about information and cybersecurity.

SEC Consult has developed several services and programs for assisting and supporting your organisation with expert knowledge in all these areas.

More On The Topic

About the author

Anna-Maria Praks
Anna-Maria Praks
SEC Consult
R&D Lead Vulnerability Lab

Anna-Maria is a professional with over 25 years’ experience in the security industry. Her areas of expertise include cyber security, defence and security policy, international relations and government affairs. Anna-Maria has worked in politics, academia and the private sector throughout her career. Since 2015, she has been working as a research and development manager at SEC Consult.

Back