Showing posts with label People Security. Show all posts

Friday, April 15, 2022

People Centric Security – reframing your perception

Making people a strong asset in the management of risk

During my time working in information security, it's not been unusual to hear comments like "people are the weakest link in security". I suspect this is caused, in part, by the knowledge and experience of those working in the industry often coming from a background in technology. This can lead to an unconscious bias towards technology and process over people. It's true that people make mistakes, but in the same sense technology controls can be poorly designed / configured and badly operated.

People represent one of the core pillars in running an effective security programme along with process and technology. Rather than viewing them as the weakest link, change your perception to consider how they can become your strongest asset.

In this article I introduce topics on security behaviour and psychological safety. I then provide some suggestions of what you can do to improve attitudes, perceptions and engagement with the security team.

It can be hard to know where to even get started improving people related security. Companies typically start by providing compliance focused awareness initiatives to meet the needs of regulation or standards. If you want to make a genuine impact on improving people security you need to focus on behaviour / culture change and the delivery of secure behaviours.

You don’t need to be an expert in behavioural psychology to get started!

Secure Behaviour

A good security behaviour is a combination of walking the walk and talking the talk. Saying and doing. To change people's behaviour, you need to consider the factors that are influential in its delivery. The following three factors are from the COM-B model. Consider what you can do to improve each of these factors in your organisation.

Capability (need to know)

Do staff have the knowledge, skills and abilities required to engage in a particular behaviour?

They can't just be expected to know what you want of them. Invest in your staff so that they can develop the capabilities (e.g. reporting incidents, identifying phishing emails) they need to act securely.

Motivation (need to feel)

Do staff have a reason to act in a certain way? Do they perceive a benefit in performing a behaviour overriding the competing behaviour to not do it? What is their attitude towards a particular topic?

If staff have a poor attitude to security this increases the likelihood that they won't perform secure behaviours. Consider a situation where an individual perceives a security control as adding little to no value. In this scenario the individual has low motivation and is unlikely to follow the required security behaviour. This may lead them into circumventing it and perhaps even encouraging others to do so.

Opportunity (need to have)

Do external factors make the execution of a particular behaviour possible?

Communication

How are you communicating the behaviour? How much of your target audience are you reaching, and are they engaging with your communications?

Usability

How easy is it to do the right thing? Do what you can to reduce friction and make it easy for staff to perform in the right way. Removal of friction increases the likelihood of staff behaving securely.

Leadership

Do senior leaders have an impact, offer support and lead by example? It's difficult to deliver a culture of security without having senior level support. If senior leaders undermine security initiatives or don't follow security behaviours, this will foster a poor culture of security.

Psychological safety

Most staff go to work to be effective in their role. Security by its very nature can add friction into business processes making it more difficult for staff to achieve their (non-security) objectives. Information Security doesn’t exist in a silo and is there to enable the organisation to operate effectively whilst balancing that against the management of security risk.

For your security programme to be effective you want to develop a psychologically safe environment where people are comfortable in expressing and being themselves. Most people want to look smart, capable and helpful. In contrast they don’t want to look ignorant, incompetent or disruptive. This fear over perception can lead to people taking the safe option of staying quiet rather than raising their thoughts and opinions.

Making it safe

There are different approaches that you can take that will either encourage engagement or lead to avoidance of the security team.

General engagements

It is the role of the team to engage with a wide range of stakeholders across the organisation. The way you manage these engagements will impact staff attitudes and perception of security which in turn influences staff motivation (positively or negatively) to behave securely.

It is important to note that senior staff can often feel safer engaging with others. In contrast, those in lower status roles can feel less safe, especially when dealing with more senior staff. Make sure you treat all staff with the same level of trust and respect regardless of their status in the organisation.

The following are some suggestions on what you can do. These may seem obvious but in my experience they are often lacking.

  • Develop a culture of listening and actively seek feedback. Understand people's attitude / perception of security; this will help you to understand what does / doesn't work, and adapt.
  • Respond in an appreciative, respectful and productive manner.
  • Invite participation and a sharing of knowledge. Be open to people raising concerns, questions, mistakes and ideas.
  • Provide constructive feedback. Ensure you avoid being critical of the individual.
  • Be willing to accept when you are wrong. This provides you with a valuable opportunity to learn / develop.
  • Be open to discussion / debate.
  • Treat staff with trust and respect. Avoid embarrassing or belittling staff.
  • Act on constructive feedback. Consider feedback and act on the information provided to you. Failure to take, or be seen to take, any action can lead to people feeling a sense of futility in reporting.

Incidents / breaches

The information security team need staff to be willing to report incidents and breaches. It's only possible to contain / minimise the impact of those that you are aware of.

In an incident / breach scenario there will be an increased level of fear from the individual reporting. This is due to the fact that what they are reporting often relates to personal mistakes. In this situation people can perceive it to be safer to cover up the situation rather than admit to any level of incompetence.

In a situation of heightened stress it can be easy to jump to conclusions and attribute blame to others. We each frame situations based on our own knowledge and experience. Take the time to reframe and understand situations from the perspective of the reporter rather than being quick to base it on your own assumptions.

From experience the key change you need to make relates to blameless reporting. Shift away from the belief that incompetence was to blame for an incident or breach. This will help to address staff fear of reporting.

Summary

Focus on making people a strong asset in the management of security risk rather than perceiving them as a weakness. Target your security programme at delivering secure behaviour and endeavour to make people feel psychologically safe when engaging with the security team.

A combination of these approaches will help to transform people security and develop a security oriented culture within your organisation.

For further information on delivering behaviour focussed security take a look at a previously posted article.

Thursday, July 1, 2021

How to identify people related phishing vulnerabilities

Phishing is a significant threat to organisations and remains a common vector that threat actors use to compromise them. Whilst traditional email defences will block most malicious emails from reaching your employees, there will always remain a portion that gets through. This is where the security capability of your employees is key in the detection and reporting of phishing-based threats.

In this article I’m focusing on how to gain visibility of people related phishing vulnerabilities to support in increasing the security capabilities of your own employees. Whilst technical controls remain important the people related aspects are often overlooked and under resourced. This is not surprising with many referring to people as being the weakest link in company security. A paradigm shift to seeing them as a significant asset in your defence in depth approach to security will deliver significant value and increase the effectiveness of both your technical and process related controls.

What do you want to achieve?

Your goal is to reduce the risk phishing poses to your organisation. Whilst you will never eliminate the risk, you can take significant steps towards achieving your goal through the delivery of the below objectives:

  • Building visibility of people related vulnerabilities;
  • Increasing the capability of staff to spot phishing scams;
  • Increasing the willingness of staff to report phishing.

The following sections look at each of these objectives and describe what actions you can take to achieve them.

Building visibility of people related vulnerabilities

Undertake phishing testing against all or targeted individuals / groups at frequent intervals. Whilst they need to be operated at set intervals, make sure these aren't done too frequently (i.e. not more than once every 6 weeks to the same individual) and check the timings aren't predictable.

You will need to vary the lures, difficulty and types of phishing (link, attachment, credential harvesting) to identify which employees are susceptible to certain types of threat. Prioritise testing according to the genuine threats employees are proving vulnerable to.

Increasing the capability of staff to spot phishing scams

As you increasingly identify people related vulnerabilities, you will need to deliver bespoke / targeted training and awareness to help increase staff capabilities. Whilst bulk training may help to improve general capabilities around basic phishing threats, it will not help your staff to identify the more sophisticated threats that are being specifically targeted at individuals in your organisation.

Everyone is susceptible to phishing threats but at varying degrees of difficulty and lures. You need to identify these and specifically focus on addressing the needs of individuals.

Increasing the willingness of staff to report phishing

Build a culture of security where employees know the importance of their role in keeping the organisation safe. You want employees to report phishing emails quickly to give the security team the opportunity to mitigate the threat before a wider audience has the opportunity to be compromised by it.

Building visibility

Visibility of people related phishing vulnerabilities can be achieved through a combination of operating phishing testing and analysing genuine threats. This will provide great insight into the types of emails individual employees are vulnerable to.

When running phishing testing against your employees you will find it challenging to understand individual vulnerabilities when the main measures you have to work with are:

  • Click rate - based on links;
  • Compromised rate - based on staff giving away sensitive information (data harvesting) or clicking on suspicious attachments;
  • Average Failure Rate – benchmarked failure rate across different organisations.

Whilst these are useful indicators in trending progress at an aggregated (high) level, they are not particularly suited to explaining vulnerabilities at a granular level.

NIST Phish Scale

In 2020 NIST published a research article introducing a means of categorising human phishing difficulty using a method called Phish Scale. The method uses a scoring mechanism to calculate the difficulty according to the number of cues visible in the email combined with the premise (applicability, alignment or relevancy) to the organisation. Premise considers the threat within the context of both inside and outside of the organisation.

One of the key failings of using a benchmark figure to compare organisations is that the premise (context) rating of the phishing threats will vary across organisations. For instance, a phishing email themed on a technology has a far greater likelihood of being effective if a given organisation is using that technology. So what is a difficult threat in one organisation may lack relevance and be perceived as easy within another.

As with any research paper, the challenge is to take it from an academic concept and apply it to provide beneficial outcomes in a real-world scenario. The method (unlike many others) can be fairly easily translated into a workable assessment tool, even if this is just via a spreadsheet.

Whilst the fundamentals behind the method are great there are still opportunities for refinement.

Phish Scale - potential improvements

I have personally supplemented the existing cues to include unfamiliar tone, overly vague and unusual request as well as updating cue names, descriptions and criteria to make them easier to understand / apply.

The common tactic section of cues suffers from being very specific. In this form, for the list to be effective it would need to be actively developed and would require ongoing maintenance to keep it relevant with changing tactics.

The list can be more effectively represented through utilisation of the 6 types of social power. Each of the existing tactics can be matched to at least one social power. I recommend reading the linked article to understand more about these. They are useful in building an understanding of the techniques used by threat actors to persuade people to undertake their desired actions.

The premise calculations provide a good articulation of context but it is valuable to detail the lure/s (something that tempts or is used to tempt) used in the email as these are important factors in understanding why certain individuals are proving susceptible to it.
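One way to turn the method into the workable assessment tool described above, as an added example that is not part of the original post or of the NIST paper: the cue thresholds, premise element weights and difficulty matrix are my assumptions modelled on the paper and should be checked against the published values; the campaign data is constructed, and the per-employee profile records the lures and difficulty bands each person fell for, as the post recommends.

```python
from collections import defaultdict

# Premise-alignment elements. Assumption: each rated 0..8 (0 = not applicable,
# 8 = extreme); prior training counts inversely, since a well-trained theme lowers alignment.
ALIGNING = ("mimics_process", "workplace_relevance", "aligns_with_events", "concern_if_ignored")

def cue_band(cue_count):
    """Bucket visible cues. Assumed thresholds: few <= 8, some 9-14, many >= 15."""
    if cue_count <= 8:
        return "few"
    return "some" if cue_count <= 14 else "many"

def premise_band(ratings):
    """Sum the premise elements. Assumed bands: high >= 18, medium 11-17, low <= 10."""
    total = sum(ratings.get(k, 0) for k in ALIGNING) + (8 - ratings.get("trained", 0))
    if total >= 18:
        return "high"
    return "medium" if total >= 11 else "low"

# Detection-difficulty matrix (assumed from the NIST paper): fewer cues plus a
# better-aligned premise make the email harder for a person to spot.
DIFFICULTY = {
    ("few", "high"): "very", ("few", "medium"): "very", ("few", "low"): "moderate",
    ("some", "high"): "very", ("some", "medium"): "moderate", ("some", "low"): "moderate/least",
    ("many", "high"): "moderate", ("many", "medium"): "moderate/least", ("many", "low"): "least",
}

def rate_email(email):
    return DIFFICULTY[(cue_band(len(email["cues"])), premise_band(email["premise"]))]

def susceptibility_profile(emails, results):
    """Per employee: tests sent, and the difficulty bands and lures they fell for.
    Each result row is (employee, email_id, failed)."""
    profile = defaultdict(lambda: {"sent": 0, "failed_bands": set(), "failed_lures": set()})
    for employee, email_id, failed in results:
        profile[employee]["sent"] += 1
        if failed:
            profile[employee]["failed_bands"].add(rate_email(emails[email_id]))
            profile[employee]["failed_lures"].update(emails[email_id]["lures"])
    return dict(profile)

# Constructed sample campaign (not real data). Cue names follow the Phish Scale
# categories plus the post's proposed additions ("unusual request", "unfamiliar tone").
EMAILS = {
    "T1": {"cues": ["generic greeting", "typos", "mismatched URL", "spoofed sender", "no logo",
                    "poor design", "asks for password", "urgency", "threat", "prize"],
           "premise": {"mimics_process": 2, "workplace_relevance": 2, "trained": 8}, "lures": ["reward"]},
    "T2": {"cues": ["unusual request", "unfamiliar tone"],
           "premise": {"mimics_process": 8, "workplace_relevance": 8, "concern_if_ignored": 6, "trained": 0},
           "lures": ["authority", "urgency"]},
}
RESULTS = [("alice", "T1", False), ("alice", "T2", True), ("bob", "T1", True), ("bob", "T2", True)]
```

Running `susceptibility_profile(EMAILS, RESULTS)` shows that alice only fell for the "very" difficult authority/urgency email, while bob also fell for the easier reward lure, which is the kind of granular view the aggregate click rate cannot give.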

Summary

The NIST Phish Scale method has helped me to fill a gap in understanding people related vulnerabilities. It can be applied to both test phishing campaign emails as well as genuine phishing emails. Through combining your existing indicators with those within the Phish Scale method you can help to build actionable intelligence that can enhance the security capabilities of staff in your organisation.