Risk

11/13/2018
02:30 PM
Shay Colson
Commentary

Empathy: The Next Killer App for Cybersecurity?

The toughest security problems involve people, not technology. Here's how to motivate your frontline employees all the way from the service desk to the corner office.

Empathy is not often associated with cybersecurity. Former Facebook chief security officer Alex Stamos made reference to this idea during his 2017 Black Hat conference keynote, noting that "we have a real inability to put ourselves in the shoes of the people we are trying to protect," and encouraging security professionals to "have empathy for the people that use the technologies we build."

Unfortunately, as Stamos astutely noted, both security and software professionals tend to approach problem solving with an eye toward problems that are glamorous, complex, or sexy rather than ones that are most common or affect the largest number of users.

In reality, those with the most direct exposure to serious cybersecurity challenges are also the least prepared to handle them. Think of the frontline employees who are bombarded with phishing attacks, software updates, and deadlines around the work they're trying to accomplish. Or consider organizational executive leadership and boards, who often struggle to understand the mechanics and potential impact of today's cyber-risks.

Cybersecurity practitioners should heed Stamos' advice and work hard to empathize with "the people that use the technologies we build." Technology, ultimately, should serve those who use it and empower them to achieve more than they otherwise could. Empathic approaches to technology, people, and organizational processes are critical in building operations that are both secure and sustainable. Below are three specific examples where applying empathy can enhance security.

Third-Party Risk
In recent years, third-party risk has become a pressing concern. Whether it is the torrid tale of Target's HVAC vendor or the NY Department of Financial Services Cybersecurity Requirements, third-party risk is under the microscope like never before. Empathy goes a long way toward giving security teams a deeper understanding of third-party risk, because that risk hinges not only on the security posture of the third party but also on the nature of the relationship with the external firm and the service it provides. It is important for cyber professionals to remember that every third-party engagement is chosen for a business reason, which must also be accounted for in the overall risk analysis.

For example, beyond the standard approach of asking what organizational data the third party has, we must understand how critical these resources are to business operations. Does your organization have a plan to replace their functionality on short notice? What other elements of the relationship are at play (such as strategic partnerships, regulatory drivers, etc.)?

An approach that is exclusively technology-focused will almost certainly miss important elements that must be accounted for. Empathy helps round out the risk assessment and allows a more holistic risk-based decision to be made.

Phishing and Social Engineering Attacks
Business email compromise — the term for fraudulent emails designed to get corporate financial custodians to send money to bad actors under the guise of helping the CEO — is fundamentally an empathy issue. Attackers are leveraging psychological and organizational weaknesses to the tune of about $12.5 billion in profit. Adding empathy helps solve this security challenge in two specific ways involving policy and processes:

An open-door policy from executive leadership encourages employees to approach executives directly any time something doesn't feel right, or they want to check on the legitimacy of a request. This policy has the added benefit of generating interaction between leaders and engaged and aware employees.

A business process requiring confirmation with the CFO, either in person or via direct-dialed voice, for any transaction over a certain threshold should also be encouraged. Instead of trying to respond as fast as possible for fear of looking inattentive, this practice would motivate employees to double-check such a request in a way that is difficult to spoof.

Penetration Testing
Penetration testing stands out as an example where technology solutions can be immensely enhanced by empathy. There are many software tools and platforms that perform automated scans, one-click exploits or other similar functionality. Indeed, utilizing a pre-configured penetration testing tool like Burp or Nessus is table stakes in 2018, and most organizations should already be performing this level of self-analysis.

A human-centered approach to this problem looks more like Bugcrowd or HackerOne. According to a recent report from HackerOne, the humans powering their platform discovered and reported over 72,000 vulnerabilities (as of May 2018), with more than 27,000 of those discovered and resolved within the last year alone. While there's no doubt that these hackers are using technology tools to help them find vulnerabilities, it is the human element that creates effective penetration testing practices at scale.

Ultimately, the next "killer app" for cybersecurity won't be a matter of doing more, faster. Instead, we must empower humans to make better decisions — including those at the front desk all the way up to those in the corner office. The most effective thing we can do as security professionals is double down on the human element and develop empathetic solutions to these fundamentally human problems.


Shay Colson, CISSP, senior manager, CyberClarity360, joined Duff & Phelps from the US Department of the Treasury to lead the assessment team for CyberClarity360. He has over a decade of experience in cybersecurity and information assurance, with a focus on designing and ...
Comments
lzzg, User Rank: Apprentice
11/21/2018 | 4:35:42 AM
Re: Interesting article on Empathy
THANK YOU
shaycolson, User Rank: Author
11/16/2018 | 4:04:52 PM
Re: Interesting article on Empathy
Todd -

Great questions and discussion here. Thanks for reading and for continuing to engage.

I think you set up some potential answers in your own response here - it comes back to a human-to-human engagement. To your point on why insider threats manifest, those are all things that can be overcome by businesses through human connection. If people need validation, recognition, or respect, that's something that leadership can either actively provide or decide that the employee doesn't fit and take a different direction.

If the needs are external (financial, family issues, etc.) - employers can go a long way towards making meaningful accommodations in that space, as well. Unlikely that they can resolve them entirely, but a little empathy here goes a long way.

Finally, to your first point about the front-line, heads-down workers who either don't see security as their responsibility or who don't feel empowered to act, that's exactly the point of the article. Companies that encourage a culture of risk ownership, high engagement, and low levels of fear about making a mistake or speaking up will be able to scale the value of their human resources much more than those that can't. I would offer that in an organization where a junior accounting person feels they can't raise an issue when something doesn't look right (or after they've clicked and realized it wasn't right), the fault rests on the leadership and their culture rather than the employee or their cybersecurity training.

Business is a team sport, and if we can't get everyone on the team to play together, there's no way that we're going to make any progress.

Cheers,

Shay
tdsan, User Rank: Strategist
11/15/2018 | 12:45:50 PM
Interesting article on Empathy
→ it is the human element that creates effective penetration testing practices at scale.

I am just curious: how do you go about improving the human element when employees don't really seem to get or understand cybersecurity? They think if they keep their head down and remain quiet, then they won't draw any attention to themselves.

I will give you an example: someone is working with their head down and they are in accounting. They click on a link and the link says that they owe money to a vendor. The email came from the vendor, but it was a phishing attack (the person's email account list was exposed to the hacker) where the PDF and link to update the banking information caused the person from accounting to act. Now this person has been trained for over 20 yrs in the area of security by this organization but thought this was a valid transaction. The amount of money from a realistic perspective may not have been a lot, but this still happened.

To a trained engineer, they would have caught the misspelling of the name, the DNS name not being correct, or the address and PDF information being somewhat off.

But to the regular joe, this seemed reasonable. I am not sure if we can totally protect against this type of attack. I do agree there are certain things we need to do in order to mitigate the attacks, but within a group of people that could range from 1K - 1M in number, with different skill sets, I am not sure how you can defend against this type of attack. There needs to be some sort of AI/ML (Machine Learning) integration that assists the user in making the right decision, because hacks continue to take place every day even with controls and policies in place.

There is another discussion that could piggyback off of this discussion: the gap b/t the "haves" and "have nots". At the end of the day, people steal for three reasons: political, economic, and/or respect (just to show that they could do it). What we need to focus on is the psychological aspects of our society; there is an intrinsic problem with the way we think, because everyone has a breaking point and if pushed hard enough, every person will go down that path. Remember, for some people, it may not be about money; it could be that they need a specific drug for a parent or loved one, a child is suffering or does not get into the school of choice.

Just remember, our society is delicate and if it is swayed one way or the other, it could cause a catastrophic wave that affects everyone. The deep problem is not the hack; it is the way we think and how we think that needs to change.

Todd

 
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: New camera 2FA closed loop!
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20059
PUBLISHED: 2018-12-11
jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE.
CVE-2018-20056
PUBLISHED: 2018-12-11
An issue was discovered in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 and DIR-605L Rev.B 2.12B1 devices. There is a stack-based buffer overflow allowing remote attackers to execute arbitrary code without authentication via the goform/formLanguageChange currTime parameter.
CVE-2018-20057
PUBLISHED: 2018-12-11
An issue was discovered in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 and DIR-605L Rev.B 2.12B1 devices. goform/formSysCmd allows remote authenticated users to execute arbitrary OS commands via the sysCmd POST parameter.
CVE-2018-20058
PUBLISHED: 2018-12-11
In Evernote before 7.6 on macOS, there is a local file path traversal issue in attachment previewing, aka MACOSNOTE-28634.
CVE-2018-20050
PUBLISHED: 2018-12-10
Mishandling of an empty string on the Jooan JA-Q1H Wi-Fi camera with firmware 21.0.0.91 allows remote attackers to cause a denial of service (crash and reboot) via the ONVIF GetStreamUri method and GetVideoEncoderConfigurationOptions method.