As cyber security threats have multiplied, most attacks have come to share one target: the human element. Examine any survey of the threats organizations face, from ransomware to phishing, and these attacks have one thing in common: a human has to act for the attack to succeed. Organizations of all sizes battle this susceptibility daily, keeping users educated through awareness programs, technology-based learning systems and the like. Yet attacks continue to increase, resulting in major data breaches that expose critical organizational information by targeting its weakest link.

On the technology side, new approaches to preventing ransomware and phishing have been on the market for years, yet the number of attacks penetrating systems shows no sign of slowing. Organizations also undergo compliance testing to become certified against standards, and still attacks persist. Organizations now need to reexamine how they prevent attacks on their systems, with technology, compliance and user awareness programs in a supporting role. What is required is the application of behavioral science to understand why a user would be enticed to act on a phishing email or other social engineering bait. That understanding will not come from the user population attending another training session or from the purchase of some costly technology. What is needed is a new role: the behavioral intelligence officer (BIO).

The BIO brings behavioral skills to bear on the question of why attacks on end users are so successful even with state-of-the-art security solutions in place. The role, therefore, is to continuously analyze human behavior through cyber security user education programs and simulated cyber attacks (such as phishing simulations). Another critical function is gathering information from the various threat intelligence feeds and correlating it with observed human behavior.
What skills would the behavioral intelligence officer need to bring to the table? First, behavioral science knowledge as the core competency. That know-how should be supported by information security knowledge, backed by relevant certification. Although the main focus is on understanding employee behavior as it relates to information security, the role also covers understanding why human errors occur in the IT environment and developing remediation approaches to correct them. The BIO would report to both the CISO and the CIO, since the intelligence gathered would be of critical importance to both. Such a reporting structure would also create synergy in strengthening an organization's information security program by improving its weakest link. Certification and training organizations should also take a serious look at creating a course structure for professionals who want to gain knowledge of human behavioral science, because technology and user awareness programs alone will not cut it.
About the Author: Adesh Rampat has 28 years of experience in the IT industry, including 10 years in operational risk management. He can be reached at [email protected]. Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.