
Humans are often regarded as the weakest link in a cybersecurity program. Whether it results from manipulative attacker tactics or from limited security awareness, human error remains the most prevalent attack vector in every information security program, no matter how sophisticated your security stack may be.

In this post, we examine some of the human factors facilitating cybersecurity breaches and recommend security measures for fortifying what is arguably the most fragile line of defense of every cybersecurity strategy.

What is human cyber risk?

Human cyber risk refers to potential human behaviors that could result in a cyber incident. These could include clicking on malicious phishing email links or providing sensitive internal information to unauthorized persons.

Human risk definition

Human risk is the potential for individuals to play a direct role in a security incident that is not necessarily linked to a cyber attack. An example of this is the Microsoft Power Apps portals misconfiguration, which UpGuard discovered before it facilitated a large-scale data breach.

Human risks are among the most challenging cybersecurity threats to mitigate. Unlike technical attack vectors, such as software vulnerabilities, which can be enumerated by scanning and patched, human cyber risks are difficult to anticipate and therefore to prevent. Their environment-agnostic nature adds another level of complication: they can be exploited through digital interactions, such as phishing emails, and through social interactions, such as social engineering attempts made over the phone.

What is a human vulnerability in cybersecurity?

In cybersecurity, a human vulnerability is any area of weakness that could result in a security breach. Unlike digital cyber threats, which could be exploited programmatically by reverse engineering software flaws, human vulnerabilities are exploited by manipulating human behavior.

The human element is complex, and not all individuals share the same vulnerabilities—some are more susceptible to a phishing attack than others. An experienced cybercriminal determines each person’s unique area of weakness and devises a plan to exploit that weakness to advance their cybercrime objectives.

Human cyber risks vs. Human risk vs. Human vulnerability

Understanding the nuances between human cyber risks, human risks, and human vulnerabilities is essential for addressing the complete range of human elements contributing to operational disruptions, a discipline known as Human Risk Management.

The following is a high-level example of a risk management strategy across the three primary categories of human-related security exposures as part of a Human Risk Management program:

  • Human cyber risks
    • Cybersecurity training
    • Enforcing MFA across endpoints and mobile devices
    • Cyber attack simulations
    • Real-time monitoring of employee cyber risk profiles
  • Human risks
    • Enforcing least privilege security policies
    • Improving firewall configurations
  • Human vulnerabilities
    • Awareness training of common scam tactics and cybersecurity risks, such as ransomware, phishing and social engineering
    • Bolstering incident response plans and keeping them updated in line with the current threat landscape
Because human risks map to a variety of security incidents, they must be addressed holistically. 

Examples of human risk factors in cybersecurity

Human risks are predominantly concentrated at the IT security boundary, at the interface between cybercriminals and an organization’s private network. This is why human errors usually grant unauthorized users their initial network access. Cybercriminals aim to exploit this gateway, and they have refined their tactics to target the human factors of cybersecurity with the following types of attacks:

  • Phishing email attacks: When attackers send employees emails containing links to credential-harvesting pages or malware downloads in order to gain access to the corporate network.
  • Social engineering attacks: When attackers trick employees into disclosing sensitive internal information, whether by phone, in an in-person conversation, or through an internal messaging tool, such as Slack.

Even without prompting from hackers, human errors can permeate the information technology boundary with the following poor cyber hygiene actions:

  • Shadow IT practices: When applications and external hardware are connected to corporate networks and devices without first being approved by the IT department. Such practices bloat the attack surface with assets the security team is unaware of, leaving those regions of the digital footprint perpetually vulnerable to compromise.
  • Accidental data sharing: Sending sensitive internal information, such as customer data, to the wrong email address.
  • Neglecting Multi-Factor Authentication (MFA): Failing to set up MFA for critical business accounts.
  • Ignoring security warnings: Bypassing browser security alerts (e.g., ignoring “This connection is not secure” warnings) or disabling antivirus software to remove interruptions associated with a desired action.
  • Delayed software updates: Postponing or ignoring prompts for system and software updates.
  • Insider threats: When an employee abuses their internal credentials to access sensitive internal information that is then leaked outside of the corporate network.
  • Neglecting secure communication protocols: Discussing confidential business matters over unsecured or public channels, such as personal email accounts, messaging apps, or during in-person interactions.
  • Inadvertent social media disclosures: Employees sharing too much information about their workplace position and activities, such as company projects or upcoming corporate travel plans, could arm hackers with enough intelligence to launch a targeted phishing attack.

Human error cybersecurity statistics

The following statistics highlight the significant impact of human error in cybersecurity programs.

74% of data breaches involve the human element, including errors, privilege misuse, and social engineering attacks.

Human errors account for 23% of all cybersecurity breaches in the financial sector.

60% of security incidents in the energy and utilities sector are due to human error.

65% of cybersecurity incidents in the retail industry are linked to human mistakes.

User behavior is the top cybersecurity challenge for IT organizations, as reported by 84% of surveyed organizations in 2024.

90% of UK data breaches in 2019 were caused by human error.

Over 103 million people use "123456" as their password, underscoring poor password practices.

Phishing is the top threat action variety in breaches, playing a role in more than 20% of cases.

How to mitigate human errors in cybersecurity

Formulating a successful strategy for mitigating cyber risks associated with human error begins with understanding the limitations of current approaches.

Cybersecurity awareness training is a popular approach to human risk mitigation since it’s a mandatory requirement for many cyber regulations, including GDPR, HIPAA, FISMA, PCI DSS, and NYDFS. However, this approach alone is ineffective.

Training sessions and their subsequent quizzes usually guide users to the correct answers, allowing them to mindlessly rush through each session. Simply completing a training session is sufficient to achieve a passing grade and satisfy any regulatory requirements in this area.

A 2019 study found that mandatory training sessions for high-risk employees who failed phishing simulation tests did not improve human cybersecurity. Offenders were just as likely to click on a malicious email link again after the awareness training.

Compartmentalizing human cyber risk mitigation strategies into separate human risk categories produces a point-in-time risk management framework, encouraging false confidence about an organization’s human error potential. 

Even when risk detection methods produce accurate insights, they only reflect an employee’s level of cyber threat awareness at the time of the assessment. Other critical factors arising between assessment schedules, such as the employee’s credentials being exposed in a third-party breach, are not considered, significantly limiting the effectiveness of risk management processes.

Figure: Point-in-time human cyber risk assessments.

Depending on point-in-time human cyber risk management, which is usually a by-product of a check-the-box mentality towards regulatory compliance, undermines the “Identify” and “Protect” pillars of the NIST Cybersecurity Framework (CSF).

Figure: The six NIST CSF pillars (Govern, Identify, Protect, Detect, Respond, Recover).
  • Identify: Expects a complete understanding of an organization’s cybersecurity risk environment at all times. Alignment with this pillar is not possible if evolving human risk factors between testing schedules are not accounted for.
  • Protect: Expects ongoing safeguards for an organization’s cybersecurity risk environment, which isn’t possible without real-time awareness of evolving human cyber risk exposures.

The most effective approach to Human Risk Management is a holistic consideration of all human factors leading to security incidents, quantified as a score representing each employee's evolving cyber risk exposure.

Human cyber risk management platform by UpGuard

Such a holistic view of the human factors leading to security incidents can be consolidated into three primary risk factors:

  • User Identities: The potential for internal credentials to be compromised, either through exposure in third-party breaches or through cyberattacks targeting human vulnerabilities, such as social engineering or phishing.
  • Applications: The risk of employees engaging in shadow IT practices.
  • Data: The risk of excessive sharing of sensitive information with third-party services.


The following more traditional human error mitigation strategies could still help reduce human errors leading to security breaches if augmented with a Human Risk Management platform as part of a unified Human Risk Management strategy.

Phishing simulations

A phishing simulation is a cybersecurity exercise in which employees are sent fake phishing emails to test their ability to identify and respond to these attacks. All interactions with these emails are tracked and analyzed to calculate each employee’s susceptibility to falling victim to phishing attacks.

Are phishing simulations effective?

Phishing simulations are only effective if coupled with other methods of human cyber risk monitoring. A simulated phishing attack may not occur when an employee is in a state of mind that’s most vulnerable to cybercriminal compromise, i.e., when they’re exhausted, highly stressed, or too distracted by their workload to consider the implications of their actions.

When combined with a human risk management platform, phishing simulations could reduce the User Identity factor of each employee’s cyber risk exposure, shifting the focus to other human factors increasing an organization’s risk of suffering a security incident.
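As an added illustration, not UpGuard’s scoring model and not code from this page, the following Python shows how tracked simulation interactions (sent, opened, clicked, submitted, reported) can be combined with an out-of-band signal (the employee’s credentials surfacing in a breach dump) into a per-employee score that decays with time, so that a recent click or leak outweighs an old one. The event weights, the 90-day half-life, the user names, and the sample events are all hypothetical, constructed for the example. It contrasts the usual point-in-time click rate, which is identical for two of the users, with the recency-weighted score, which is not.

```python
"""Recency-weighted human cyber risk score built from tracked phishing-simulation
events and a credential-exposure signal. Illustrative only: weights, half-life
and sample data are hypothetical and do not represent any vendor's model."""
from dataclasses import dataclass
from datetime import datetime
import math


@dataclass(frozen=True)
class Event:
    user: str
    kind: str        # one of the EVENT_WEIGHTS keys
    when: datetime


# Hypothetical weights: positive values raise risk, negative values lower it.
EVENT_WEIGHTS = {
    "sent": 0.0,              # simulation lure delivered (denominator only)
    "opened": 0.1,            # lure opened
    "clicked": 1.0,           # followed the lure link
    "submitted": 2.0,         # entered credentials on the landing page
    "reported": -0.5,         # forwarded the lure to the security team
    "credential_leak": 3.0,   # account found in a third-party breach dump
}
HALF_LIFE_DAYS = 90.0  # hypothetical: an event's weight halves every 90 days


def decay(age_days: float, half_life: float = HALF_LIFE_DAYS) -> float:
    """Exponential decay factor so recent behaviour dominates the score."""
    return 0.5 ** (age_days / half_life)


def click_rate(events, user) -> float:
    """The point-in-time metric a simulation tool typically reports."""
    sent = sum(1 for e in events if e.user == user and e.kind == "sent")
    clicked = sum(1 for e in events if e.user == user and e.kind == "clicked")
    return clicked / sent if sent else 0.0


def risk_score(events, user, as_of, half_life=HALF_LIFE_DAYS) -> float:
    """0..100 score combining every signal for a user, weighted by recency."""
    raw = 0.0
    for e in events:
        if e.user != user or e.when > as_of:
            continue  # ignore other users and anything after the as-of date
        age_days = (as_of - e.when).total_seconds() / 86400
        raw += EVENT_WEIGHTS[e.kind] * decay(age_days, half_life)
    raw = max(raw, 0.0)  # reporting lures can offset risk but not go below zero
    return round(100 * (1 - math.exp(-raw)), 1)


def rank_users(events, as_of):
    """(score, user) pairs, riskiest first."""
    users = sorted({e.user for e in events})
    return sorted(((risk_score(events, u, as_of), u) for u in users), reverse=True)


# Constructed sample telemetry (not real data)
AS_OF = datetime(2024, 6, 1)


def _ev(user, kind, y, m, d):
    return Event(user, kind, datetime(y, m, d))


SAMPLE_EVENTS = [
    # alice: clicked once in January, then reported the two later lures
    _ev("alice", "sent", 2024, 1, 10), _ev("alice", "clicked", 2024, 1, 10),
    _ev("alice", "sent", 2024, 3, 15), _ev("alice", "reported", 2024, 3, 15),
    _ev("alice", "sent", 2024, 5, 20), _ev("alice", "reported", 2024, 5, 20),
    # bob: the same 1-in-3 click rate, but the click and a credential
    # submission happened twelve days ago
    _ev("bob", "sent", 2024, 1, 10), _ev("bob", "reported", 2024, 1, 10),
    _ev("bob", "sent", 2024, 3, 15), _ev("bob", "reported", 2024, 3, 15),
    _ev("bob", "sent", 2024, 5, 20), _ev("bob", "clicked", 2024, 5, 20),
    _ev("bob", "submitted", 2024, 5, 20),
    # carol: never clicked a simulation, but her credentials surfaced in a
    # breach dump a week ago, which a simulation alone would never see
    _ev("carol", "sent", 2024, 1, 10), _ev("carol", "reported", 2024, 1, 10),
    _ev("carol", "sent", 2024, 3, 15), _ev("carol", "reported", 2024, 3, 15),
    _ev("carol", "sent", 2024, 5, 20), _ev("carol", "reported", 2024, 5, 20),
    _ev("carol", "credential_leak", 2024, 5, 25),
]

if __name__ == "__main__":
    for score, user in rank_users(SAMPLE_EVENTS, AS_OF):
        rate = click_rate(SAMPLE_EVENTS, user)
        print(f"{user:6} click_rate={rate:.2f} risk_score={score}")
```

With the sample data, alice and bob share a 33% click rate, yet alice’s score falls to 0 because her click is old and she has since reported two lures, while bob’s recent click and credential submission put him near the top of the ranking. carol has a 0% click rate but still scores highly because of the credential leak, which is the kind of between-assessment signal a simulation-only program misses.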

Social engineering penetration testing

Social engineering testing extends human vulnerability evaluations beyond email-based attacks to include scenarios involving phone calls (vishing, or voice phishing), social media messaging, and even physical interactions.

Social engineering testing aims to determine a company's level of cyber threat awareness beyond the digital realm. This helps employees understand that sensitive internal information can also be exposed through seemingly innocuous interactions, such as sharing the company’s Wi-Fi password or, as a kind gesture, holding an entry door open for a stranger who has no swipe card (tailgating).

Are social engineering tests effective?

Social engineering tests effectively evaluate a company’s baseline of digital and physical cyber threat awareness. However, due to the point-in-time nature of these tests, they don’t account for the volatility of cyber threat vigilance levels of employees between testing schedules, which could result in a false sense of corporate security.
