In a session at the Infosecurity Europe Virtual Conference, a panel of security experts were asked to define the human element of risk to help organizations quantify and manage it.
David Boda, head of information security at Camelot (National Lottery) said that a significant factor in defining human risk is understanding that a large amount of human risk is generated as a result of accidental actions.
“There’s obviously a place for monitoring malicious activity, but the vast amount of what I see is accidental and human behavior often comes down to people just trying to get their jobs done but struggle to do so for whatever reason – and that creates risk.
“I think it’s our job as security professionals to try and understand the root causes of that and try to help people to do their jobs in a risk-managed way.”
For Dr Jessica Barker, co-CEO of Cygenta, defining the human element of risk requires us to put the human at the forefront of processes at all times. “When we’re defining the human side of risk, it is important we consider the fact that, with all technology or element of security, people are involved at every stage of the lifecycle – the designing, developing, use, testing, destroying or deleting.”
Therefore, we need to think about our developers and how they are trained in cybersecurity, “taking the conversation much wider than just to people that are using technology,” she added.
Mark Osborne, CISO of JLL, also highlighted the important role that CISOs must play in defining and managing human-related risk.
“Most CISOs tend to like a ‘bogeyman’ – they want to make a bit of a drama [of human risk]. We’re always talking about the ‘insider threat,’ but really even the most educated and diligent user is going to click on a phishing link. I think, in this day and age, breaches can not only be classed as accidental, they’re also down to neglect or a lack of intent to comply.”
Osborne argued that the security rules implied on businesses therefore need to be better-enforced by CISOs who are the ones that “tend to let the side down, rather than the users.”