Human Factor and Information Security

Security Awareness

“Technical advances are not enough to produce secure environments” (Metalidou, Marinagi, Trivellas, Eberhagen, Giannakopoulos, and Skourlas, 2014). Consequences spread as technical advances occur. More problems arise when humans and technology are put together, because humans use their own judgment, and depending on their mood the same situation can be seen differently, for good or for ill. Problems can be spotted, but it is again up to a human to resolve them or get help resolving them. Technology is no longer a thing of its own; security has to be implemented in every aspect of it nowadays. Humans are more susceptible to social engineering because most people do not think someone would use their information against them, and that is exactly why employees are the weakest link when it comes to keeping assets secure. Technology was not created to solve security problems.

Employees, for the most part, show irresponsible behavior by not using secure passwords, using simple passwords, and not using two-factor authentication on devices or applications, all of which are very careless practices that should be prevented by the organization. Many network and security leaders within organizations assume that using intrusion detection devices, firewalls, biometrics and other devices to help protect the network and the information within it prevents incidents 100% of the time, but they are wrong, because their employees can still give out that confidential information.

Since employees have been educated about their organization and its systems, they can be the first point of contact for an attack. Employees are also more likely to click on links without proper education on how to inspect them prior to opening, such as hovering over the link, checking who sent the message, looking for misspellings in the message, and seeing whether the recipient is actually named in the message versus a generic salutation.
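As an added, illustrative example (not part of the original post), the following Python script automates the same checks the paragraph lists and runs them over a constructed sample message: the sender's address domain, where a link actually points versus what its text shows (the programmatic version of hovering over it), a generic salutation, and common misspellings. The two sample messages, the misspelling list, the salutation list and the `example-corp.com` organization domain are all assumptions constructed for this example; the checks are deliberately simple heuristics, not a substitute for a mail-filtering product.

```python
# Added example: heuristic phishing-indicator checker for the manual checks
# described in the text (sender, link target vs link text, generic salutation,
# misspellings). All sample data, wordlists and the organization domain are
# constructed assumptions for this example.
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed suspicious message: lookalike sender domain ("examp1e"),
# generic salutation, misspellings, and a link whose text differs from its href.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@examp1e-corp.com>
To: employee@example-corp.com
Subject: Urgent: Your pasword expires today
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Your pasword will expire today. Please verify your account imediately:
<a href="http://login.examp1e-corp.com/verify">https://portal.example-corp.com</a></p>
</body></html>
"""

# Constructed legitimate message for comparison: internal sender, named
# recipient, link text and href agree, no misspellings.
CLEAN_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
To: employee@example-corp.com
Subject: Scheduled maintenance on Saturday
Content-Type: text/html

<html><body><p>Hi Alex,</p>
<p>The portal will be offline Saturday 02:00-04:00. Details:
<a href="https://portal.example-corp.com/status">https://portal.example-corp.com/status</a></p>
</body></html>
"""

# Assumed lists; a real deployment would use the organization's own wording.
COMMON_MISSPELLINGS = {"pasword", "imediately", "recieve", "verfy", "acount"}
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear valued", "dear sir/madam")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Crude base domain for comparisons: the last two labels of a hostname."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_indicators(raw, expected_domain):
    """Return human-readable phishing indicators found in raw RFC 822 text.
    expected_domain is the organization's real domain, supplied by the caller."""
    msg = message_from_string(raw)
    indicators = []

    # 1. Sender check: the address domain should be the organization's own.
    sender = msg.get("From", "")
    m = re.search(r"<([^>]+)>", sender)
    addr = m.group(1) if m else sender
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if sender_domain != expected_domain.lower():
        indicators.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")

    body = msg.get_payload()
    if isinstance(body, list):  # multipart: concatenate the parts' text
        body = "".join(str(p.get_payload()) for p in body)
    text = re.sub(r"<[^>]+>", " ", body)  # strip tags for the text checks

    # 2. Link check: what the anchor text shows vs where the href really goes.
    for href, shown in ANCHOR_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown.strip()).hostname or ""
        if shown_host and registered_domain(href_host) != registered_domain(shown_host):
            indicators.append(f"link text shows {shown_host!r} but points to {href_host!r}")
        elif registered_domain(href_host) != expected_domain.lower():
            indicators.append(f"link points to external domain {href_host!r}")

    # 3. Generic salutation instead of the recipient's name.
    lowered = text.lower()
    for phrase in GENERIC_SALUTATIONS:
        if phrase in lowered:
            indicators.append(f"generic salutation: {phrase!r}")
            break

    # 4. Misspellings in the subject line and body.
    words = set(re.findall(r"[a-z]+", (msg.get("Subject", "") + " " + text).lower()))
    for w in sorted(words & COMMON_MISSPELLINGS):
        indicators.append(f"misspelling: {w!r}")

    return indicators


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(f"{name}: {len(find_indicators(raw, 'example-corp.com'))} indicator(s)")
        for line in find_indicators(raw, "example-corp.com"):
            print("  -", line)
```

Running it lists five indicators for the suspicious message and none for the clean one. The point for awareness training is that each indicator corresponds to a check a person can make by eye; the script only shows that these checks are concrete enough to be written down and taught.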

Companies need to see that raising awareness within their organization could be one of the most cost-effective security measures they could implement. Many people believe that their organization is protecting them and they have nothing to worry about, but they are absolutely wrong. It takes everyone, and I mean everyone, who uses a device of any sort to help protect the organization and its network. So the key to protecting it all is security awareness training, and it needs to be performed on a continuous basis, because employees may need to be re-educated every now and then and new employees who have not been trained yet keep arriving.

In general, to control the organization as much as possible, leaders need to focus on people, processes and technology.

Serious implications of end-user behavior include:

  • lack of motivation to follow security procedures
  • lack of general knowledge about attacks
  • user’s risky behavior
  • user’s risky belief
  • inadequate use of technology

Main factors of all risks include:

  • excess privilege
  • error and omission
  • denial of service
  • unauthorized access
  • phishing
  • identity theft
  • malware
  • unauthorized copy

Many companies do not set aside enough budget to invest in security awareness programs that improve the knowledge level of users and managers. A security program should include discussion forums, risk events, awareness activities, newsletters, article sharing and a management center to help employees understand why it is important for everyone to understand security.

Security awareness training can be performed in various ways, such as computer-based learning via CD, web-based learning via the internet or an intranet, and distance learning via mail or catalog. Within security awareness there are various topics that can be discussed using any of the methods above. Topics include information security policies, system access control, system development and maintenance, personnel security, physical and environmental security, security organization, asset classification and control, communications and operations management, as well as business continuity management and compliance. Each topic gives the employee a breakdown of how to remain aware of security issues related to the organization and how to respond to each situation if it occurs.

Overall, every organization should help its employees understand how to behave responsibly and how to report issues should they arise. Open and clear communication of these matters can help decrease the chances of the organization being attacked. More companies need to implement some sort of security awareness program to help prevent people from exposing information related to the organization's network and systems. Since there are various ways to promote awareness, such as via computer, web and mail/catalog, there should be no reason not to implement some sort of security program within an organization with the available technology. Security awareness is one of the most cost-effective ways to protect employees from attackers, and without proper employee education attackers will continue to take advantage of them via phishing, malware, identity theft and other means, making it costlier in the long run for the organization itself.

PI Awareness

References:

Chen, C., Shaw, K. and Yang, S. (2006). Mitigation Information Security Risk by Increasing User Security Awareness: A Case Study of an Information Security Awareness System. Information Technology Learning and Performance Journal. Vol. 24(1). pp. 1-14. Retrieved from http://resolver.ebscohost.com.ezproxy.bellevue.edu/openurl?sid=EBSCO%3aedsemr&genre=article&issn=13287265&ISBN=&volume=16&issue=3&date=20140805&spage=210&pages=210-221&title=Journal+of+Systems+and+Information+Technology&atitle=Human+factor+and+information+security+in+higher+education&aulast=Georgios+Giannakopoulos+and+Professor+Damianos+Sakas+Professor&id=DOI%3a10.1108%2fJSIT-01-2014-0007&site=ftf-live

Metalidou, E., Marinagi, C., Trivellas, P., Eberhagen, N., Giannakopoulos, G. and Skourlas, C. (2014). Human Factor and Information Security in Higher Education. Journal of Systems and Information Technology. Vol. 16(3). pp. 210-221. Retrieved from http://resolver.ebscohost.com.ezproxy.bellevue.edu/openurl?sid=EBSCO%3aedsemr&genre=article&issn=13287265&ISBN=&volume=16&issue=3&date=20140805&spage=210&pages=210-221&title=Journal+of+Systems+and+Information+Technology&atitle=Human+factor+and+information+security+in+higher+education&aulast=Georgios+Giannakopoulos+and+Professor+Damianos+Sakas+Professor&id=DOI%3a10.1108%2fJSIT-01-2014-0007&site=ftf-live
