Assessing the Human Element in Cyber Risk Analysis

Seventeen percent of data breaches started as social engineering attacks, mostly from email, according to the most recent Verizon Data Breach Investigations Report.  In general, employee errors, such as sending an email to the wrong person, also accounted for 17 percent of breaches. Here in lies the problem and begs an important question: “What’s our risk from the human element?”

InfoSec Insider author Chad Weinman

The problem with answering this question is that most cybersecurity professionals don’t know where to start. Often organizations are shortsighted and look at only the immediate phishing or misdirected emails rather than what the impacts are further down the attack chain. This can lead to over-stating or under-stating the actual risk. However, there is a disciplined way to assess the risk of the human element via a two-step analysis.

First, is asking what’s the likelihood that the employee will fall for a phishing email or accidentally forward a spreadsheet with customer sensitive information again? Second, what is the probability this action materializes into a data breach or system disruption — and what the potential cost of these loss events?

Put together, we have the two elements needed for an analysis using the standard Factor Analysis of Information Risk (FAIR) model. Those elements are, frequency and impact . Together these can shade the events with a probability and a dollar value.

The FAIR standard offers a way to use critical thinking to identify risk scenarios as measurable  It also puts context around loss events and offers insights into probable frequency of occurrence and magnitude of impact. This allows for a structured way to gather the correct data, which offers us a way to quantify results as a range of probable outcomes.

Using the FAIR model, let’s look at the risk from a data breach due to an employee who accidentally forwards a sensitive spreadsheet. A FAIR analysis starts with identifying the multiple assets at risk: the data in the spreadsheet, the threat actor (our fat-fingered friend) and the effect.

Now, instead of just solving the immediate problem, let’s take a look at the systemic issues behind this data breach through the FAIR lens. That includes a company-wide effort of data gathering from subject matter experts in the organization. That allows security teams to get an idea of the frequency and the magnitude of possible similar breaches in the future. Here the breakdown:

  • How often do emails we send contain confidential info?
  • How often does an employee mis-send an email?
  • Is the info in the email encrypted (reducing vulnerability)?
  • Primary cost of customer relations staff or others to clean up the email mishap.
  • Secondary costs, for instance, to offer a free year of credit monitoring to affected customers or pay out fines or judgements if they sue successfully.

With some solid data, based on the experience of the organization or industry-wide norms, a Monte Carlo simulation can be run to test thousands of possible outcomes and generate a smooth curve graph showing a range of potential losses in dollar amount on an annualized basis, with “average,” “most likely,” and other touchpoints marked. This simulation is easy to visualize for decision makers—and often surprising. Organizations tend to dismiss low-impact events as not worrying, only to discover that high-frequency events add up to costly and damaging consequences.

What can you do with the results? With FAIR, you can do a sensitivity analysis. In other words, tweak the impact of different factors in the FAIR model and re-run the simulation to test the effect of different controls.

The bottom line is, there is a way to assessing the human element. Focus on defining and costing out the ultimate events that can cause your organization loss, not the people who set the chain in motion. You can’t change human nature, but you have a better shot at controlling it if you first can identify your true risks.

(Chad is the VP of Customer Success at RiskLens. Prior to this role, Chad, has worked as an independent consultant focused on risk management and also within the Big 4. Chad is organically Ohio and is alumni of Ohio University. @chadweinman)