The human element has to be considered when evaluating this type of risk in an organization
According to recent research by ethical hacking specialists, 17% of data thefts begin as social engineering attacks, mainly by email. Employee errors, such as sending an email to the wrong person, account for another 17% of these incidents. This leads organizations to ask themselves: how much risk does our human capital generate?
The problem is that cybersecurity and ethical hacking professionals often don't know where to start. Organizations frequently lack a long-term view and treat each incident (a phishing email, say) as an isolated event instead of considering its impact over a longer period of time, so the actual risk is misjudged. There is, however, a disciplined way to evaluate the risk generated by the human factor, through a two-step analysis.
First, what is the likelihood that an employee will take a cyber attack's bait or accidentally leak confidential information from the organization? Second, what is the probability that this action will result in a data theft or system outage, and what is the potential cost of such an incident?
These are the two elements needed for an analysis using the standard Factor Analysis of Information Risk (FAIR) model: frequency and impact. Together they allow events of this kind to be expressed as a probability and a dollar value.
The FAIR standard offers a structured, critical-thinking approach to measuring risk scenarios. It puts context around loss events and provides information on their probable frequency of occurrence and the magnitude of their impact. This gives a disciplined way to collect the right data and to quantify the results as a range of probable outcomes rather than a single number.
Using the FAIR model, let's look at the risk of data theft due to accidental leaking of sensitive information. Instead of just fixing the immediate problem, consider the systemic problems behind the leak through the lens of FAIR, since this lets the company's security teams estimate the frequency and magnitude of similar breaches in the future. The first two questions below estimate how often the event happens; the third estimates whether a misdirected email actually exposes the data:
Frequency of occurrence
- How often do the emails we send contain confidential information?
- How often does an employee send an email to the wrong recipient?
- Is the information in the email encrypted?
Magnitude of impact
- Primary cost of resolving the information leak
- Secondary costs of the security incident (for example, providing free monitoring services to affected customers, or paying fines and/or settling lawsuits)
With some solid data, based on the organization's own experience or industry figures, Monte Carlo simulations can run thousands of possible outcomes and produce a graph (a loss exceedance curve) showing the range of potential annual losses under the established assumptions.
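The two-step analysis above (frequency from the three email questions, magnitude from primary and secondary costs, then a simulation over thousands of years) can be carried through in a few dozen lines. The following is an added example written for this article, not code from the FAIR standard or from the International Institute of Cyber Security. It uses Beta-PERT ranges and a Monte Carlo loop, the usual approach in FAIR tooling; the organization size, the probability ranges and the dollar figures are constructed placeholders, and `Scenario`, `simulate`, `percentile` and `exceedance` are names chosen here. It also runs the same scenario twice, once with and once without enforced email encryption, to show how the third question (encryption) changes the result:

```python
"""Monte Carlo FAIR-style estimate for the misdirected-email scenario.
Added example: every number below is a constructed placeholder, not data
from the article or from the FAIR standard itself."""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pert:
    """Calibrated estimate as a minimum / most likely / maximum range,
    sampled through a Beta-PERT distribution (the usual choice in FAIR tooling)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random, lam: float = 4.0) -> float:
        if self.high <= self.low:            # degenerate range: a point estimate
            return self.low
        span = self.high - self.low
        a = 1 + lam * (self.mode - self.low) / span
        b = 1 + lam * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span


def poisson(rng: random.Random, mean: float) -> int:
    """Number of loss events in one year given the expected yearly rate."""
    if mean > 500:                           # exp(-mean) would underflow: normal approximation
        return max(0, round(rng.gauss(mean, math.sqrt(mean))))
    limit, k, p = math.exp(-mean), 0, 1.0    # Knuth's multiplication method
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


@dataclass(frozen=True)
class Scenario:
    emails_per_year: int
    p_confidential: Pert    # share of outbound mail carrying confidential data (question 1)
    p_misaddressed: Pert    # share of mail sent to the wrong recipient (question 2)
    p_readable: Pert        # vulnerability: wrong recipient can read it, i.e. no encryption (question 3)
    primary_loss: Pert      # per-event cost of resolving the leak
    p_secondary: Pert       # chance the event escalates to fines, lawsuits or customer monitoring
    secondary_loss: Pert    # cost of that escalation when it happens


def simulate(sc: Scenario, trials: int = 10_000, seed: int = 1) -> list[float]:
    """Return one simulated annual loss per trial (the raw data behind the loss curve)."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        # FAIR: loss event frequency = threat event frequency x vulnerability
        tef = sc.emails_per_year * sc.p_confidential.sample(rng) * sc.p_misaddressed.sample(rng)
        lef = tef * sc.p_readable.sample(rng)
        total = 0.0
        for _ in range(poisson(rng, lef)):
            total += sc.primary_loss.sample(rng)
            if rng.random() < sc.p_secondary.sample(rng):
                total += sc.secondary_loss.sample(rng)
        annual.append(total)
    return annual


def percentile(values, pct: float) -> float:
    """Nearest-rank percentile of a list of annual losses."""
    s = sorted(values)
    return s[round((len(s) - 1) * pct / 100)]


def exceedance(values, thresholds) -> list[float]:
    """P(annual loss > threshold) for each threshold: the points of a loss exceedance curve."""
    n = len(values)
    return [sum(1 for v in values if v > t) / n for t in thresholds]


def summarize(values) -> dict:
    return {"p10": percentile(values, 10), "p50": percentile(values, 50),
            "p90": percentile(values, 90), "mean": sum(values) / len(values), "max": max(values)}


# Constructed inputs for a hypothetical organisation (assumptions, not measurements)
BASELINE = Scenario(
    emails_per_year=500_000,
    p_confidential=Pert(0.01, 0.03, 0.08),
    p_misaddressed=Pert(0.0005, 0.001, 0.003),
    p_readable=Pert(0.5, 0.8, 1.0),
    primary_loss=Pert(2_000, 8_000, 40_000),
    p_secondary=Pert(0.05, 0.15, 0.40),
    secondary_loss=Pert(20_000, 150_000, 2_000_000),
)
# The same organisation after enforcing encryption of outbound mail: only the
# vulnerability term changes, so the two runs isolate the value of that control.
ENCRYPTED = replace(BASELINE, p_readable=Pert(0.0, 0.05, 0.10))

if __name__ == "__main__":
    thresholds = [100_000, 500_000, 1_000_000, 5_000_000]
    for name, sc in (("baseline", BASELINE), ("encrypted", ENCRYPTED)):
        losses = simulate(sc)
        print(name, {k: round(v) for k, v in summarize(losses).items()})
        print("  P(annual loss > x):", dict(zip(thresholds, exceedance(losses, thresholds))))
```

The output worth reporting is not the mean but the percentiles and the exceedance probabilities: "there is a 10% chance of losing more than X in a year" is the sentence a budget owner can act on. Because the frequency parameters are re-sampled in every trial, the spread of the result reflects the uncertainty in the estimates themselves, which is why narrowing a range (for example by measuring how often mail is actually misaddressed instead of guessing) tightens the curve.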
In conclusion, there is a way to evaluate the human factor. Focus on defining and calculating the costs of the loss events that can hurt your organization rather than on the individuals involved in your processes. As the ethical hacking experts at the International Institute of Cyber Security note, you cannot have humans without flaws, but you will be better placed to handle difficult situations if you can identify the potential risks to your organization.