Human element and IT security: how to mitigate risks

by admin

Cefriel presents “IT security and the human element”, a white paper that analyzes the correlations between people and security and proposes an approach to risk mitigation. Published by the digital innovation center of the Polytechnic University of Milan, it is edited by Enrico Frumento, Cybersecurity Research Lead at Cefriel. It explains why it is essential for people to become aware of their role in corporate defense and protection mechanisms, and illustrates how to intervene so that they can actively participate in the prevention and mitigation of cyber attacks.

Human element and IT security: the level of maturity

As noted by the Barometro Cybersecurity 2023, edited by NetConsulting cube in collaboration with EUCACS and InTheCyber, the emerging threat linked to artificial intelligence is accompanied by some gaps in cyber management that have not yet been fully filled, especially in the supply chain and in OT and IoT environments. The comparison between the level of maturity in the various sectors and the percentage of cyber attacks recorded in Europe and Italy in the first half of 2023 indicates that the Public Administration sector is still the most affected by cyber attacks, with 19% in Italy and 23% in Europe.

In Italy the most affected is the industry sector

The number of attacks suffered by the Industry sector is also significant (17%), more than double the European average (7%). This shows that industry still has a lot to do on cybersecurity. Among the critical factors on which to intervene, according to NetConsulting, training and the resources allocated to investments in IT security are not always sufficient, although growing by over 12% per year.

Why start from the human element in cybersecurity strategies?

As it stands, much of the cybersecurity market concentrates on the technical aspects of an attack, while little work is done on the so-called “human element”. This is a central element according to the World Economic Forum’s Global Risk Report, given that risks linked to people’s behavior represent almost 95% of the total.

Human element and IT security

Enrico Frumento, Cybersecurity Research Lead at Cefriel
In cybersecurity people are too often blamed when a cyber incident occurs. As if they were just another source of cyber risk to have to deal with. But people are not computer systems and therefore need specific solutions.

We should start again by asking ourselves how an analysis of threats to people can be carried out, how a company can calculate the cyber risk represented by a person, and how many effective ways there are to reduce it. In general, how can security be rethought starting from the so-called human element? We thought about this in writing this white paper.

Which approach to adopt?

As detailed in the white paper, people need to be an integral and active part of the corporate defense and protection process, with the ultimate objective of inducing a stable behavioral change in people. To do this, the “human element” issue of cybersecurity must be addressed with a multicultural and holistic approach, one that includes human factors, human sciences, governance and technologies, to guarantee cybersecurity that is sustainable over time both in economic terms and in terms of technologies, processes, people and skills.

Modify the attack tactics

Enrico Frumento
Given that the goal of an attacker is always the same, attacking a person instead of an IT system involves a different process. It is a process that requires modifying the attack tactics, with the involvement of social engineering and human sciences, such as psychology or behavioral sciences, and theories related to the management and modeling of human errors.

Human element and IT security: how to mitigate risks

Social Driven Vulnerability Assessments, like any Vulnerability Assessment or Penetration Test, are a point-in-time sampling of cyber risk that loses validity when many variables change. For this reason we can start again from a Human Risk Management model to enter a paradigm of continuous security, starting from people.

The risk profiles

People Analytics is an approach that allows you to optimize individual training needs by linking them to the risk profiles of individual people, in full compliance with the legislation on the protection of personal data. The advantage is that training is transformed from a tool for professional training or retraining into a tool for reducing cyber risk, capable of increasing the resilience of organizations.
