Managing the Insider Threat: Human-Centred Security
The goal of the panel discussion was to explore insider threat and the impact it has on cybersecurity while offering tangible solutions for mitigating the discussed risks.
The 43-minute discussion evolved around the challenge of identifying the types of threat posed, knowing what to do in response, and effecting a response in a timely manner. And demonstrating within an organisation that the response was successful.
As Dr Cunningham offered at the top of the conversation: “Dealing with people seems easy on the surface. We all are people, we know what it’s like to be a person…we’ve all made a mistake and most of the time we don’t think our mistakes made an impact – that’s not the case.” Has this mindset hindered the ability of organisations to examine the people aspect in the people/process/technology triangle? Daniel quoted a survey result that 70% of respondents said people are the most important aspect of people, process and technology - good news it seems. Oz cautioned that if you don’t consider the interplay between people and technology you are not considering the whole risk and therefore the whole opportunity.
As the scene was set the conversation went on to explore this opportunity further.
- Understanding the human aspect is an important component of the risk calculation – this is key to the work we do here in Forcepoint X-Labs.
- It is vital that organisations understand the categories of insider threat such as the accidental insider, the negligent insider and the malicious insider – the behavior of such a diverse range of personas can manifest itself in a myriad of ways as played out in what we call Indicators of Behavior.
- In response to an audience question Dr Cunningham cautioned that controlling the behavior of users can lead to compliance with the rules all of the way through to the opposite effect of rebellion – which drives individuals to a workaround. Consider if your current tools have visibility of workaround attempts.
- Similarly, the merits of effecting a change in behavior were discussed. The panel agreed that user awareness and training is the not the silver bullet it was hoped. Dr Cunningham warned that if training does result in a change in behavior that change for the positive is often temporary.
- The panel discussed the need to measure the impact of solutions – else it will not be possible to see if the change or action was effective.
- In regards to changing behavior of users within an organisation Oz offered a checklist to understanding user behaviors and their impact on risk:
- What behavior is important (to control or change)?
- What are you trying to impact?
- What risk does it relate to?
- What is the most appropriate intervention for that?
The panel went on to discuss the merits of incentivising “good” behaviour, the best way of identifying the accidental insider threat, the importance of baselining good behavior in order to identify the bad, and how a strategy of starting small on a journey to understanding user behavior can reap dividends in demonstrating effective risk management.
We hope you find the discussion useful. If you weren’t able to attend last week, the ISF panel discussion can be viewed on-demand at your convenience:
- Information Security Forum: https://www.securityforum.org/
- CybSafe: https://www.cybsafe.com/
- CybSafe’s Security Behavior Database (aka SebDB): https://www.cybsafe.com/research/security-behaviour-database/
- Understanding negative workplace behaviors: https://www.forcepoint.com/blog/x-labs/understanding-negative-workplace-behavior