Event Recording

Rethinking Cybersecurity From the Human Element Point of View

Oversimplifying, IT security means defending IT systems from threats posed by cybercriminals. Their targets are, for example, the manipulation of systems, the extortion or exfiltration of data, and the interruption or alteration of services. However, what happens if we have humans instead of IT systems? Given that the attacker's goals stay the same, as mentioned above, attacking a human is an entirely different process, and the attack tactics must change. This well-known fact involves social engineering and the human sciences (e.g., psychology or behavioural science instead of informatics). However, from the cybersecurity side of the coin, what does dealing with humans imply? What does it mean, for example, to perform convincing penetration testing or vulnerability scanning that deeply tests human weaknesses? It is not merely a problem of sending a phishing email and waiting for clicks. How can threat analysis or threat intelligence be done on humans? Moreover, how can a company calculate the cyber risk that a human represents, and how many effective ways are there to reduce it? If we fully put humans (either as employees or as IT security operators) at the centre of cybersecurity, the questions multiply.

The problem is complex because, by its nature, it is multicultural and requires different non-technical competencies. It needs experts in philosophy, political science, cyber sociology, pedagogy, acting performance, etc., collaborating with cybersecurity experts. Facing the human element of security is a genuinely multicultural and interconnected approach. Furthermore, humans are, after all, “human” and not machines: there are also ethical and legal issues to consider, and their reactions change during the day. The talk will explore and present a comprehensive view of what happens when humans, rather than IT systems, are at the centre of cybersecurity.

Thank you everybody, and thanks also to the online guys who are following my presentation. Well, we just... so one of the important aspects of security is the human element in this cyber threat landscape of companies. So I'm not talking about the importance of social engineering and how much this is becoming risky for your organization. I have been doing social engineering attacks for 13 years, and during these years I saw two important things. One, that the attack tactics are more or less constantly repeating, and the other one is that cybersecurity needs to be led by a more human-element point of view. What does this mean? First of all, this is just to say that things are repeating year after year. Just recently in Italy we had another wave of Emotet attacks. Actually the attacks went through a phishing mail that was carrying a password-protected zip archive with a macro-enabled Excel file inside.
So actually to get infected you had to open the attachment, open the zip file, enter the password, open the Excel file, enable the macros, and then get infected. And of course, at the end, forget everything you have done before. So you see, there are different steps you are required to go through to get infected, and actually this is a campaign that is very highly effective; at least in Italy it was hitting a lot of public administrations, actually. So these things need to be done manually by the user, and therefore, what are we talking about? Just summarizing, we are talking about humans that are not realizing what they are doing, or at least humans that are so convinced to do something that they are going through any technical difficulty, even, for example, copy-pasting a password into a zip file, enabling the macros, ignoring the Office warnings and so on.
And this is exploiting essentially the same things that have been exploited since the age of Adam and Eve, more or less. So what are we talking about? Humans, but more than humans alone. Humans plus this type of guys, okay, as said in the previous presentation. But another point of view, an interesting way to see things, is just that we have the persons, and they are getting attention from sellers, marketing experts, social network influencers, for receiving advertising. But the same thing happens on the other side. Actually phishing, or any other type of, let's say, social engineering thing, is just advertising of another type, from another side. Let's say, at the end of the day, in the criminal groups the type of persons that are most prevalent are exactly the same. We see a lot of sellers, marketing experts, social network influencers and then psychologists.
And at the end of the day, the developers, actually, in most of the groups developers are just a commodity. They are working for several groups, but the most important competencies are just coming from the human sciences point of view. And another thing, that is the same report that was mentioned before, by the World Economic Forum, developed by IBM, says that 95% of cybersecurity problems arise from human errors in general. Human errors in general. So even on the security side of the problem, not only employees clicking on a link. The problem is that much of the security market instead focuses on the technical side. So there is essentially an imbalance between more than 90% of the attack tactics and more than 90% of the defense strategies. These things are not, let's say, going to collide in a way, because we are not having enough research, enough products to face the problem from the human point of view, and this is the central point of my presentation.
So just putting together all the problems, we see seven pillars that make up the problem, let's say, that help you to understand what the problem is. First of all, special education tracks. We spoke about the education tracks several times, but the point is that when you start doing training or awareness or learning, if you do that for cybersecurity reasons or to avoid social engineering attacks, you never have a way to measure how much of what you said remains in the heads of persons, and for how much longer: the so-called retention factors of training. So that is one problem. We don't have, let's say, ways to measure, other than doing phishing simulations, the effectiveness of training and of awareness on our employees, or in general on our humans, let's say, in an organization. Then there is the other point, point two, which is vulnerability assessment and penetration testing of the human element.
So phishing simulations are actually a sort of vulnerability assessment. You are going to measure the vulnerability of your humans. But there is one thing that is missing: how to translate these vulnerability assessment results into cyber risk estimations, because actually every human in our organization represents a risk for your organization depending on the things that he is handling, the importance of the assets, the portfolio and so on. It also represents a risk in terms of personal attitudes. For example, people that have been trained in human sciences and not informatics, for example, or personal attitudes, for example, people that are more likely to repeat the same error over time. So, and the same thing happens for penetration testing on the human layer. So not only as a part of a red team activity, but just a penetration testing on its own, to give, let's say, a measurement of what the risk actually is.
Then the training as a defensive instrument. This is another important aspect, because actually training is going to reduce the cyber risk for the persons, for the enterprises applying training on the persons. Well, what is actually missing is the concrete reduction of cyber risk by training. So closing the loop between humans at risk, cyber training as a reduction methodology, and then what is the impact on the cyber risk mitigation. Then point four is the threat intelligence on the human layer. Here we have an important aspect that is not, let's say, easy to be solved, which are the ethical issues. We can do threat intelligence on our own humans, let's say on our own persons, but at a certain point a company must stop activities. So we can, for example, investigate inside the social media profile of a single person to understand, for example, which information of the company is spread by error.
This morning there was a video of a secretary that was taking a photo on Instagram, and in the background there was a sort of password. This is a common situation, but the company cannot go and question inside the profile of a person what she is doing, because it is part of the personal sphere, let's say. Then the simulation of the human-related threats and attack patterns. This is something where cyber crime, social engineering, is the best in class. It is able to create, more than 90% of the successful attacks are coming from social engineering. So the simulation of the related threats is an important aspect as well. Then the other part is AI for automation and mitigation of the attacks. On one side you have AI for automating phishing attacks. We all know that. There is an increasing trend in generating AI images automatically, but the same thing can be done for the text, for the logos, for the entire phishing email, for collecting information on the net through AI. So almost all the steps are quite efficient automations, but at the same time we can use AI to assist humans.
For example, the automatic deception detection systems, that is a category that was first introduced by HP almost six, seven years ago. It never went to the market concretely. Then the human sensors network, that is the network of humans cooperating with each other collaboratively with instruments. Or the seventh point, that is integrating the estimation of the cyber risk. You all know that IT risk is one thing; OT, related to industrial operations, is another source of risk. Most often what we forget is the presence of another source, again, that is the humans. So we are still missing an integrated cyber risk management, estimation, management and mitigation framework that includes everything: IT, OT and humans. This is not yet present, I would say. And the other part is that, of course, when you are dealing with humans, you are dealing with a completely different set of, let's say, I would say, assets, with nothing in common.
So if you are using IT sciences or hard sciences to handle the IT part of security, when you deal with the human part of security you need a completely different type of mindset. For example, psychologists, cognitive sciences, most of all, IT experts as well. Of course psychology, cyber psychologists, psychologists, cybersecurity experts, philosophy, political science, marketing, pedagogy and so on. All people that are not used to talking about cybersecurity. As a matter of fact, in the last years I went to different universities speaking about cybersecurity, for example with psychologists or with marketing people or with designers. And most of the time it is interesting, because on one side they are giving me more ideas for attacking people; on the other side, they have specific ideas on defending people. For example, one thing that is becoming prevalent in these years is behavioral design. So designers, they are applying design to the behavior of persons, of course to be more secure in this case.
Well, these are more or less the same lines. I spent more time on the first slide, so I will go through this more rapidly, because what I would have said here I have already said on the first slide. But anyway, the point is that for special education tracks, one point that is very, let's say, very problematic in training is that no one knows how to measure the effectiveness, or also the so-called return on training investment. Those are things that are hardly measurable. You don't know how long people retain what you told them and when they will start again to do the same things, because sooner or later we start again, and this must be done... another important aspect is that this must be done at several layers: red team, blue team, IT experts, employees, because one of the things I heard in the talk before is that everyone talks about employees.
Well, the humans are not only on the employees' side, they are also on the IT side. For example, human errors. When there is a real emergency, what does the IT security incident management team do? Are they panicking, are they applying the policies, procedures, KPIs correctly? Well, most of the time, for example, they have been trained in a cyber range, that is a simulated environment. They know that they are participating in a simulation. They are not, let's say, putting their work or their salary at risk in a cyber range. So most of the time they realize that there is something they are not able to handle immediately when there is a first attack. So simulating the first attack at the human layer, especially pointing the finger not on the technical side of the defense but on the reactions of humans, that is important. And these are just the two types of vulnerability assessment and penetration testing that I said before: one for employees, that is more or less the simulated phishing, and the other one for the defenders, that is a simulated attack where I'm not going to stress the technical aspects of the defense but the human aspects of the defense, that is a completely different type of thing.
So training as a defense instrument. One important word that is inside this slide is the concept of people analytics. People analytics is a way to collect the data from the HR department, from the portfolio management system and from the personal attitudes of the single persons, blend all these things together and bring out a cyber risk estimation of what the person represents for the company. Then use an AI to, let's say, define the best training vector, the best training for that specific person. Of course, the ideal point is that you would collect everything about a person in order to complete the cyber risk estimation, the risk that the person represents for the company, but at the same time you have problems of ethics, of legal, of labor legislations and so on. So there is a limit on this side of cybersecurity that you cannot cross.
Then, of course, the threat intelligence on the human layer. That is open source intelligence. Of course you can do it, but at a certain point you have to deal with the fact that you are hitting personal information. So there is a limit on this. Another important aspect of research is the human honeypot. That is interesting, as well as the technical honeypots. It is a matter of simulating a human in clicking through mails, in exposing on social media, of course, a fake person, just to attract new phishing campaigns, new things like this. That is not yet developed, it is still research, but an interesting element from my point of view. Then AI for mitigation of the human-related threats. One important thing is what I said before, the anti-deception and detection systems; there is something that assists you. For example, there is something to identify that a picture of a person on a profile on social media is generated by an AI.
There is even a Chrome extension that allows you to say this is an image generated by an AI, but in a way it is also valid for voice, for email, for text, for everything, and this is something that is still not at that level; there is a lot of research still going on in this area, I would say. Then the integration of risk, that is the last, let's say, point, that brings to the, let's say, final wrapping concept. That is, how can we measure in an integrated way all the sources of risk: IT, OT for those companies that have industrial stuff, but of course also the humans? Most of the time, well, I have rarely seen models to, let's say, measure or estimate the risk posed by humans. For example, when you do a phishing simulation or a simulation of an attack against the defenders, you collect a lot of data: the impulsivity of the attack, the number of victims, if they are clicking despite having received the training, or if they even forwarded the email to someone else, for example. This happens very, very often. The point is that all this information that you collect through phishing simulations or through simulated attacks is good also to feed a cyber risk model. Well, on the market there are very few of these types of things, and it is a topic in which research is still lacking. And that was the last one.
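The people-analytics idea and the risk model fed by phishing-simulation data that the talk closes on, as an added example that is not part of the talk or of KuppingerCole's material: a small Python model that turns constructed simulation results (who clicked, entered credentials, forwarded or reported the lure, and whether the person had been trained before) into a per-person risk score weighted by what that person can expose, and that buckets click rates by days since training to approximate the retention curve the speaker says nobody measures. All names, dates, weights and bucket boundaries are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    name: str
    asset_criticality: int         # 1 (low) .. 5 (high); stands in for HR/portfolio data
    last_training: Optional[date]  # completion date of the last awareness training, if any


@dataclass(frozen=True)
class SimulationResult:
    person: str
    campaign_date: date
    clicked: bool
    entered_credentials: bool
    forwarded: bool   # passed the lure on to colleagues
    reported: bool    # reported the mail to the security team


# Behaviour weights (assumed for illustration, not from the talk).
W_CLICK, W_CREDS, W_FORWARD, W_REPORT = 1.0, 2.0, 1.5, -0.5
REPEAT_PENALTY = 1.5  # multiplier when someone clicks despite prior training


def was_trained_before(p: Person, r: SimulationResult) -> bool:
    """True if the person had completed training before this campaign ran."""
    return p.last_training is not None and p.last_training < r.campaign_date


def event_score(r: SimulationResult, trained_before: bool) -> float:
    """Score one simulation outcome; reporting lowers it, repeat offenders pay extra."""
    score = 0.0
    if r.clicked:
        score += W_CLICK
    if r.entered_credentials:
        score += W_CREDS
    if r.forwarded:
        score += W_FORWARD
    if r.reported:
        score += W_REPORT
    if r.clicked and trained_before:
        score *= REPEAT_PENALTY
    return max(score, 0.0)


def person_risk(p: Person, results: List[SimulationResult]) -> float:
    """Behaviour summed over campaigns, weighted by what the person can expose."""
    own = [r for r in results if r.person == p.name]
    behaviour = sum(event_score(r, was_trained_before(p, r)) for r in own)
    return round(p.asset_criticality * behaviour, 2)


def rank_by_risk(people: List[Person], results: List[SimulationResult]) -> List[Tuple[str, float]]:
    """Highest human-layer risk first: who to prioritise for targeted training."""
    return sorted(((p.name, person_risk(p, results)) for p in people),
                  key=lambda t: t[1], reverse=True)


def retention_curve(people: List[Person], results: List[SimulationResult]) -> Dict[str, Optional[float]]:
    """Click rate bucketed by days since training; a rising rate means the training is fading."""
    buckets = (("0-30d", 0, 30), ("31-90d", 31, 90), ("91+d", 91, 10**9))
    clicks = {label: 0 for label, _, _ in buckets}
    totals = {label: 0 for label, _, _ in buckets}
    by_name = {p.name: p for p in people}
    for r in results:
        p = by_name[r.person]
        if not was_trained_before(p, r):
            continue  # untrained people say nothing about retention
        days = (r.campaign_date - p.last_training).days
        for label, lo, hi in buckets:
            if lo <= days <= hi:
                totals[label] += 1
                clicks[label] += int(r.clicked)
                break
    return {label: (clicks[label] / totals[label] if totals[label] else None)
            for label in totals}


# Constructed sample data (names, dates and outcomes are invented for this example).
PEOPLE = [
    Person("alice", 5, date(2022, 10, 1)),  # handles high-value assets, trained in October
    Person("bob", 2, date(2022, 3, 1)),     # low-criticality role, trained long ago
    Person("carol", 3, None),               # never trained
]
RESULTS = [
    SimulationResult("alice", date(2022, 9, 15), True, True, False, False),
    SimulationResult("alice", date(2022, 11, 20), False, False, False, True),
    SimulationResult("bob", date(2022, 9, 15), True, False, True, False),
    SimulationResult("bob", date(2022, 11, 20), True, False, False, False),
    SimulationResult("carol", date(2022, 9, 15), True, True, False, False),
    SimulationResult("carol", date(2022, 11, 20), False, False, False, True),
]

if __name__ == "__main__":
    for name, risk in rank_by_risk(PEOPLE, RESULTS):
        print(f"{name:<6} risk={risk}")
    print("click rate by days since training:", retention_curve(PEOPLE, RESULTS))
```

Two design points mirror the talk. The behaviour score alone would rank carol and alice's September result equally; multiplying by asset criticality is what lets the same click mean more for someone handling critical assets, and the repeat penalty is what makes "clicked despite training" visible as its own signal. The retention buckets only count people who had been trained before the campaign, so the curve measures how the training effect decays rather than how untrained people behave.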
