According to NIST (National Institute of Standards and Technology), a “Vulnerability” in the Risk Analysis context is defined as a “flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy”.
An organization undertaking a TIA (Total Information Assurance) program needs to identify the vulnerabilities in all three dimensions, namely Technology, Law and Human Resources.
In this article let’s briefly focus on some of the vulnerabilities in the human system.
“Social engineering” is one of the most successful attacks on system security and causes data breaches time and again. For a Social Engineering Attack (SEA) to succeed, the organization must have vulnerable people inside. The organization trying to mitigate its human risks therefore needs to identify its weak spots and fortify them.
Human risks arise for various reasons, such as:
a) Faulty recruitment
b) Faulty training
c) Faulty personnel management
At the time of recruitment it is necessary for an organization to do an effective “background check”. Normally a “Background Check” is understood as checking the educational documents submitted or the previous employer’s confidential report. These are of course necessary but are not sufficient. What is important is a “Psychographic Analysis” of the employee and its mapping to the known organizational work conditions. To achieve this, the candidate may need to be subjected to an appropriate “Aptitude Test” through which his psychographic profile can be mapped. Some of the attributes that need to be assessed are “Propensity to deviate from procedures”, “Ability to meet stress”, “Attitude towards Authority”, “Attitude to revenge”, “Attitude to Money”, etc.
It is necessary to understand that no person is perfect and hence it is natural to find some elements of “Undesirable traits” in every employee. Sometimes a “Trait” is a reflection of circumstances, and an employee may change significantly over time. Expertise is therefore required to make a proper assessment of the results of the tests without unfairly branding any new employee. The observations made are, however, to be used for designing an appropriate tracking mechanism to follow the employee’s development in the organization over a period of time.
This should be followed up during the course of employment with appropriate training based on the TISM model (Theory of Information Security Motivation), which includes three elements of personnel management, namely Awareness, Acceptance and Inspiration, besides Availability and Mandate. Strategies such as “Whistle blowing”, “dispute resolution through an ombudsman”, etc. are additional measures that an organization needs to consider.
Further, when a person leaves the organization, an analysis of the “Exit Interview” is also required to review the mistakes committed by the organization and improve. It is obvious that the “Exit Interview” has to be conducted by an authority to which the outgoing candidate is likely to express his views freely and in good faith. It is also necessary to accept that most exits happen under stress and disappointment, and a certain level of negative feeling about the management is normal. These views have to be interpreted properly and without causing undue damage to the existing employees.
It is clear that dealing with human risks is not a simple HR function. In fact most organizations may not have in-house expertise, since the HR function may be overburdened with the day-to-day affairs of managing new recruitment, allocation of personnel to different projects and attrition-related issues. “Evaluation” of the behavioural aspects of people has to be handled by experts in behavioural science with an adequate understanding of Cyber Sociology, Cyber Criminology and related aspects.
The subject of “Cyber Space Behavioural Analysis” is an emerging field of study and will be an important ingredient of HR personnel’s training in the future.