Phin Security

Understanding Human Vulnerability Management | EP 002

The episode emphasizes the critical importance of human vulnerability management in cybersecurity, highlighting that 82% of breaches involve human error, and critiques the stagnation of traditional security awareness training methods over the past 25-30 years despite the increasing integration of technology in daily life.

Today, the focus is on the human side of phishing. If you don't understand the importance of training your staff to recognize their vulnerabilities, you leave your business open to multiple threats. It's not a matter of if, but when it will happen to you.

Full Episode 002 Transcript

Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals.

In the last episode, I talked about phishing, what it is, and how to prevent it. Today, I'm going to focus on what I call the human side of phishing. According to Verizon's Data Breach Investigation Report (2022), 82% of breaches involve what they call the human element. Let's dive into that a little bit, figure out if that's really accurate, and talk about some issues around what I call human vulnerability management.

The History of Security Awareness Training

People have been fooling others, tricking them, and stealing their money since the dawn of humankind. However, security awareness training as we know it probably started about 25 or 30 years ago, with the dawn of email when everyone started using it to communicate. If you want to go further back, phone phreaking could also be considered the start of phishing and, by extension, awareness training.

Security awareness training has largely consisted of training videos, phishing assessments, and policies for the last 25 years. While the videos have improved, phishing simulations have become more realistic, and delivery has gotten better, there hasn't been significant change, even though technology's role in our lives has increased dramatically.

Why Hasn't Training Evolved?

Twenty-five or thirty years ago, most people weren't even on the internet regularly. Now, technology is everywhere—on our phones, watches, and more. So why hasn't training people to recognize threats evolved alongside technology?

Human Vulnerability Management

Human vulnerability management is the act of incorporating an individual's behavior into how they are continually assessed and trained to recognize how they are uniquely vulnerable to social engineering. It's about allowing individuals to uncover their own vulnerabilities and teaching them how to recognize and address them moving forward. This approach treats people as unique individuals and works with them one-on-one.

At some point, your security gateways, web filters, and endpoint detection and response (EDR) tools may fail. Security is a layered approach, and it's a matter of when, not if, a breach will occur. At some level, a human will have to recognize what's going on and stop it. Human vulnerability management brings this full circle by arming people with the ability to recognize their unique vulnerabilities.

The Evolving Threat Landscape

Social engineering and phishing are constantly evolving. The attacks people face change rapidly. It's critically important that people in your organization recognize what's going on around them because, eventually, technology will fail. An attacker only has to be right once; a defender has to be right all the time. The odds are stacked against defenders, so humans must be prepared to step in.

Critique of the Human Element Statistic

There are some issues with how Verizon's Data Breach Investigation Report classifies the human element. Quoting statistics can make the problem seem vast and unsolvable. However, if Verizon's claim that 82% of breaches involve a human mistake is accurate, humans need to recognize threats before they become larger problems.

The Security Awareness Market

The security awareness market is growing rapidly, yet the rate at which humans are responsible for breaches has also increased. This raises the question: How is it that the market is growing, but humans feel less supported and are more vulnerable than ever? There are many possible reasons, but ultimately, if a human recognized what was happening, that data point wouldn't exist in the breach report.

Adapting to Change

Security awareness training programs should account for the ways social engineering changes over time. If you lock in a program at the beginning of the year and don't change it, the security landscape will have evolved, and your program may not equip people with the necessary skills.

Vulnerability Management Steps

In technology, vulnerability management involves five steps:

  1. 1.Assess the threats
  2. 2.Validate they exist
  3. 3.Prioritize the ones to address
  4. 4.Remediate those prioritized threats
  5. 5.Verify that remediation has occurred

In security awareness today, we mostly have the first half of "assess"—we assess via training and phishing, but we don't validate other vulnerabilities, prioritize, remediate, or verify. Just because your phishing rate goes down to zero doesn't mean your organization is 100% safe. Sometimes, phishing emails are caught by filters, or everyone gets the same phish at the same time, which isn't realistic.

The Importance of Up-to-Date Training

Your employees are the most important key to keeping your data and company safe. You need an up-to-date awareness training program to do that. Next time, we'll discuss what a security awareness training program should look like, what to care about, and why it matters.

Thanks for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns and how to launch them in ways that actually engage employees to change their habits, check out Phin Security at phinsec.io.