While everyone agrees that employees are the weakest link in cyber security, little is done to proactively assess how risky they really are. Most CSOs focus on technical security—a domain that is easier to understand, enumerate, and correct—but limit the focus of employee risk assessments to simply curtailing their network access or doing some penetration tests in conjunction with some form of awareness training. In most risk assessment models, it is the pen-test's click-through data that is used as a benchmark of employee cyber vulnerability, while the training that follows is expected to "stick" better because the employees have just been jolted into awareness by the phishing test. Over time, this combination is expected to lead to increased cyber vigilance. But how well does this paradigm actually work? Are simulated phishing attacks actually reflective of employee phishing awareness and knowledge?
This presentation will discuss the ways in which simulated phishing tests and training are presently being conducted by small and large for-profit and federal government organizations. Next, using data from actual pen-tests and different forms of training, the presentation will discuss the strengths and limits of each approach. Finally, the presentation will provide alternative ways to go beyond simply assessing clicks to more accurately assessing and tracking employee cyber vulnerability within the organization by focusing on employees' cognitive-behavioral patterns. Any threat assessment model is only as good as the data inputs in the model. With users posing some of the biggest risks, accurately assessing human cyber vulnerability is not just important, it is essential.