The Extent of User Domain Risk
Most cybersecurity (cysec) professionals have heard, or likely even espouse, the tragedy of the user domain. From a security perspective, the scale and breadth of human risk within an organization is seen as significant. Contextualization helps in addressing the magnitude of human error through the lenses of both threat and vulnerability. To state the risk bluntly, an overwhelming majority of organizations view this as the number one risk to operations, including over three quarters that have experienced breaches due directly to failures in the user domain. [1]
While human error is the focus, it would be remiss to overlook the roles of both employees and management in securing the user domain. An alarming proportion of organizations report positive employee inclinations toward self-reporting, yet management often does not heed the warnings from its employees. This mistrust between worker and manager is also visible in the repercussions of reporting, which often fall back onto the employees themselves: nearly 90% report being negatively impacted by their own security reports. This has had clear impacts on trust between worker and manager, eroding the foundational security culture that promotes awareness and good behavior writ large. Only 54% of employees value, or feel valued by, their security culture. [1]
A poor security culture can cascade rapidly. Cysec professionals know the dangers of phishing, vishing, smishing and other social engineering attacks. At this point, most people within an organization should be aware of them, since nearly three quarters of all organizations have experienced this sort of attack. Addressing this inadequacy takes an engaged awareness program, improved behavior over time, and a culture of security awareness. Non-compliant behavior, which nearly three quarters of organizations experience, means staff are circumventing existing security protocol, and realizing this is a dagger to the heart of security practitioners. [1]
An enormous proportion of organizations fear the insider threat, plan for phishing attacks, and mitigate against technical approaches to data exfiltration. [1] Most studies paint a different picture. Non-compliance, sometimes referred to as negligence, is the leading cause of cysec incidents. Only 11% of organizations blame sophisticated cyber attacks as the leading cause of security breaches, which points directly at line workers lacking awareness and at outright negligence in adhering to basic compliance. A forensics analyst and former Federal Bureau of Investigation (FBI) Special Agent states that organizations “… are realizing it’s not really an ominous cyber problem; it’s actually a people problem.” [2] But it is not only the line workers who are responsible.
Human error accounts for a large proportion of the security incidents experienced by most organizations. The problem is complex, because teaching people to understand the importance of security takes more than a 30-minute computer-based exercise. Security-oriented organizations that lack general awareness, routinize poor behavior from the CEO to the line worker, and promote a negative security culture are far more likely to be vulnerable to threats both external and internal. The real question, then, is: why do so many organizations fail the ABCs of security, and what can they start doing to mitigate a rapidly increasing threat?
Resources:
[1] “Insider cyber incidents: human error is the top cause of serious data breaches.” Continuity Central. [Online]. Available: https://www.continuitycentral.com/ (accessed Jun. 04, 2022).
[2] J. Jaeger, “Human Error, Not Hackers Cause Most Data Breaches,” Compliance Week, Feb. 5, 2013. [Online]. Available: https://www.complianceweek.com/human-error-not-hackers-cause-most-data-breaches/4048.article (accessed Jun. 04, 2022).