Image: Hands on a computer keyboard. A warning message is visible on the screen.
By Marco Altenseuer on 13.08.2024, IT Security

Human vulnerability

In contrast to technical vulnerability management from the previous article, the treatment of human vulnerabilities is primarily non-technical, but various tools can also provide support in at least one phase of vulnerability management.
Basically, a human vulnerability is anything where a person intentionally or unintentionally performs an action that leads or can lead to at least one security event. The reasons for this can be as varied as the people themselves, which is why only examples can be given here.

Vulnerability due to ignorance

If a security event is caused unintentionally, the decisive factor is usually simply ignorance or an oversight. Some examples of this are:

  • An employee sends an email with a confidential attachment to the wrong recipient.
  • An employee does not realize that a received email is a phishing attempt with malware attached and opens the attachment.
  • An employee receives a call from an external number and answers it. The caller explains that he is from a manufacturer’s support department and urgently needs access to internal systems, but the specialist department is unavailable. The employee is happy to help and, since it is an emergency, provides the required information, including his account details with the necessary authorizations.

The above examples may seem contrived, but they have already happened several times in this or similar ways. All examples have one thing in common: the vulnerability itself cannot be closed by technical means. However, technical means can be used to prevent or subsequently detect the resulting security event: data loss prevention can counter the unintentional sending of confidential information; mail filtering before the message reaches the user and anti-malware solutions can help against phishing mails; and in the third example, access rules (conditional access) and authorization concepts can be helpful. Many other examples may require the use of additional tools, some of which are maintenance-intensive.

Nevertheless, the actual vulnerability is still not closed. It is therefore necessary for all employees to be familiar with the security policies and to develop an awareness of the possible consequences of their own actions.

This is where security awareness comes into play. Properly implemented and, in the best case, set up as a continuous project, security awareness ensures that an awareness of information security is built up bit by bit. This may also mean that employees have to read through the security policies and confirm that they are aware of them, but to be honest, you have to admit that the effect in this case is very short-lived or even non-existent. Instead, an attempt should be made to increase employees’ interest in learning about this rather dry topic. Gamification and offering prizes are just two examples of this.

Another way is the shock moment or making employees feel caught out. This method is the most effective, but should only be used rarely. In addition, no one should be “pilloried” here. An example of this method is the phishing simulation, in which a phishing email is deliberately sent to employees. The aim of this email is to get them to follow a link in the email. However, the link leads to a website controlled by the security team and gives clear indications that they have fallen for a phishing simulation and tips on how to avoid this next time.

The possibilities are extremely varied and depend on the company and the available budget. If implemented correctly and continuously, this significantly reduces the risk of employees inadvertently or through ignorance becoming weak points. Protection is therefore increased before such an event even occurs.

Intended events

The situation is different when employees knowingly become vulnerabilities, and here too there are many possible reasons. An employee may be on bad terms with their employer and therefore be susceptible to recruitment attempts that aim to obtain confidential information in return for payment. Another employee may be extorted into disclosing information. Such incidents are relatively rare, but often cause a great deal of damage when they occur. A security awareness program has very limited means in such cases; it can, for example, point out the criminal consequences. The risk can also be mitigated by carrying out regular background checks, for example, although it must be noted that data protection must remain guaranteed here.

Detection of such events can be an effective aid in the case of intentional incidents. The tools already mentioned above, such as data loss prevention, are relevant here, as is the logging of events on the individual systems. Ideally, a tool is used that detects anomalies on systems and in user behavior. For example, an employee who has mainly sent emails without attachments in recent months suddenly sends a large number of attachments to an external recipient. There can be many legitimate reasons for this behavior, but it can also indicate that information is being taken out of the company. A prompt check may be able to limit the damage here. However, compliance with legal requirements, particularly with regard to data protection, must also be observed.
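The attachment anomaly described above, as an added example that is not part of the original post: a per-sender baseline of external attachments is built from constructed mail-gateway log lines (the log format, the company domain `example.com`, and the thresholds are assumptions), and a sender whose count on the day under review exceeds a multiple of that baseline is flagged. A minimum absolute count keeps a single stray file from triggering an alert, which is where the legitimate-reasons caveat from the text comes in.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

INTERNAL_DOMAIN = "example.com"  # assumed company domain (hypothetical)

# Constructed sample log: timestamp, sender, recipient, number of attachments.
SAMPLE_LOG = """\
2024-05-06T09:12:00 alice@example.com bob@example.com 0
2024-05-14T10:02:00 alice@example.com vendor@partner.example 1
2024-06-03T11:30:00 alice@example.com bob@example.com 0
2024-06-18T15:45:00 alice@example.com vendor@partner.example 1
2024-07-09T08:20:00 alice@example.com carol@example.com 2
2024-07-29T16:05:00 alice@example.com vendor@partner.example 1
2024-08-12T09:00:00 bob@example.com vendor@partner.example 3
2024-08-12T18:40:00 alice@example.com drop@mail.example 12
2024-08-12T18:41:00 alice@example.com drop@mail.example 15
2024-08-12T18:43:00 alice@example.com drop@mail.example 9
"""


def parse_log(text):
    """Return (day, sender, recipient_domain, attachments) tuples."""
    rows = []
    for line in text.splitlines():
        ts, sender, rcpt, n = line.split()
        rows.append((datetime.fromisoformat(ts).date(), sender, rcpt.split("@")[1], int(n)))
    return rows


def external_attachments_per_day(rows):
    """Count attachments sent to domains other than INTERNAL_DOMAIN, per (sender, day)."""
    counts = defaultdict(int)
    for day, sender, domain, n in rows:
        if domain != INTERNAL_DOMAIN:
            counts[(sender, day)] += n
    return counts


def find_anomalies(rows, today, baseline_days=90, factor=5, min_attachments=10):
    """Flag senders whose external attachments on `today` (ISO date string) exceed
    `factor` times their average daily count over the preceding `baseline_days`,
    and are at least `min_attachments`, so a lone attachment never triggers."""
    today = date.fromisoformat(today)
    start = today - timedelta(days=baseline_days)
    counts = external_attachments_per_day(rows)
    flagged = {}
    for sender in {s for s, _ in counts}:
        baseline_avg = sum(n for (s, d), n in counts.items()
                           if s == sender and start <= d < today) / baseline_days
        today_total = counts.get((sender, today), 0)
        if today_total >= min_attachments and today_total > factor * baseline_avg:
            flagged[sender] = (today_total, round(baseline_avg, 3))
    return flagged
```

In the sample, alice sent three external attachments in the whole 90-day window and 36 on the review day, so she is flagged; bob sends three with no history, which stays below the minimum and is not reported.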

Conclusion: it’s all in the mix

Considering the “human vulnerability” is important, but also extremely challenging. However, a mixture of measures such as a security awareness program and the use of supporting tools to detect and prevent incidents can help to significantly reduce the risk posed by this vulnerability.

Marco Altenseuer

Information Security Officer

Marco is our IT security specialist and will be happy to answer any questions you may have in this area.
