Most cyber events are driven by human and behavioral factors – it’s often easier for bad actors to trick an employee into handing over their legitimate credentials or clicking on a bad link in a phishing email than to break into the network via technical means alone. So when an organization’s cyber risk is calculated only according to technical indicators, as is often the case, the results can fail to identify the relevant risk factors.
To accurately model cyber risk, three crucial aspects of a cyber event’s human-computer interplay must be considered: people, processes, and, of course, technology.
The people behind cyber attacks often dictate their frequency and severity. For example, a large corporation may be targeted by a number of outside aggressors—rivals, criminals, rogue insiders, activist groups, even state actors—each of whom has a unique motivation, level of sophistication, and resources. These differences will determine how often their attacks happen and how damaging they are.
But the human element of a cyber attack is not limited to intentional aggressors. According to a 2014 study by IBM, 95% of all cybercrime involves human error—an employee loses a device or leaves it unattended, creates weak passwords, or clicks on malicious links.
An insider may also intend to attack the company. Insiders include past or present employees, contractors, vendors, and other individuals with privileged information about the company or its security protocols. Intentional insider attacks can be extremely damaging, partly because they may go unnoticed for a long time. That’s why keeping an eye on insiders is critical. According to a 2015 AT&T survey, 32% of respondents said inside threats were more destructive to their organizations than outside threats.
Any company’s security profile is only as strong as its weakest link. The problem is, many organizations employ or contract with individuals who do not follow security protocol.
Most companies have corporate guidelines for protecting their technology, but it is still impossible to monitor their entire network. This reality is exacerbated by employees and contractors connecting private devices to the company’s intranet as BYOD programs grow in popularity. If the oversight of an organization’s network connections is too narrow or too simple, it can create dangerous security blind spots.
It is therefore as important to consider how a company protects itself as whom it employs and what technology it uses. Does the organization teach and enforce proper protocols and industry standards across the company and among third parties? The quality of an organization’s mitigation and incident-response processes suggests how severe a cyber attack could be, should one occur.
Finally, the organization’s technology posture and technical indicators are important to understanding cyber risk. For example, what firewall protection is present, and how are personal devices on the company network monitored?
It is also necessary to evaluate the organization’s established cybersecurity software, and whether any of it is missing security patches. A detailed audit of this technology stack and its history of cyber events will show how prepared the company is for future attacks.
Cyber risk models have traditionally considered only an organization’s technology. But that’s like betting on your favorite football team based only on the quality of its defense. The match’s outcome will be dictated by much more—like your team’s offense, which players are on the disabled list, and the relative strength of your team’s defense and your opponent’s offense.
As we learn more about cyber events, we know that technology, like the defensive line, is only one part of the whole. Technology must also be analyzed alongside people and processes for an accurate assessment of risk.