The Vulnerability Of Human Compliance


02 Nov 2017


Technology and process alone cannot guarantee a secure organizational environment. Although cybersecurity policies and procedures may have been instituted and the technology within an organization may be cutting edge, these elements alone are not sufficient to provide an adequately secure environment. A third factor must be considered. People (the human factor) are the single most important cybersecurity vulnerability facing IT managers today. However, the human factor is often ignored as the third and primary component of a cybersecurity infrastructure. The term "human factor" does not mean the same thing to everyone in the information security industry, and it has been largely ignored.

Conventional Information Security

What are the components of the human factor vulnerability? Information security environments are typically thought of as existing in two parts: technologies, and the policies and procedures instituted to implement those technologies, also known as access control. In this two-part system neither part can function without the other in the attempt to maintain a secure organizational environment. In information security the term "access control" is used to manage the relationship between the process of policy and procedure and security technologies. Access controls have been formulated into three fundamental principles, Confidentiality, Integrity, and Availability (CIA), as defined by the International Information Systems Security Consortium (ISC)². These principles are also known as the CIA Triad. The CIA Triad by definition: confidentiality ensures that access to an object is authorized; integrity ensures an asset is protected against corruption or unwanted changes; availability ensures authorized entities have access to objects within an acceptable period of time (Stewart, Tittel, & Chapple, 2011). Stewart et al. (2011) subdivide the CIA Triad into seven categories of access control:

Preventative access control

Deterrent access control

Detective access control

Corrective access control

Recovery access control

Compensation access control

Directive access control

For purposes of saving space, the controls listed above (Stewart et al., 2011, Chapter 1) will not be described in detail. However, it is interesting to note that none of the technology and process controls above deals directly with a human factor control. The CIA principles above are further categorized and capped by Ahmed, Sharif, Kabir, & Al-Maimani (2012) using three primary techniques: prevention, detection, and response (p. 1). Here again, the human factor is not addressed in direct terms or even implied, and so it remains ambiguous.

The human factor

What is the human factor? Where does it appear? Author Bruce Schneier is an internationally respected security expert and cryptologist. In chapter seven of Schneier's book "Secrets and Lies", entitled "The Human Factor", Schneier (2001) describes his impression of the human factor: "People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems" (p. 255). Egan (2005) also identifies the weakest link in the security chain as the human factor and promotes it as an integral third part of the information security framework: "although technology and processes represent foundational pieces of a corporate information security framework, a third component is needed to complete the picture: people" (p. 1). It is agreed that people are the weakest link in the security chain, and Egan is also recognized for identifying the human factor as a critical third component of the corporate information security framework. However, Egan goes astray. Egan (2005) goes on in his paper to promote the idea that an organization is comprised of people and that having dedicated information security people within an organization is key to understanding and meeting the challenges of both the present and the future.

Although Egan (2005) introduces the human factor as the missing third element in the information security framework, his view is focused solely on managerial and organizational solutions. His remedy to the information security problem is to have enough security professionals assigned, using a formula: "for every 1,000 employees at least one information security professional must be in place who has the credentials and experience required" (Egan, 2005, p. 1). Egan continues with "A senior-level leader should be at the head of the information security team" (Egan, 2005, p. 1). Eight years have passed since Egan wrote his article, and the challenges of the Egan future (now the Egan present) are still not being met. Egan attempted to introduce a new definition of the human factor and create a new paradigm in which the organizational management of information security resolves the problem. Agreed, Egan correctly identified the human factor as the basic problem, but his solution is simplistic. It is most likely that Egan developed his perspective from a report on a 2005 study done by the Information Systems Audit and Control Association (ISACA). It is interesting to note that ISACA (2005) states in its summary: "The information contained in this report reflects a growing recognition that information security is not just an information technology problem; it is a business problem that cannot be addressed by simply hiring information security professionals and creating impressive titles" (p. 18). Thus ISACA (2005) strangely contradicts the premise of Egan's article (Egan, 2005).

Problems with human factor definitions

Hugl (2009) refers to the same ISACA (2005) study. He agrees that information security discussions from the 1980s onward still refer to general organizational management issues (p. 80). Furthermore, according to Hugl (2009), little has changed because critical information security issues are treated much the same way as industrial safety issues were discussed in the 1980s (p. 80). This is an example of the same disconnect that has existed between labor and management since the industrial revolution; it has existed for as long as there have been leaders and those who are led. There exists a paradox, a dilemma: we are using the human factor as Egan defines it (Egan, 2005, p. 1) to solve the problems of the human factor as Schneier defines it (Schneier, 2001, p. 255). This is not just a matter of terminology, the human factor of management vs. the human factor of labor. It is agreed that the human factor must be considered as an organizational management security issue, but that is not where the critical vulnerability of the human factor lies. If the human factor is to be seen in proper perspective, then the factors influencing human behavior and human error must be considered with respect to information security. These factors must be considered from the very foundations of human behavior as applied to information security systems. Parsons, McCormac, Butavicius, & Ferguson (2010) agree: "An exclusive focus on the technical aspects of security, without due consideration of how the human interacts with the system is clearly inadequate" (p. 1).

The impact of the human factor

Each of the errors above can be classified as either unintentional or malicious. However, regardless of the human mindset that initiated the behavior and thus the security breach, security systems must exist to prevent both types of undesired behavior. This is true in society (e.g. traffic controls) as well as in information security. A recent study conducted in Zimbabwe (Rupere, Mary, & Zanamwe, 2012) supports the fact that eleven years after Schneier (2001) described people as the weakest link in the security chain, the weakest link still remains, across the globe in Zimbabwe, Africa. In this case Kevin Mitnick is cited by Rupere et al. (2012): "humans are the weakest link in information security" (p. 1). The weakest link metaphor has seen a great amount of use within the information security industry. The human factor should not be replaced by a catch-phrase that is used like a mantra and loses its significance. The problem of the human factor remains one of major importance. Rupere et al. (2012) refer to the human factor as the "missing link in information security" (p. 1). This seems a more appropriate use of the chain link metaphor (missing vs. weakest link) because it implies a proactive approach rather than the reactive approach of the weakest link metaphor. The Zimbabwe paper includes a study (Rupere et al., 2012) which concluded that non-compliance with information technology policy and lack of information security training were the major contributing elements to security concerns (the human factor). The Rupere et al. (2012) study found [Figure 1.1] that 70% of the end users surveyed never received IT training or referral to policy. In addition, 23.2% shared their passwords on a regular basis, 39.1% sometimes left their computers unattended while still logged in, and 37% regularly opened email with an interesting subject from an unfamiliar source. The study did not take deliberate malicious or destructive behavior into consideration but instead focused on careless human error that could leave the information security environment vulnerable to threats.

Another study, done by CompTIA (2012), surveyed 308 end users who experienced security breaches [Figure 2.1]. Of these breaches, 46% resulted from technology errors and 54% from human errors. Of the breaches due to human error, the sources were: 49% end user disregard of policies and procedures, 36% IT staff disregard of policies and procedures, 34% general carelessness with regard to security, and 34% lack of security expertise with websites and applications (p. 31). The CompTIA (2012) study considered both unintentional and malicious aspects of the human factor.

Approaches to the human factor

Deterrence is one example of an approach to the human factor with regard to intentional information security violations. Deterrence is a means of prevention that limits perceived reward vs. risk and draws on moral conviction. Hu, Xu, Dinev, & Ling (2011) begin their discussion with deterrence as one approach to the human factor problem. The study identifies the human factor (human agent) first, and then technology and policy as dependents of the human factor. Again, the human factor is identified as the third element in the policy/technology/human factor triad: "human agents are still the weakest link in the defense against outside attacks and the most dangerous to the organizations from within" (p. 54).

Hu et al. (2011) continue their study of the human agent from the perspective of criminal psychology, including deterrence theory, rational choice theory, and social control theory. Their paper describes how policy offenders are primarily concerned with the positive consequences of their violations rather than the negative consequences. Here is the issue of the risk and reward of policy violation vs. moral values and self-control. Although Hu et al. (2011) conclude by admitting that deterrence is not very effective in reducing policy violations, they give suggestions for employers to help manage employee information security behavior effectively: A. Reduce the perceived benefit of policy violations by making assets less attractive, less visible and less accessible. B. Screen applicants for a high level of self-control and strong moral beliefs for sensitive positions. However, even as admitted by Hu et al. (2011), the deterrence approach is too simplistic and presents more theory than solution. It addresses the problem as an ideology of voluntary compliance, "adopting high standards of organizational excellence and corporate citizenship" (Hu et al., 2011, p. 60). This is excellent in theory, but as Hu et al. (2011) show, deterrence shrouds the human factor in sociological mystery, suggests little except theory, and offers no real solutions. Another deterrence study, by Park, Ruighaver, Maynard, & Ahmad (2012), done from an information security manager's perspective, also concludes that deterrence is ineffective, but offers detection as a more practical solution: "current deterrence strategy has little influence on reducing violations because it is only used as a prevention strategy due to the lack of means of detection." [Abstract].

Another study, Ahmed et al. (2012), also uses the weakest-link metaphor to describe human error (p. 1). According to Ahmed et al. (2012), "Although human behavior and resulting errors often facilitate security breaches, the issue is not adequately addressed by many current security models" (p. 1). The study discusses the importance of the human factor as a crucial element in many security failures, states that there is a "lack of empirical research in the field of information security and human errors" (p. 2), and suggests that a new model of Human Computer Interaction (HCI) be introduced. The primary study of HCI is concerned with the quality and quantity of human-computer related tasks; Ahmed et al. (2012) suggest merging information security with a wider HCI perspective (p. 2). This may serve to create an identifiable model geared towards human error, but the error can only be mitigated through policy, adherence to which is itself subject to human error; again, a mystery of the human factor.

Mitigation of the human factor

The human factor has been addressed and explained in various terms and with various solutions. Technology can and will change, and policy will change to accommodate technology and human behavior. However, basic human nature does not change. In a voluntary system humans will continue to err regardless of technology or policy. This is an unavoidable reality due to the complexity of human behavior. The vulnerability of the human factor can best be addressed by replacing manual compliance with automated compliance wherever possible. Research for this paper indicates that very limited information exists regarding the human factor and direct automated compliance. The automated compliance systems that do exist tend to offer a twofold solution but focus on satisfying policy. Hietala (2007) describes this twofold solution: "To maximize compliance efforts, many organizations are using automated compliance solutions that address the threat landscape, while simultaneously satisfying regulatory mandates" (p. 1). The automated compliance solutions' primary goal is to satisfy the requirements of mandatory regulations such as the Sarbanes-Oxley Act of 2002 and the International Organization for Standardization (ISO) 27001 standard.
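As an added illustration of the recommendation above to replace manual compliance with automated compliance (this is example code written for this page, not code from the essay or from any study it cites), the following Python script evaluates endpoint inventory records against a written policy covering three of the careless behaviours reported earlier: workstations left logged in unattended, missing security training, and email from unfamiliar senders. The `Policy`, `Endpoint`, `evaluate` and `compliance_report` names, the thresholds, the hostnames and the inventory records are all assumptions constructed for the example; a real deployment would read the records from an endpoint management or configuration management system.

```python
"""Automated compliance check: evaluates device configuration records against a
written policy instead of asking users to attest to their own behaviour.

All names, thresholds, hostnames and dates below are constructed for this
example and are not drawn from the essay or from any study it cites.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    max_idle_lock_seconds: int = 600               # unattended logged-in sessions
    training_valid_days: int = 365                 # awareness training renewal window
    require_external_attachment_scan: bool = True  # mail from unfamiliar senders


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    idle_lock_seconds: Optional[int]   # None means the screen lock is disabled
    last_training: Optional[date]      # None means no training on record
    external_attachment_scan: bool


@dataclass(frozen=True)
class Finding:
    hostname: str
    control: str
    detail: str


def evaluate(ep: Endpoint, policy: Policy, today: date) -> List[Finding]:
    """Return every policy violation for one endpoint; an empty list means compliant."""
    findings: List[Finding] = []

    # Rule 1: the idle screen lock must be enabled and no looser than policy.
    if ep.idle_lock_seconds is None:
        findings.append(Finding(ep.hostname, "screen-lock", "idle screen lock disabled"))
    elif ep.idle_lock_seconds > policy.max_idle_lock_seconds:
        findings.append(Finding(ep.hostname, "screen-lock",
                                f"idle lock {ep.idle_lock_seconds}s exceeds "
                                f"{policy.max_idle_lock_seconds}s"))

    # Rule 2: security awareness training must be current.
    if ep.last_training is None:
        findings.append(Finding(ep.hostname, "training", "no security training on record"))
    else:
        age = (today - ep.last_training).days
        if age > policy.training_valid_days:
            findings.append(Finding(ep.hostname, "training",
                                    f"training is {age} days old "
                                    f"(limit {policy.training_valid_days})"))

    # Rule 3: attachments from external senders must be scanned before delivery.
    if policy.require_external_attachment_scan and not ep.external_attachment_scan:
        findings.append(Finding(ep.hostname, "mail-scan",
                                "external attachment scanning disabled"))
    return findings


def compliance_report(endpoints: List[Endpoint], policy: Policy,
                      today: date) -> Tuple[List[Finding], Dict[str, float]]:
    """Evaluate a fleet; return all findings plus, per control, the percentage of
    endpoints failing it (each host counted once per control)."""
    all_findings: List[Finding] = []
    failing_hosts: Dict[str, int] = {}
    for ep in endpoints:
        findings = evaluate(ep, policy, today)
        all_findings.extend(findings)
        for control in {f.control for f in findings}:
            failing_hosts[control] = failing_hosts.get(control, 0) + 1
    rates = {c: round(100.0 * n / len(endpoints), 1) for c, n in failing_hosts.items()}
    return all_findings, rates


# Constructed sample inventory: hypothetical hosts, settings and dates.
POLICY = Policy()
TODAY = date(2024, 6, 1)
SAMPLE_ENDPOINTS = [
    Endpoint("ws-01", 300, date(2024, 1, 10), True),   # fully compliant
    Endpoint("ws-02", None, None, True),               # lock off, never trained
    Endpoint("ws-03", 1800, date(2022, 5, 1), False),  # fails all three rules
    Endpoint("ws-04", 600, date(2023, 9, 1), True),    # exactly at the limits
]


def run_sample() -> Tuple[List[Finding], Dict[str, float]]:
    """Run the report over the constructed inventory."""
    return compliance_report(SAMPLE_ENDPOINTS, POLICY, TODAY)


if __name__ == "__main__":
    sample_findings, sample_rates = run_sample()
    for f in sample_findings:
        print(f"{f.hostname}: [{f.control}] {f.detail}")
    for control, pct in sorted(sample_rates.items()):
        print(f"{control}: {pct}% of endpoints non-compliant")
```

Unlike a questionnaire, the check does not depend on users reporting their own behaviour: the settings are read from the device record, and a failing host is counted once per control so the report reads the same way as the survey percentages quoted earlier. Password sharing is deliberately absent from the rules, since it cannot be inferred from device configuration and remains a matter of training and detection rather than automated enforcement.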

Figure 1.1 Human error data collected in study (Rupere et al., 2012)

Figure 2.1 Human Elements as Security Risk (CompTIA, 2012)
