Podcast | HAIS-Q: A smart solution to cyber security
How can you reduce the risk of cyber-attacks?
While many turn to technological solutions for protection, a team of researchers in Adelaide is looking at how people influence an organisation's information security.
[Music plays and fades]
Alison Caldwell: Hi, I'm Alison Caldwell with another podcast from Defence Science and Technology.
Alison Caldwell: In today's podcast: we look at how DST and the University of Adelaide have partnered to understand and assess why people are the weakest link in the information security chain.
Alison Caldwell: Right now, your company or organisations could be under cyber-attack by criminals looking to steal your most valuable assets. Increasingly, they're breaching computer security systems by targeting the weakest links in the information security chain – people.
But, as this podcast explains, experts from DST and the University of Adelaide have come together to create a tool they believe can transform information security perceptions and practices.
Computer hackers are like voracious termites.
Silent and stealthy, they get in and attack the most accessible 'sweet spots' in the digital security framework that protects your company or organisation's assets. They could be after your bank account details, your intellectual property, or your clients' confidential details.
What's worse, you may not know that it's happening until it's too late to prevent very costly – even catastrophic – consequences.
So, how do hackers bypass firewalls, or intrusion detection and encryption?
It's tempting to think they're all genius tech-heads.
The reality is often much more mundane – but no less malevolent.
These days, cyber criminals simply target the weakest links in your information security chain: You or your employees.
A 2014 review of information security breaches by US technology giant IBM revealed that attackers are increasingly focussed on trying to breach an enterprise's security infrastructure by targeting employees themselves. What was fascinating – and disheartening – is that human error was shown to be a contributing factor in more than 95 percent of the incidents IBM investigated.
Not surprisingly, personality traits may make some individuals more susceptible than others. One critical human characteristic is called cognitive reflection. It determines how well a person analyses details rather than simply going with their gut. The more analytical the person, the less susceptible they are to dodgy emails designed to elicit sensitive security information.
Developing techniques to improve the analytical decision-making of each individual could make them less vulnerable to decisions that leave an organisation open to attack, such as by malicious emails or the careless use of social media. We'll examine their impact later in this podcast.
Information security specialist Dr Marcus Butavicius says too many companies and organisations are open to attack because they rely solely on technological safeguards, countermeasures and controls such as anti-virus software and firewalls.
Dr Butavicius heads up the DST's Behaviour and Cognition Team within the National Security and ISR Division. He and his team joined with experts from the University of Adelaide's Business and Psychology Schools to find a way to assess how certain individuals contribute to the strength – or weakness – of an organisation's information security.
They've developed the Human Aspects of Information Security Questionnaire, or HAIS-Q. The HAIS-Q has undergone trials with public service organisations, a financial institution, a university, and individuals from the general public, and a published version is now available in the journal "Computers & Security" for anyone to use. Other versions for specific Defence domains are currently being developed.
The online survey allows managers to examine the information security culture and awareness among their personnel from a non-technical perspective. It looks at different human behaviours – ranging from password management and information handling, to the reporting of suspicious incidents, and how they use email, the internet, social media and mobile devices. The survey's results reveal potential vulnerabilities that can then be addressed through education, training and awareness programs.
As mentioned, phishing emails and careless social media use are behind a number of information security breaches today.
Spelt with a 'ph', phishing doesn't involve fish, but it does involve bait – bait that's calculated to lure and reel in unwary victims. Hence the name.
Phishing is any malicious attempt to obtain sensitive information such as usernames, passwords, and credit card details, usually via email. It's usually done by disguising the sender as a bank, insurance company or other familiar and trusted entity.
Phishing attacks and fraudulent websites are becoming increasingly sophisticated. They employ convincing visual tricks and rely on current security indicators failing to detect them. According to Microsoft, the annual worldwide impact of phishing could be as high as $5 billion.
What can you do to reduce the risk? There are several steps everyone can take.
In addition to good technical safeguards (like keeping your software up to date and using anti-virus software), we need to look at our behaviours when using computers to ensure good security. As an individual there are a number of things you can do, including:
- use strong passwords and change them regularly
- beware of suspicious emails and phone calls
- be careful what you click on
- report suspicious behaviour in the workplace
- be careful with what you post on social media
- don't access work files on your laptop when using public wi-fi.
And for organisations: they need to develop a staff culture around information security that involves good education, training and awareness.
The use of social media continues to grow rapidly, bringing with it more sophisticated and dangerous information security threats. Perhaps surprisingly, the fastest growing demographic of social media users is the over 35s – the very people more likely to be in middle or upper management positions.
Dr Butavicius believes all companies and organisations should adopt a two-pronged approach to social media. Firstly, they need a clear and enforceable policy surrounding its appropriate use. Secondly, the policy must be complemented with personalised and meaningful staff education – ideally integrating case studies that bring home the less obvious pitfalls of lax security.
The South Australian Collaboration Pathways Program has provided funding to further develop the HAIS-Q into an advanced security audit tool. Future research will help to further refine it into a more complete information security solution able to make individuals less vulnerable to cyber threats now and in the future.
As our dependence on information technology increases, understanding the ever-changing information security landscape has never been more important. The HAIS-Q and other work conducted by Dr Butavicius' team moves us one step closer to better understanding why people are the weakest link in the information security chain, and how they can become its strongest defenders.
[Music plays and fades]
Alison Caldwell: If you want to learn more about DST's research follow us with @DefenceScience on Twitter, or download the DST App from Google Play or the App Store.
The Defence Science and Technology podcast is a production of the Defence Science and Technology Group, part of Australia's Department of Defence. That's all for now. See you next time.
Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A., & Zwaans, T. (2017). The human aspects of information security questionnaire (HAIS-Q): two further validation studies. Computers & Security, 66, 40-51.