FTSE 100 And Fortune 500 Businesses Join Forces To Tackle The Human-Centered Security Problem


Can the OutThink human-risk framework project solve the cybersecurity people puzzle?

Angela Sasse is the professor of human-centered security both at Ruhr University Bochum in Germany and London's UCL. She's also the chief scientific adviser to predictive human risk intelligence platform startup, OutThink, which recently completed a £1.2 million ($1.5 million) seed-funding round. Professor Sasse is to write the world's first comprehensive framework for the management of human risk in cybersecurity. The project, led by OutThink, will run for six months and is already starting to attract buy-in from some Fortune 500, FTSE 100 and Euronext 100 names. To succeed, however, it needs more collaboration from CISOs and security practitioners, which is why Professor Sasse is launching an industry-wide consultation process.

The motivation driving Professor Sasse

There is little doubt that cybersecurity risk has a human side. You only have to read the technology news headlines whenever a major news event, such as coronavirus, strikes: the cyber-criminals looking to exploit human nature are never far behind. With phishing kits for sale that target Amazon, Apple and PayPal users, for example, the social engineering threat is now an off-the-shelf one. And that's before you start looking at other aspects of human risk.

A recent review published by the European Union Agency for Network and Information Security (ENISA) found that there were only a small number of models covering the behavioral aspects of cybersecurity. None of these, it concluded, were a "particularly good fit for understanding, predicting, or changing cybersecurity behavior." Indeed, the ENISA report found that many of these models ignored the context in which cybersecurity behaviors occur, and that there was evidence that models which enabled "appropriate cybersecurity behavior" had more effect than those relying on threat-awareness training or punishment as drivers of more secure conduct. This was what spurred Professor Sasse to start the new initiative. "Investment in technical security measures continues to dominate the way in which CISOs attempt to manage cyber risks," Professor Sasse said, "whilst employees suffer as their productivity is hindered by limiting solutions, meaning they often circumvent security so that they can do their jobs. This framework is the perfect opportunity to right these wrongs."

OutThink human risk framework project buy-in from Vodafone Group and Centrica

Amongst those who have already expressed an interest in the OutThink project is Imogen Verret, head of security awareness at Vodafone Group. "For me, security awareness training is only the starting point," she said, adding, "I'm keen to work on the project with OutThink and other security practitioners to design a solution that works for both the business and the employee."

Dexter Casey, group chief security officer at Centrica, has said that the job of a modern CISO is far from easy, which is something of an understatement. "We all know about 'people, process, tech’ being the three pillars of effective security," Casey said, "and make significant investment to address processes and technology, but there's a serious gap when it comes to sensible guidance on the people side of security." Casey is hopeful that the framework being discussed can provide "realistic, actionable, practical advice for CISOs so that they can solve one of their biggest problems."

Is a separate human risk framework needed?

I contacted another academic, Daniel Dresner, who is an acquaintance of mine and professor of cybersecurity at the University of Manchester. Professor Dresner says that when he hears that title, a "comprehensive framework for the management of human risk," it sounds like another worthy attempt to deal with the challenge of cybersecurity. That it is a separate framework concerns him, though. Professor Dresner says we will continue to fail to properly address security risk because "we should adopt the attitude that there is no such thing as human error, it is just people being human," adding that "mantras of 'weakest link' and then 'strongest asset' have held us back from considering technology and people at the same time." In an email conversation, Professor Dresner said that as soon as mention of the people side of security is made, "the tired and restrictive practice of denying technology as a solution is rolled out to protect the polarization like the courtiers' fear in 'The Emperor's New Clothes.'" Therefore, Professor Dresner says, the important basics of the UK National Cyber Security Centre (NCSC) Cyber Essentials, designed to help protect organizations from cyber-attack, are "sacrificed on the altar of too-simple." If considered properly, he says, "you realize that the protection they afford is proportionate, and they are not that simple when scaled up. They are," Professor Dresner concludes, "as simple as possible, but no simpler."

Ian Thornton-Trump, CISO at Cyjax, is also somewhat "pessimistic about frameworks to begin with," he says, "as anyone with a background in the National Institute of Standards and Technology (NIST) cybersecurity framework can understand it's a gargantuan task to audit, let alone implement, without substantial effort and investment across the organization." Apart, that is, from a framework which Thornton-Trump says already exists: "employee morale and organizational stress." It's low morale and stress that cause mistakes or security issues related to insider behavior, Thornton-Trump says. "I wonder how many S3 buckets were made public due to mistakes by IT resources that were under stress and of low morale?" Perhaps folk just need to be better managers and champions of change, he concludes.

One experienced CISO, founder of NSC42 and chair of the Cloud Security Alliance UK chapter, Francesco Cipollone, is more enthusiastic about the opportunity the OutThink project could provide. "The NIST cybersecurity framework is being widely adopted in enterprises and SMBs," Cipollone says. While organizations have initially been focusing on NIST’s pillars of identify and protect, "now there is increasing attention on the other two pillars of detect and respond," he says. So, the NIST framework provides guidance on how to detect and respond to a generic attack while the framework proposed by OutThink can focus on human risk. "A holistic view and framework focused on the risks from humans, like the insider threat or misconfiguration issues, is very much needed," Cipollone says. "The recent focus of malicious actors on social engineering in conjunction with open-source intelligence (OSINT) techniques to target the human aspect of an organization, traditionally the weakest link," he concludes, "makes this framework even more valuable."

Collaborators sought to make the OutThink project a success, here’s how to get in touch

Professor Sasse is being joined by Dr. Shorful Islam, OutThink's chief product and data officer, who has a Ph.D. in psychology and deep expertise in modeling human behavior. Both know that more collaborators are needed for the project to succeed. "I am glad to have the buy-in of so many esteemed security professionals," Professor Sasse said, "it validates what we are trying to do and will ensure that the framework suits the needs of the CISO. I would invite anyone else that wants to get involved to get in touch."

If you are a CISO, security practitioner or researcher, and would like to join the project, then you can visit OutThink at booth 1647F at the RSA conference in San Francisco between February 24 and 28, or by email to hello@outthinkthreats.com
