Magazine article Risk Management

Engineering Human Security

Article excerpt

Corporate IT environments are vulnerable to a wide range of cyber-threats. Those in charge of information security have therefore had to invest significant resources into the implementation of diverse technologies designed to protect both data and IT infrastructure from those threats. All of these investments can serve an important role in safeguarding today's highly IT-dependent enterprise, but by themselves they are inadequate. In fact, over-reliance on security technology can actually put an organization at risk, because such a large percentage of information security breaches are the result of faulty human behaviors rather than hardware or software vulnerabilities.

So, while information security managers must certainly use technology to prevent malicious intruders or internal users from hacking their way into sensitive systems, they must also act aggressively to ensure that company employees do not unwittingly compromise sensitive data by simply handing them a key or opening a door.

Examples of so-called "social engineering"--taking advantage of a person's naivete or goodwill--abound. One classic example is that of someone who was able to get full access to a bank's network by posing as a copier repair technician. In another instance, an employee of a state university sent a list of students (including their social security numbers) to someone posing as a legitimate recipient. There are also many cases where companies or individuals have left laptops unattended or shipped backup tapes in a non-secure way, enabling thieves to walk away with media containing thousands of individuals' personal information.

E-mail poses a particularly problematic vulnerability. People use e-mail all day, and in their haste they often fail to think as they open and reply to messages. As a result, they can easily open the wrong kind of attachment or reply with information that can assist a criminal's efforts.
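The two e-mail failure modes above (opening a disguised attachment, and replying with data such as the student list with social security numbers from the earlier example) are exactly the kind of lapse a technical control can catch before a hurried person does. The following is an added example written for this excerpt, not code from the article or its author: it parses a constructed inbound message with a double-extension attachment and a constructed outbound reply containing SSN-formatted values, and flags both. The extension list, the sample addresses and the messages themselves are assumptions for illustration.

```python
"""Defender-side e-mail triage: flag risky attachments and sensitive data in replies."""
import os
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# US social security numbers written as NNN-NN-NNNN (the format in the university example).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Attachment types that execute when opened. Assumed list; tune to local policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk"}

# Constructed outbound reply: a staff member answering a "records request" with raw student data.
SAMPLE_OUTBOUND = """\
From: registrar@example.edu
To: records-request@example.net
Subject: Re: student list request
Content-Type: text/plain; charset="utf-8"

As requested, here are the records:
Jane Doe, 123-45-6789
John Roe, 987-65-4321
"""


def build_inbound_sample() -> EmailMessage:
    """Constructed inbound message carrying an executable disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "copier-support@example.org"
    msg["To"] = "staff@example.edu"
    msg["Subject"] = "Invoice for recent service"
    msg.set_content("Please open the attached invoice.")
    # Fake payload bytes; only the filename matters for this check.
    msg.add_attachment(b"MZ-not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg


def parse_message(raw: str) -> EmailMessage:
    """Parse raw RFC 5322 text into an EmailMessage using the modern default policy."""
    return message_from_string(raw, policy=default)


def sensitive_data_hits(msg: EmailMessage) -> list[str]:
    """Return SSN-formatted strings found in the plain-text body (a minimal DLP check)."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return SSN_RE.findall(text)


def risky_attachments(msg: EmailMessage) -> list[str]:
    """Return attachment names that are executable types or use a double extension."""
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        root, ext = os.path.splitext(name.lower())
        # A second extension in the root (e.g. 'invoice.pdf' before '.exe') is the
        # classic disguise; this also flags benign names like 'my.notes.txt', which
        # is an acceptable false positive for a human-review queue.
        double_ext = bool(os.path.splitext(root)[1])
        if ext in RISKY_EXTENSIONS or double_ext:
            flagged.append(name)
    return flagged


def triage(msg: EmailMessage) -> dict:
    """Combine both checks into one findings record for a mail gateway or review queue."""
    return {
        "ssn_hits": sensitive_data_hits(msg),
        "risky_attachments": risky_attachments(msg),
    }


if __name__ == "__main__":
    print("outbound:", triage(parse_message(SAMPLE_OUTBOUND)))
    print("inbound: ", triage(build_inbound_sample()))
```

The point of the pairing is that the same small gateway check covers both directions: an outbound reply that leaks identifiers gets held for review, and an inbound attachment whose name is built to fool a hurried reader never reaches the inbox unflagged.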

All of these examples highlight the importance of addressing the human factors associated with information risk. Organizations that fail to take these human factors seriously will remain vulnerable to loss--as well as to the regulatory consequences that often accompany such losses--despite their typically significant investments in security technology. …
