Building the Human Firewall: Organization-Wide Strategies to Combat Socially Engineered Attacks
Within recent years, data breaches resulting from phishing attacks have increased substantially and are perhaps one of the most dangerous threats to commercial, governmental, and nonprofit organizations today. As phishing attacks evolve by becoming more customized and sophisticated, these organizations must develop strategies to not only train their members to detect and avoid these attacks on an individual basis but also better coordinate and motivate members to work together to combat these attacks. By building this “human firewall”, individuals are included as part of the solution when managing information technology security, rather than the problem where they are frequently considered the “weakest link”.
The following sections outline a stream of research related to organizational strategies, training interventions, incentives, and phishing susceptibility that contribute to the understanding and development of a human firewall.
Organizational Strategies
A series of interviews with top security officers at large organizations revealed that building a human firewall requires the implementation of bridging and buffering mechanisms through technical, physical, and relational channels to establish collaborations within and outside of the organization. Bridging refers to creating linkages, connections, or integration within these channels, whereas buffering refers to creating barriers, separation, or independence within these channels. Neither bridging nor buffering is inherently safer than the other, and the proper balance and implementation of each is necessary to protect organizations from socially engineered attacks.
Based on these interviews, a 10-step organizational strategy was developed to help organizations mitigate cyberattacks by utilizing their employees in a systematic way:
1. Gain top management support
2. Establish a security department outside of the IT function
3. Build situational awareness through training
4. Develop security super-users
5. Provide organization incentives to motivate bridging and buffering
6. Engage in bridging with other organizations
7. Engage deeply and believe in your people through bridging strategies
8. Change the nature of work to create bridges and buffers
9. Build organizational awareness through bridging of technical capabilities
10. Develop policies and procedures based on industry standards
Training Interventions
Although training individuals on security-related issues is often a challenging task, user security education remains an important line of defense against phishing attacks that should be used in conjunction with technological tools and mechanisms. Our research examines the effectiveness of training that incorporates both situation-specific training, where individuals are taught to apply specific rules or identify cues when evaluating emails, and mindfulness training, where individuals are taught to critically analyze and allot sufficient effort to processing their emails. Our research findings indicate the effectiveness of providing individuals with general video training about phishing, which resulted in a 44% reduction in the likelihood of clicking on links embedded in phishing emails. This effectiveness of training, however, is even greater when it is used in conjunction with leaderboards that incentivize individuals to identify and report phishing emails, resulting in a 64% reduction in the likelihood of clicking on links embedded in phishing emails.
Incentivizing Detection
Individuals who are left alone to make their own decisions may be most vulnerable to phishing attacks because of the lack of feedback or guidance they receive from others. Instead, creating environments in which individuals collectively work together can lead to quicker identification of phishing emails and dissemination of information. Utilizing concepts related to crowdsourcing, knowledge management systems, and gamification, our research examines the
effectiveness of leaderboards on influencing individuals’ ability to identify and motivation to report phishing messages to a centralized system, where they receive real-time information and feedback to aid in their decision making. Our findings indicate how providing incentives through reward/punishment points or public acknowledgement, as well as facilitating a collaborative versus competitive environment, influence individuals’ accuracy in identifying phishing emails, motivation to report phishing emails, likelihood on clicking on phishing links, and productivity in accomplishing on-going tasks.
Phishing Susceptibility
Phishers utilize various social engineering tactics to make their messages more convincing and ultimately persuade individuals to willingly provide their confidential information. Specifically, our findings indicate that individuals were more vulnerable to influence techniques that offered higher self-determination and less vulnerable to techniques requiring repeated interaction or fictitious shared experiences.
Our findings also indicate that some experiential and behavioral factors not only increase users’ susceptibility for complying with phishers’ requests for personal information but also increase their ability to detect phishing emails. Individuals who have low confidence in their ability to work with computers, little experience navigating the Internet, little knowledge of appropriate security policies, and/or less suspicion in others were most vulnerable to being deceived by phishing emails.
When receiving and interpreting potential phishing emails, individuals also engage in a three-stage process used for deception detection:
1. Appearance of emails – users attend to cues related to the legitimacy, content, and request of the emails
2. Activation of suspicion – suspicion in users is triggered by inconsistencies in the context in which the message is received, as well as by their personality traits and technical experience and awareness
3. Confirmation of suspicion – users confirm their suspicion by seeking confirmation from a third-party or individually investigating and gathering information
