Navigating the Human Factor in InfoSec: A Holistic Approach to GRC and Risk Management

If you think technology can solve your security problems, then you don’t understand the problems, and you don’t understand the technology.

This saying has been the mantra of the InfoSec community for decades, and as risk management, governance and compliance become ever more complex, the “Human Factor” remains a critical and often underestimated part of the puzzle.

You probably only have to look at your own organisation to realise that the nuances of access rights, compliance concerns, and the inherent sensitivity of employees about where they fit in the new digital ecosystem, can result in an internal control system where people can be both the weakest, and the strongest link.

In this article we’ll explore the “4P’s of Risk Management” and address the challenges posed by the human element. We’ll talk about the role of Governance, Risk, and Compliance (GRC) in enhancing security, and reveal how you can sustainably reduce risk by taking these “Human Factors” into consideration.

The 4P’s of Risk Management

Risk management encompasses People, Places, Processes, and Predictive measures. While technology and processes play a pivotal role, it is the human element that often becomes the weakest link in the security chain. Employees’ fear of being denied access to information or feeling excluded due to disparate access rights can introduce vulnerabilities. So, a comprehensive and effective approach to risk management must acknowledge and address the intricacies of human behaviour in the workplace.

The Accidental Insider

There is much research to suggest that people contribute significantly to security breaches and fraud within organisations.

A 2022 study by Stanford University Professor Jeff Hancock and security firm Tessian reveals that a hefty 88% of data breach incidents are caused by employee mistakes. And the 2023 IBM Cyber Security Intelligence Index  puts that number even higher, at a staggering 95%.

These statistics underscore the need for organisations to understand the human risk factors in their cyber security systems, so that they can take action to mitigate these risks with additional training, oversight, or intervention with the aid of GRC tools and software.

So, let’s look at some of the key vulnerabilities.

Social Engineering: Hacking Human Emotions

At the core of social engineering fraud lies the manipulation of individuals into divulging confidential information. Unlike traditional hacking methods where digital systems are targeted and ‘broken into’ by force, social engineering fraud exploits human emotions – trust, fear, greed, and the need for urgent action. The impact remains significant with about 6 in 10 breaches across Europe, Middle East, and Africa beginning with social engineering scams.

The common types of social engineering scams to look out for are:

• Impersonation: Pretending to be someone else, usually trusted, to fool and exploit victims through various channels.
• Phishing: Sending fake emails or messages to get sensitive information or make victims click on harmful links.
• Spear phishing: Phishing specific individuals or organisations with personalised and researched messages.
• Baiting: Offering something attractive, like a free download, to covertly gain personal information or system access.
• Spoofing: Changing information or data to hide the real source and make the communication seem legitimate.

Advancements in AI technology adds another, more sophisticated layer to the trouble-cake, as scammers can now create highly realistic voice, and even video clones. All they would need to convincingly mimic your CFO in a Teams call, would be a few minutes of video from a recent keynote address. For further reading on that topic, this article details some of the ways scammers are using AI, and the psychological manipulation methods that get them results. These include:

• Trust and authority exploitation – scammers impersonate trusted contacts or persons of authority to coerce victims into compliance.
• Urgency and fear tactics – victims get sucked into a fake scenario that evokes strong emotions – such as potential financial loss or being in trouble with the law.
• Psychological manipulation through NLP – Natural Language Programming and freely available generative AI tools allow scammers to compose tailored messages that are highly persuasive ‘by design’.

Access Denied, Or Not

Access rights are another touchpoint to be aware of in risk management. These are the permissions or privileges that users have in order to access, modify, or delete information and resources on a system or network. They are essential for ensuring the confidentiality, integrity, and availability of information and its underlying infrastructure.

However, access rights also pose a significant risk of human error, negligence, or malicious intent that can compromise the security of information and systems. Some of the common human factors that can lead to access rights violations are:

• Lack of awareness or training: Users may not be aware of the security policies and procedures that govern their access rights, or they may not receive adequate training on how to use them properly and securely. This can result in unintentional mistakes, such as using weak passwords, sharing credentials, clicking on phishing links, or downloading malicious attachments.
• Lack of compliance or enforcement: Users may not follow the security policies and procedures that regulate their access rights, or they may not face any consequences for violating them. This can result in intentional or unintentional misuse, such as accessing unauthorised or sensitive information, modifying, or deleting data, or granting access to others without authorisation.

Lack of monitoring or auditing: Users may not be monitored or audited for their access rights activities, or they may not be held accountable for their actions. This can result in undetected or unreported breaches, such as data leaks, theft, or sabotage, or insider attacks, such as espionage, fraud, or sabotage.

These factors can be addressed by implementing a combination of technical, organisational, and educational measures that can prevent, detect, and respond to access rights violations, as well as protect the human rights of users and others affected by cyber security incidents.

Compliance by Complicity

Compliance by complicity is an element of risk that can be hard to spot, as it describes the act of outsourcing critical tasks with sensitive information to third-parties, who may not have the same level of accountability, transparency or ethical standards as your organisation. The use of public AI tools, like ChatGPT, add weight to this area of risk as workers have been found to input sensitive text on the platforms, which then become part of the Large Language Model’s available training data. Samsung is the latest in a long line of international corporations now banning staff from using these tools at work.

The Problem of Fraud

Of course, humans don’t only do bad things by accident. When designing a holistic GRC approach, the risk of fraud must be considered. Combatting the environmental factors that have been shown to increase a persons’ likelihood to commit fraud is a good place to start. Some of these are:

• When they believe they will not be caught or punished
• When they are under pressure to meet performance targets or deadlines
• When they have access to sensitive or confidential information or assets
• When they perceive a lack of fairness or transparency in the organisation
• When they are influenced by peers or external parties who are involved in fraud

The ‘people problem’ in this context is not limited to a certain sub-set of workers within the company hierarchy. According to the Association of Certified Fraud Examiners (ACFE), management constitutes the largest portion of employees who commit fraud, accounting for 39% of cases with a median loss of $125,000. Employees, on the other hand, commit 37% of fraud, leading to a median loss of $50,000.

The 2020 Global Fraud Study by the Association of Certified Fraud Examiners (ACFE) found that a typical organisation loses 5% of its annual revenue to fraud, which translates to potential global loses of almost $3-trillion. However, this figure may not reflect the impact of the COVID-19 pandemic and the resulting emerging fraud trends.

Post-Pandemic Risk

The future projections of employee fraud are not very optimistic, as fraudsters are expected to exploit the economic and social challenges caused by the COVID-19 pandemic and the resulting changes in consumer and business behaviour. Some of the emerging fraud trends to be aware of in 2024 are:

• Fake texts from the boss: Fraudsters will impersonate employers or managers and send text messages to employees, asking them to buy gift cards or make payments on their behalf.
• Frankenstein shoppers and social media shopping fraud: Fraudsters will use synthetic identities or stolen credentials to create fake online shopper profiles and make fraudulent purchases on e-commerce platforms or social media sites.
• Authorized push payment (APP) scams: Fraudsters will use various social engineering techniques, such as phishing, vishing, or spoofing, to trick victims into sending money or personal information to fraudulent accounts or platforms.

Building a Robust Framework for Governance Risk and Compliance

But we can’t place all the responsibility for cyber security failure on the shoulders of the people using the technology. Yes, people should be made aware of the risks and given extra training to help them avoid trouble. But you can’t expect all your workers to be cyber security experts, in much the same as you don’t need a pilot’s license to travel by air.

Renowned security expert Bruce Schneider has said “A lot of user education covers for bad security design.”

A paper on ResearchGate emphasises the critical role of human factors in information security systems and proposes a framework to understand and address the “people problem” in the context of security. Despite advanced technological solutions, the authors argue that human factors remain the Achilles heel of information security. They advocate for a collaborative approach with companies or organisations to collect case studies, providing valuable insights into the dynamics of human behaviour and its impact on security.

GRC and Its Role in Security

Governance, Risk, and Compliance (GRC) play a pivotal role in fortifying information security against human-related risks. GRC encompasses a strategic framework that integrates governance, risk management, and compliance activities. This holistic approach ensures that organisations not only comply with regulations but also align their strategies with overall business objectives. GRC acts as a guide in establishing internal control systems that mitigate risks associated with the human factor.

The intersection of Information Technology (IT) and GRC gives rise to IT GRC, which involves managing IT-related risks within the broader GRC framework. IT GRC ensures that technology aligns with business objectives, complies with regulations, and effectively manages risks associated with human factors in information security. By integrating IT into GRC, organisations can achieve a seamless alignment of technology, governance, and risk management.

GRC Tools and Software: Enabling Comprehensive Security

To effectively manage the human element in information security, organisations can leverage GRC tools and software. These tools automate and streamline GRC processes, providing a centralised platform for monitoring, assessing, and responding to risks. GRC tools include features that allow organisations to track compliance, assess vulnerabilities, and manage incidents related to the human factor. Implementing GRC tools and software is crucial for maintaining proactive security measures in the face of evolving threats.

Key Takeaways and Future Perspectives

• The Human Factor is a fundamental aspect of information security, influencing access rights, compliance, and risk management.
• Employee mistakes and social engineering fraud are significant contributors to data breaches, emphasising the need for robust training and monitoring programs.
• A holistic approach to risk management should include a focus on understanding and addressing human factors.
• GRC, including GRC security and cyber security, plays a crucial role in fortifying information security against human-related risks.
• IT GRC integrates information technology into the broader GRC framework, ensuring seamless alignment of technology, governance, and risk management.
• GRC tools and software enable organisations to comprehensively manage the human element in information security.

It’s fair to say that navigating the intricacies of cyber security is not about to start getting easier. It’s therefore crucial to recognise the pivotal role played by the “Human Factor.” By acknowledging, understanding, and addressing the complexities of human behaviour, organisations can build robust frameworks that enhance security, reduce risks, and foster a culture of awareness and responsibility. After all, in the ever-evolving landscape of digital business, humans remain both the weakest, and the strongest link.

Do you know how the internal control system is implemented in your company and which factors are central to this?
Talk to us about it: We are long-standing, tried-and-tested experts not only for conceptualisation, but also for implementation.

I look forward to hearing from you

Priska Altorfer, Managing Partner wikima4 AG