Finding The Hidden InfoSec Story

People Hacking & Playtime

Some people are lucky enough to live somewhere quiet, maybe in a village, or at the end of a suburban cul-de-sac.  If so, their children may have the kind of freedom I enjoyed;

Riding bikes in the street, turning up unannounced and unaccompanied at this house or that, climbing trees, swinging on swings, building dens, making bows and arrows, playing conkers, acting out adventures as witches, wild things, policemen or princesses.  Just coming home to have knees plastered, to get fed, or to avoid getting grounded after being called for the 5th and final time.

Sounds Idyllic doesn’t it.  I’m sure most of you are reminiscing about a similar childhood.

I’m also willing to bet you are feeling sad and/or guilty that you can’t offer your kids the same chance to roam.

Can’t, or won’t? (Have my hands over my ears waiting for the outcry).

All Mums and Dads will have had conversations including phrases like this;

“It’s not like it was when we were young”

“There’s just more traffic about these days”

“I couldn’t live with myself if….”

“Did you see the news about that child walking home who…”

But, how do you unpick the real risk, the risk for your child, on your streets?

What physical dangers are out there in your neighbourhood? What type of neighbours do you have? How many strangers are about? How many of those strangers might be malicious and able to cause harm? How many cars go past more or less fast and furiously? What’s happening outside your control that can change the normal level of risk (a concert at the local park, road-works or exceptional weather conditions)?

In other words, how do you do a rational Threat and Risk Assessment (TRA)?

The answer? It’s a largely subjective and imperfect process. You could overlay what’s knowable with some kind of safety “score”, but most of your assessment relies on your relationship with your child, your local knowledge and the quality of supporting input from other folk who know the area.

This isn’t a million miles away from assessing risks associated with social media usage on corporate kit, deciding whether to let users bring their own devices, or your more general insider threat.

There are technical controls you can put in place to keep a lid some problems (enforced endpoint policies, attack detection tools and gateway controls). You might also have a superb handle on your existing network vulnerabilities and top notch insight into the true scale of external threats, BUT well-engineered technical & procedural controls are not the main part of the picture.

Bike helmets, warnings about strangers, weather forecasts and traffic lights don’t guarantee your kid’s safety.  It’s about how they choose to behave. Whether they use provided tools and knowledge to stay safe and whether your influence trumps temptation and social pressure when there’s a choice to be made.

Of course your users are NOT children.  They are an incredibly diverse bunch of skilled individuals with variable perceptions of security risks, controls and what constitutes acceptable behaviour, but very similar principles apply.

With your kids you have an obvious advantage. Best represented by how cowed they look when you whip out the big “I’m very disappointed in you” gun.  You can’t and don’t want to hold that kind of sway over employees, but most businesses haven’t even started to work out how to persuade staff to act in their best and most secure interests.  They just mandate computer based training and put up posters, largely ignoring things that can motivate potentially damaging behaviour.

To steal from Jenny Radcliffe* (a top UK expert on social engineering and associated psychology), there are four key things that make people vulnerable to negative influence;

  1. Fear – A powerful motivator to break rules. It might be a malicious outsider playing on their fears to acquire credentials, find out about security controls, or get hold of confidential data. On the other hand it might be someone in authority within the business wanting something done NOW.  Persuading a user to upload a confidential document to Dropbox or mail it to their Hotmail account, just to get the work done.
  2. Flattery – Who hasn’t broken the odd rule to get on? Conversations on-line or in person veer into dangerous territory as someone is groomed with compliments. Persuading them they are too important to let rules hobble their pursuit of a seductive goal.
  3. Greed – The carrots of acceptance, recognition or financial reward. Very few are immune.
  4. Time – A cunning way to get rules broken is to put someone under intense time pressure via email, phone or in person. Telling them about a credible hyper-urgent requirement and leaving them no time to properly consider implications or crystalize any lurking doubts.

But that’s not the end of your people vulnerability story. Other factors can be shaped into an equation something like this (not an attempt to be pompously pseudo-scientific, just shorthand for a lot of information):

(F+Fl+G+T) x (Y/C + D + I) = PHR

  • Y/C is the Gen Y attitude to social interaction and data disclosure divided by your Corporate requirements.
  • D is Dissatisfaction. This is the biggest problem you face and multiplies all other motivators to behave inappropriately. It makes active social media users ever more likely to leverage e-mechanisms to either accidentally or intentionally share something damaging to the company and/or useful to cyber criminals.
  • I is Ignorance – Management ignorance about insider threats and how to deal with them and staff ignorance about the ways they are vulnerable and how their vulnerabilities can be exploited.
  • Multiplied by staff susceptibility to Fear, Flattery, Greed and Time pressure this adds up to your People Hacking Risk.

In this the childhood analogy very much applies.  Children learn medium and long term implications of their actions in small increments, through experience.  Children, when angry or upset, are incredibly vulnerable to manipulation, because their ability to control their emotions, to pause and think things through, matures as they do.

Your users already have those life skills to deal with flesh and blood interactions, but the world of social media replaces a layer of detachment from consequences and few are aware of all the varied ways criminals can exploit apparently innocuous data and commonplace online behaviours (e.g. embedding malicious code in attractive images, or redirecting to spoofed sites via popular and valid looking links).

Everyone knows a sensational post, tweet or email can spread virally in minutes and criminals globally take note.  Either that, or a determined attacker will seek out people who are showing signs of anger or upset (there are even data analytics tools that can help do that on a large scale), before grooming them to share the information they need to cause you some real damage.

So what do you do about it?

No-one can prevent all accidents and mistakes. As Jenny so rightly and bluntly says;

“There’s no patch for stupidity

Don’t bristle. I, like most people, have done some truly daft things in my time.  Occasionally they led to quite significant fallout. In most cases my mistakes were quite creative and relatively dumb technical controls were about as much use as a chocolate fireguard in predicting how I’d mess up and stopping the immediate fallout.

So you can’t stop things going wrong, but you can reduce the likelihood of big screw ups (even the ‘what have I got to lose’ disasters, when a dangerously upset staff member decides vent their spleen, either very publicly, or to just the wrong person).

Here’s another equation for you.  Just my own take on various well known people and risk management principles;

(K+R+T+I+In) – (TA+OA/L) = MPH

  • Knowledge – Realistically assessing your people hacking risk and staff knowledge gap. Arming users to spot potential problems and understand the implications of device and internet usage, both for them and the company. The vast majority of your normally loyal staff, folk who are a million miles from stupid, can be quickly educated to spot manipulation and recognise the symptoms of an on-line, or person to person scam (I estimate about 80% of my impactful mistakes wouldn’t have happened if I had received more training). However, that training won’t sink in (or be remembered when needed) if it’s not engaging, interactive, relevant to their experience with technology and/or creatively tied back to other things they care about.
  • Recognition – Living the “we value every employee” message in ways that mean something to individuals, be that investment in training, development, a well-deserved bonus or a simple ‘thank you’ for work well done.
  • Trust – Something that can bleed away very quickly if times are lean and deadlines are tight. Great businesses enable staff to get jobs done, really listen when they challenge existing plans or processes, then trust them to get on with it.
  • Involvement – People need to know that their contribution counts, that they are making some kind of difference. That sense of being part of something bigger and resulting shared interest in good outcomes is vital.  It’s hard for employees to truly understand how they contribute to high level corporate objectives. That involvement needs to devolve down to teams, with visible understandable links between company goals and day jobs.
  • Integrity – This is the one you can’t control. If you have recruited well, you should not have any criminals on your staff.  Beyond that, just like with your kids, you trust in the relationship you have built to encourage them to use shared values and knowledge.
  • Targeted Attacks plus Opportunistic Attacks divided by Likelihood – It is the targeted attacks which really put the onus on your people to close the door on criminals, because they are the hardest to detect and stop using technical controls. However, almost all attempted exploits, random or otherwise, need a person to help them succeed. Most people don’t analyse incident root causes well enough to provide robust statistics, but professionals I’ve talked to find it hard to argue with this;

99% of successful breaches would not be possible without an individual with inside knowledge providing some kind of access, information and/or co-operation to criminals.

When it comes to the Likelihood of attacks, market threat intelligence will help, but you need to put that in the context of your business. How attractive are you to cyber terrorists, activists, fraudsters and data thieves. How bad is the security knowledge gap and how dissatisfied are staff?

These are your tools to Mitigate People Hacking and the things influencing their effectiveness

I’d bet my house that you don’t invest as much time and commitment in assessing your insider threats and delivering security training, as you do in educating your children about dangers and ways to avoid them. Why would you?  But, depending on the value you place on data and system security, are you treating it seriously enough?

As a parent you are hard wired to worry you did a good job raising your kids, but educated to know you must allow them ever increasing independence, to lay the groundwork for any kind of long-term relationship. You just have to have trust in the respect you share and hope they listened to advice about road safety, stranger danger and where they can and can’t go.

In the same way you have to have faith in your staff. Let them bring their virtual personal life into work and take their professional persona into the social media-verse. If you chicken out on doing that, they may be hard to retain.

It is your job to understand that dynamic, equip your users with the right knowledge to make good choices and damp down your pre-social media generational fear of the digital unknown.

If you handle this well, you can benefit from a mutual interest in a good, secure and profitable outcome and begin to leverage the fantastic reach of their creative virtual communities.

*If you want to know more about Jenny Radcliffe and her insights into Social Engineering and People Hacking, her business partner ( can put you in touch and point you to online training and other resources.

Author: Sarah Clarke

Share This Post On