Security Awareness Blog

The Top Seven Human Risks - Initial Findings

Some of you may be familiar with the Critical Security Controls, a consortium of the security community working to identify the top risks to organizations and the controls that mitigate them. One of the top controls (CC #9) addresses the human element. The challenge is that this control simply identifies awareness as important; it does not say which human risks awareness should address. As such, a sub-set of this consortium, including CMU, Mandiant, Virginia Tech and MITRE, came together to help identify the top human risks. Our findings are very preliminary and we are looking for more data; however, I wanted to share with you what we have learned so far. I will be discussing these top human risks in my presentation at RSA next Wednesday at 1:00pm.

These are the top human risks that most of the organizations involved shared. Not all risks apply to all organizations. Also, these are NOT listed in any order of priority. My own personal comments follow each risk.

  • Lack of Situational Awareness: One of the top risks is people simply not realizing they are a target, and thus not engaging in any security program or changing their behaviors as a result. For higher-profile targets there is also the challenge of making people aware of APT. Another common misconception is that because organizations have security teams and security technology in place, employees do not have to practice secure behaviors, since technology will prevent all attacks.
  • Phishability: No surprise here; just about every organization involved identified phishing as one of the top human risks. Keep in mind that phishing does not apply just to email but also to messaging (Skype, Facebook Messenger, etc.).
  • Password Reuse: BIG surprise here. I assumed passwords would make the list, but because passwords were not complex enough. Not the case: the problem is not so much complexity as people re-using passwords across multiple accounts, including across both work and personal accounts. Once the bad guys have one of your passwords, they have free rein within the organization. Also, we are starting to see that complexity matters less than password length; think passphrases.
  • Using Unpatched / Poorly Configured Devices (BYOD): Systems and devices that are not secured or patched. You would be surprised at how many people do not realize that to keep their systems secure they must keep them updated. While not just a BYOD problem, it is amplified as more BYOD is introduced into organizations.
  • Indiscriminate Use of Mobile Media: This is especially true for organizations that depend on physical air gaps to protect them. Can we say Energy/Utility/ICS space, anyone?
  • Data Leakage via Social Networking: The issue here was not so much sensitive information about organizations being leaked (though it does happen) but people NOT realizing that all the tidbits of personal data they release are used to build complete pictures of them, which advanced threats then exploit.
  • Accidental Disclosure / Loss: People losing laptops, having mobile devices stolen, or accidentally emailing sensitive data to the wrong person (auto-complete in email, anyone?). We often forget the fact that many incidents are not caused by malicious intent, but by good old-fashioned mistakes.



Posted February 21, 2013 at 5:10 PM


"One of the top risks is people simply not realizing they are not a target"
Should that read "realizing that they are a target"?

Posted February 21, 2013 at 5:14 PM


Uggh! Great catch Neil! Beer/coffee on me if you are at RSA next week.

Posted February 21, 2013 at 5:22 PM


By all means relay that to any of my colleagues that are attending :] heyyyy jealousy

Posted March 5, 2013 at 4:25 PM

Mike Angelinovich

Several of your listed concerns can be addressed by removing the human element from the total login process via an automatic dynamic software token credential. A smart card or a USB token would also work, but they are cumbersome and expensive.

Posted November 6, 2013 at 7:43 PM

Biscuit Eater

The password aspect is the biggest problem for me. At last count, I have over 500 (seriously) unique logins and passwords. I simply cannot remember that many passwords, nor passphrases. Plus, some sites want me to change my password every 30-60 days, adding even more difficulty. Thus, I have an encrypted password file to track and store all of them.
I will be overjoyed when biometric usage becomes so widespread for devices that I can begin to decommission my password file.

Posted November 6, 2013 at 7:51 PM


I could not agree more about the problem of having so many passwords. This is why I (and many others) have migrated to password managers. We recently did an OUCH article on this very topic; check out the OCT edition of OUCH