The Next Frontier: Cyber & The Case for Compliance Education to Mitigate Risky Behavior

Cybersecurity: The Next Public Health Epidemic (Updated)

Cyber What?

That is the response from most as I share my latest MLAW course. Most just look at me and nod; others smile and wave, a la the Madagascar penguins. But what is cybersecurity? Why is it the next epidemic? Why should you care? Given the data mishaps of late, along with what we have now learned about Equifax, everyone should prioritize compliance as a measure of organizational health.

Education: the Universal Language of Awareness

Before delving into the latest ransomware attack, the importance of a proper cyber-security protocol must be established and understood within the larger context of cyber-terrorism, including the motivations behind it. One way to examine cybersecurity is through a public health lens, as it relates to violence. Per the CDC, there are 4 basic steps to violence prevention: “Define & Monitor the Problem, Identify Risk & Protective Factors, Develop & Test Prevention Strategies, & Assure Widespread Adoption.” These same steps can easily be applied to an organization’s cyber health, including its vulnerability to cyber attacks and its culture of compliance.

The first step on the journey to compliance is education and awareness. Comprehensive education on the prevalence, vectors, and risks, coordinated with the best preventative practices, creates a foundation on which value can be established; widespread adoption and compliance then follow.

The cyber world is difficult for most people to conceptualize, much less analyze. Its abstract nature allows myths about cybersecurity to spread like the hottest Hollywood gossip. Yet without appropriate education and compliance assurance, the potential damage to an organization is effectively unbounded. This risk could easily ruin any organization, regardless of size, as we have seen from the myriad data breaches. The World’s Biggest Data Breaches & Hacks infographic (Information is Beautiful, listed in the resources below) is interactive and can be sorted by sensitivity of information and mechanism of the breach.

Conceptualizing the power of the cyber realm is difficult. The video BRAIN POWER: From Neurons to Networks (listed in the resources below) demonstrates the connectivity and evolution of the Internet and then compares it to the developing brain. Video taken from: Tiffany Shlain, Let It Ripple.

Assess Current Understanding & Mitigate

It sounds simple enough. Before you begin to educate, you must take the temperature and assess both readiness and current knowledge. The first step in any education program is to conduct an inventory and identify misunderstandings, then map out a plan to address the knowledge deficits. In education we call it a pretest; in corporate America, it is called a risk assessment.

Risky Business

One issue in any technology compliance initiative is changing the superstitious beliefs of users. Even well-meaning users may not see their own risky behaviors. Misinformation, myths, and irrational beliefs, built on the heuristics of random and negative experiences, only reinforce the superstitious user’s beliefs, much as in B.F. Skinner’s pigeon experiments, where odd rituals were inadvertently reinforced.

Henriquez’s article 10 Habits of Superstitious Users humorously personifies some key ‘risky users’ who must be remediated. Along the same lines, here is a video that also sheds light on computer literacy; these are behaviors that most people have committed without realizing the irrationality thereof. I practiced a few myself, until taking this MLAW Cybersecurity course.

Another light-hearted look at user behaviors is Teaching Computers to Parents by Foil Arms and Hog (1:00), which references the Nigerian Prince scam and phishing.

Below are excerpts from Henriquez’s article 10 Habits of Superstitious Users:

For some users, the computer is unfathomable — leading them to make bizarre assumptions about technology and the effect of their own actions.

As a former kindergarten teacher, I have renamed these risky behaviors as characters in a storybook, both to highlight their irrational nature and to illustrate some of the key misnomers through humor.

1. The Magical Thinker of Unicorn-Topia:

Sometimes these users have ritualistic tendencies, such as holding down a series of buttons or casting a spell of phrases. The danger is that a user who feels the computer is magical is less likely to take precautions, which erodes the sense of urgency and legitimacy around cybersecurity.

…the users who have memorized the formula for getting the computer to do what they want but have no clue how it works. As in magic, as long as you get the incantation exactly right, the result “just happens.”

The unforgiving nature of computer commands tends to feed this belief. The user whose long-running struggle to connect to the Web is resolved by, “Oh, here’s your problem, you left out the colon…” is a prime candidate to develop this superstition.

2. The Jack Hammer, Button Slammer

They treat the computer like a recalcitrant child who just isn’t paying attention or doesn’t believe they really mean it.

Users may get the impression that this superstition is justified because the computer sometimes does seem to be ignoring them.

Users forget that computers are not alive but are highly complicated pieces of machinery. They think that if the computer is running you should never restart it, as this may ‘break’ the computer further. These users also tend to be impatient: if you are supposed to click once, then clicking 10 times is equally acceptable, because the computer was ‘not listening.’

Most updates require a system restart, or at the least closing a program, but these users do not like to rock the boat, so they behave like an ostrich and do nothing until the computer becomes unresponsive, perhaps because a restart is pending; then they go full Woody Woodpecker.

3. The Cult-Type Loyal Pop-Up Follower, AKA “But It Made Me”:

This user fails to recognize that the modern computer is more like television than the Delphic oracle. Even the most credulous people recognize that not everything they see on television is true, but some users think the computer is different.

“There’s something wrong with the company server.” “What makes you think that?” “Because when I try to log in, it says server not found.” …

“Why did you click on that pop-up?” “It said I had a virus and that I had to.”

Clicking without thinking, or clicking simply because the computer popped up a box telling you to, is one of the main mechanisms of phishing scams. Sometimes referred to as clickbait, these scams are only becoming more elaborate.

Through phishing and its derivatives, such as spear phishing, bad actors have gleaned valuable data while spoofing domains and CEOs. An easy way to address this is a ‘stop and think before you click’ campaign, in the spirit of the fire-prevention lessons (‘stop, drop, and roll’) that all children receive every October; see Cyber MO. Another tool that offers on-the-spot remediation for this type of user is infosec.com.

4. The Bipolar Binary

Some users not only personify computers but also believe that a machine, which responds only in 1s and 0s, is actively trying to thwart their productivity at every turn. This user describes the computer as possessed or moody, and Henriquez cites

“… in all honesty, ‘The computer hates me,’ and will give you a long list of experiences supporting their conclusion,

or the one who refuses to use a computer or printer that had a problem earlier but which you have now fixed. No, no, it failed before and the user is not going to forget it.”

They’re surprised when things they’ve done don’t seem to “stick,” as in “I changed my email address; why does it keep using my old one?”

“Did you change it everywhere?” “… Huh?” or

“My new car always knows where I am, how come I have to tell Google Maps where I live?” or the ever-popular

“You mean when you open up my documents you see something different?”

5. The Worry Wart With Update Avoidance

“Exercising caution when it comes to upgrades is a good idea. But some users go well beyond that, into the realm of the irrational.

It may take only one or two bad experiences. In particular, if an upgrade causes problems that don’t seem to be related to the upgrade itself, this can lead to a superstitious fear of change because it confirms their belief that they have no idea how the computer really works —

and therefore no chance of correctly judging whether an upgrade is worth it or just asking for trouble. Better to stay away from any change at all…”

Users in this camp are fearful they may break the machine by upgrading applications. They may also have been victims of a phishing scam early on, or know of someone’s cousin who installed an ‘update’ and ‘destroyed’ the hard drive. What they fail to understand is that the ‘update’ they installed was not an update at all, but a scam. This is a critical teachable moment, and it further illustrates the mantra: when in doubt, ask IT.

The severity of this issue is highlighted by the Equifax data breach. Patch compliance is imperative, and yet the mere word ‘patch’ seems to signal an option, a critical misunderstanding that must be quashed. Given that the Equifax breach was caused by a failure to apply a required patch, it can serve as the case in chief for why this fundamental flaw must be addressed through education, as discussed below.

Case in Point: Equal Lessons & Equifax Breach One Year Later

According to a recent article in the Chicago Tribune, a lawsuit filed in Atlanta, the corporate headquarters of Equifax, consolidates complaints from all states. This is an important development, since state statutes on Personally Identifiable Information (PII) and breach vary. The suit joins both federal and state claims in one class action, a 323-page filing. The breach impacted 145.5 million Americans, some 2.5 million fewer than previously cited.

The lessons learned from Equifax still reverberate since the train wreck of a Congressional hearing exposed even more negligence than previously thought. While the timeline was fluid, the CEO did not even grasp that PII was a concern, some of the data was not even encrypted, and then there is the whole John Kelly issue of stock sales in early August, after the newly discovered early warnings.

The coup de grâce, though, is that pesky patch: a combination of ‘human error’ and a ‘scanning vulnerability.’ The surrounding issues can be seen in the videos below, or on C-SPAN if you enjoy it.

Senator Warren’s tenacity is admirable here, where she points out that the breach may actually fuel the business models of both LifeLock and Equifax.

The Equifax data breach, caused by a failure to apply a required patch, can drive this crucial concept home. Is it too much to hope that the company will not profit from this breach?

According to the Chicago Tribune, however, a filing with the Securities and Exchange Commission in early May offered the most detailed picture to date, disclosing not only the number of customers affected but the types of data.

Beyond the information that was stored in those databases, Equifax said the hackers accessed thousands of images of official documents — such as government-issued IDs — that consumers had uploaded to the company to prove their identity. Photos of as many as 38,000 driver’s licenses and 12,000 Social Security or taxpayer ID cards were accessed, according to the SEC filing. More than 3,000 passports were also accessed, the company said.

As explored in Cyber MO, any initiative or cultural change needs buy-in through education; once the value is established, compliance will in turn increase because it becomes a given, a basic expectation in a proactive, risk-mitigation culture. In other words, most employees did not wake up on the Friday of WannaCry and say, “Well, today our cybersecurity will be tested, so I need to make sure I backed up and encrypted those uber-important files and the PII/PMI of clients.”

Most also had not even considered whether the umpteenth security patch released had been applied appropriately. And yet it is this accumulation of behaviors and culture that offered an engraved invitation to malware. While it can be one solitary act, it is more likely that the culmination of a lax compliance culture is the portal of entry for cyber crime.

Darker Side: Enter Terrorism & Driving the Value of Preventative Education

Just as there are behaviors attributable to a lack of compliance and rooted in illogical thought patterns, so too are the motivations of the bad actors or cyber-terrorists who commit the crime. Below is a brief explanation of the types of cyber-terrorists that perpetrate these malware attacks.

Cyber Terror & Motives

The cybersecurity war can only be fought with comprehensive compliance initiatives grounded in both efficacy and sound policy surrounding risk analysis. Countering the miseducation outlined above gains traction when it is paired with education on the prevalence of terror. According to Marjie Britz, renowned cybersecurity expert and author of Computer Forensics and Cybercrime: An Introduction, terrorists are motivated by a strong desire to invoke fear, chaos, or massive disruption in a population. However, despite the longevity of the term, there have been multiple definitions throughout history, and little clarity has evolved.

The word terrorist traces back to before the French Revolution. Yet there is no all-encompassing definition; rather, there are many nuances. As the etymology suggests, terror or fear is inherent in the terrorist’s actions. Besides fear, the state of terrorism is precipitated by an unjustified, random, opportunistic, or symbolic event, which serves as a warning. If the mechanism is coercive, disruptive, or intimidating, it fits the rudimentary definition. The act itself is merely the message. The goal is the intense psychological manipulation and damage that ensue in the aftermath. There are several basic elements that comprise all acts of terror.

Each act has a transmitter, recipient, target, and message. The goal and motivation are the distinguishing subtleties. Yet it is important to understand that the message is not the goal; the goal is the impact on the audience that witnesses the ensuing carnage, and the lasting cycle of psychological terror and fear. Since the motivation is both willful and malicious, experts categorize terrorism by the motivation that drives the act of terror rather than by the act itself. Here are examples of terrorist categorization:

  • Individual: (Unabomber) Individually motivated terrorists act alone and have a general dysphoria with society at large. This motivation is characterized by a narcissistic view of the terrorist achieving fame and notoriety, or becoming the chosen one to ‘right the wrongs of society.’
  • Nationalistic: (Irish Republican Army) Nationalistically motivated terrorists share the vision of a collectively oppressed society rising up. These groups have greater longevity.
  • Political-Social: (Animal Farm) Political-social motivation is evidenced in Animal Farm, a satire depicting the rise of the Soviet leadership out of the Russian Revolution and the cycle of power. The political-social terrorist motivation predominantly concerns uprising against those in power.
  • Religious: (Jihad/ISIS) Religiously motivated terrorists are both the most prevalent and the most dangerous type. Like the individually motivated terrorist, they also believe they are chosen. However, unlike the former, the religiously motivated terrorist acts to become a martyr. They create their terror in the name of their leader, for the collective ‘good,’ and as an offering to their deity. One of our classmates added this article to the discussion, which I responded to and find deplorable; I cannot imagine being one of the 3000: ISIS-Linked Terrorists Target 3000 New Yorkers in Cyberattack. Thank you @Alfredo Classmate.
  • Environmental: (Animal Liberation Front) This group takes protecting nature to an extreme, using arson and other methods to disrupt those whom they feel are impeding environmental initiatives.

With so many motivations and compliance behaviors to manage, it is best that a culture of compliance be incentivized to protect all organizations and the precious data that resides within them. There is nothing more highly coveted in our information age than the data that drives our economy. The next article will examine the red herring of data breaches, Bitcoin, versus the true threat: complacency about compliance.

Resources Consulted:

10 habits of superstitious users. (2017). TechRepublic. Retrieved 30 May 2017, from https://www.techrepublic.com/blog/10-things/10-habits-of-superstitious-users/

BRAIN POWER: From Neurons to Networks. (2017). YouTube. Retrieved 30 May 2017, from https://www.youtube.com/watch?v=zLp-edwiGUU&t=577s&index=1&list=PLQ8Y_k5gEdWGkUjWNyvPMunNjAjs6fzkj

Former Equifax CEO Testifies Before Senate Banking Panel. (2017). C-SPAN.org. Retrieved 30 May 2018, from https://www.c-span.org/video/?434469-1/equifax-ceo-testifies-senate-banking-panel

Britz, M. Computer Forensics and Cyber Crime: An Introduction (3rd ed.). Retrieved 5 May 2017, from https://universalflowuniversity.com/Books/Computer%20Programming/Forensics%20and%20Surveillance/Computer%20Forensics%20and%20Cyber%20Crime_%20An%20Introduction%203rd%20Edition.pdf

Cases in Psychology: Superstition in the Pigeon (B.F. Skinner and Operant Conditioning). (2017). YouTube. Retrieved 30 May 2017, from https://www.youtube.com/watch?v=L-X45QLSjpA&feature=youtu.be&list=PLQ8Y_k5gEdWHx7QQcZE8mEv-weyTTu5xT

Chicago Tribune — 145 million Social Security numbers, 99 million addresses and more: Every type of personal data Equifax lost to hackers, by the numbers. (2018). Chicagotribune.com. Retrieved 30 May 2018, from http://www.chicagotribune.com/business/ct-biz-equifax-hack-data-20180508-story.html

Chicago Tribune — Equifax breach already taking a toll on consumers. (2018). Chicagotribune.com. Retrieved 30 May 2018, from http://www.chicagotribune.com/classified/realestate/ct-re-1126-kenneth-harney-20171120-story.html

Chicago Tribune — Former Equifax executive charged with insider trading before data breach made public. (2018). Chicagotribune.com. Retrieved 30 May 2018, from http://www.chicagotribune.com/business/ct-biz-equifax-insider-trading-data-breach-20180314-story.html

The Public Health Approach to Violence Prevention|Violence Prevention|Injury Center|CDC. (2017). Cdc.gov. Retrieved 30 May 2017, from https://www.cdc.gov/violenceprevention/overview/publichealthapproach.html

McCandless, D. (2017). World’s Biggest Data Breaches & Hacks — Information is Beautiful. Information is Beautiful. Retrieved 30 May 2017, from http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/?utm_source=datafloq&utm_medium=ref&utm_campaign=datafloq

Newman, L., Matsakis, L., & Graff, G., et al. (2018). 6 Fresh Horrors From the Equifax CEO’s Congressional Hearing. WIRED. Retrieved 30 May 2018, from https://www.wired.com/story/equifax-ceo-congress-testimony/

Smile&Wave boys….avi. (2018). YouTube. Retrieved 30 May 2018, from https://www.youtube.com/watch?v=DvYBZRwwGB4&feature=youtu.be

Teaching Computers to Parents — Foil Arms and Hog. (2018). YouTube. Retrieved 30 May 2018, from https://www.youtube.com/watch?v=zFX3Ju6cl-k&feature=youtu.be&list=PLQ8Y_k5gEdWHx7QQcZE8mEv-weyTTu5xT

Jenny Balliet