The human factor in cybersecurity has become a topic of major concern across all economic sectors. SOTER is conducting interdisciplinary research and development to support efforts to address the social vulnerability layer in the finance sector. In October 2021, SOTER organised a series of activities with stakeholders of the European finance sector to gather feedback on the SOTER solutions and to discuss the interim outcomes of the project. Workshop activities in Ireland and Austria were followed by an online panel discussion bringing together bank and fintech perspectives as part of the European Cybersecurity Month.
On 14 October 2021, SOTER held a workshop in Waterford (Ireland) and discussed the outcomes of social research conducted in the European finance sector with cybersecurity experts and stakeholders.
One of the key discussion points was that cybersecurity measures should protect not only the integrity of the organisation, but also the integrity of all individuals involved. Human factor-based threats remain a constant vulnerability in the sector, and cybersecurity culture has to be understood as a top-down requirement that needs the active engagement of ‘C-level’ management. The discussions emphasised the importance of ensuring that cybersecurity is prioritised above all other tasks. The stakeholders also saw social research methods as a useful analysis route, since they provide additional insight into how information security policies and procedures are actually adopted within organisations. Finally, awareness is not only important for employees of finance sector organisations; it also needs to be supported among the general public.
Employee trust (or lack thereof) was not viewed as a deterrent to good operational cybersecurity: stakeholders felt that employees were aware of their professional responsibility and, on the whole, accepted the company's mandate to ensure that proper cybersecurity procedures were followed, whether through monitoring, logs or workplace surveillance techniques. The stakeholders also discussed how peer reputation management systems might foster a collaborative cybersecurity culture and provide feedback mechanisms, by giving employees a way to report good cybersecurity practices, behaviours and actions to management, as well as a way to report suspicious or negligent behaviour in the workplace.
In Austria, talks with ‘C-level’ stakeholders in the bank and fintech domain focused on training and awareness.
Training is often delivered by external training service providers and typically takes the form of annual basic security training for all employees, although not all employees need the same training. CISOs also try to organise training sessions on special topics and discussion workshops in which employees can reflect on their own experiences with information security and related incidents. Documenting this training is important, and competence catalogues may be a good way to make that documentation more detailed and more effective. However, a competence catalogue must come from a trusted authority.
In the domain of risk assessment there is a need to engage specialised experts to identify the full range of risks relevant to an organisation. One approach mentioned here was to involve employees from many different departments in identifying and discussing hypothetical scenarios in which the organisation's assets might be harmed. Adding an ethical vulnerability layer to the cybersecurity focus was also well received, because reputational damage is perceived as one of the biggest risks in the sector (and is harder to insure against than direct losses). Additionally, penetration testing and red teaming exercises with external experts are seen as an important avenue for testing and maintaining organisational security.
Looking at cybersecurity governance, a culture of trust between management and employees is an important factor. On the one hand, this involves management practices that respect the fundamental rights of employees; on the other hand, it involves establishing a shared responsibility for keeping up cybersecurity competence levels within the organisation. Employees must feel responsible for the organisation's digital assets, while management and information security need to communicate clearly that human errors can and will occur and will cause incidents, and that the organisation's priority is not to find a scapegoat but to make sure that incidents are reported as quickly and as thoroughly as possible.
These topics were taken up again in the online workshop during the European Cybersecurity Month. The outcomes of the panel discussion can be summarised as follows:
- Trust is important, but employees and colleagues also need to be told what to look out for (awareness!). Management needs to be aware as well. Training as envisioned by SOTER needs to happen at all organisational levels (management, regular employees, etc.).
- Regarding (general) awareness, we should start in school/in the education system. Digital education should teach a basic level of cybersecurity.
- ‘C-level’ management must also be aware (see the leadership and commitment requirement in ISO/IEC 27001, clause 5.1). This includes training on new threat types, the current threat landscape and how the company is reacting to it.
- In larger companies, face-to-face training does not scale to the number of employees, as such training settings usually work for a maximum of about 10 people.
- Training needs can be assessed by sending simulated phishing e-mails and measuring how many employees fail to recognise them.
- What employees share about themselves and their work (e.g., on social media) poses a problem. It is important to go beyond training, not only at the company level but also at the societal level. Personal information management means being mindful of what you share or post, and how.
- The human factor is the biggest risk. Human error cannot be prevented by technical measures alone. Awareness has to “stick in the minds” of employees, which takes more than attending one training session per year.
- For smaller companies it is harder to stay on top of cybersecurity awareness and training (there is often a need to source training from external providers).
- Time pressure in business processes is a threat to effective cybersecurity processes, not least because time pressure is exactly what social engineering attacks such as CEO fraud exploit. The state of the art should be a four-eyes process, in which two different individuals have to approve the action.
- Finance sector organisations face the challenge of keeping cybersecurity expertise in the company (e.g., because of staff turnover or difficulty hiring professionals).
- While ISO/IEC 27001 is perceived as an essential starting point for communicating high security standards, transparency may count for more than certificates and labels. There was also a discussion of whether more detailed and better standards than ISO/IEC 27001 exist (e.g., the standards published by the German BSI, the Bundesamt für Sicherheit in der Informationstechnik).
- Anomaly recognition is crucial: everyone in a company needs to be aware of what could potentially happen, what the risks are and which assets are at stake.
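The four-eyes point from the panel is easy to state and easy to get wrong in practice, because an approval workflow that only counts signatures still lets the requester sign, lets one person sign twice, or lets the beneficiary be changed after sign-off. The following is an added illustration of how the principle is enforced in code; it is not SOTER project code, and the payment data model, the 10,000 threshold, the user names and the sample request are all assumptions made for the example.

```python
"""Four-eyes (dual control) release of payment instructions.

Added example for the "four-eyes process" point above; not SOTER code.
Threshold, field names, user names and the sample request are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumed policy: at or above this amount a second, distinct approver is required.
FOUR_EYES_THRESHOLD = 10_000


class ApprovalError(Exception):
    """Raised when recording an approval would violate the four-eyes policy."""


@dataclass
class PaymentRequest:
    request_id: str
    requester: str            # user who entered the instruction
    amount: int               # whole currency units (assumed)
    beneficiary: str          # where the money goes
    urgent: bool = False      # "the CEO needs this today" flag; carries no weight
    approvals: list = field(default_factory=list)   # (approver, timestamp)
    audit: list = field(default_factory=list)       # human-readable trail


def _now(when: Optional[datetime]) -> datetime:
    return when if when is not None else datetime.now(timezone.utc)


def required_approvals(req: PaymentRequest) -> int:
    """Distinct approvers needed. Urgency never lowers the number: time
    pressure is precisely the lever CEO-fraud style attacks pull."""
    return 2 if req.amount >= FOUR_EYES_THRESHOLD else 1


def review(req: PaymentRequest, approver: str) -> Optional[str]:
    """Return the reason an approval must be refused, or None if it may be recorded."""
    if approver == req.requester:
        return "requester may not approve their own instruction"
    if any(a == approver for a, _ in req.approvals):
        return "the same person cannot count as both pairs of eyes"
    return None


def approve(req: PaymentRequest, approver: str, when: Optional[datetime] = None) -> None:
    """Record an approval, or refuse it and leave a trace in the audit trail."""
    ts = _now(when).isoformat()
    reason = review(req, approver)
    if reason is not None:
        req.audit.append(f"{ts} REFUSED approval by {approver}: {reason}")
        raise ApprovalError(reason)
    req.approvals.append((approver, ts))
    req.audit.append(f"{ts} approved by {approver}")


def amend_beneficiary(req: PaymentRequest, new_beneficiary: str, who: str,
                      when: Optional[datetime] = None) -> None:
    """Changing where the money goes invalidates every earlier approval:
    swapping the account after sign-off is the classic fraud move."""
    ts = _now(when).isoformat()
    old, req.beneficiary = req.beneficiary, new_beneficiary
    req.approvals.clear()
    req.audit.append(f"{ts} {who} changed beneficiary {old} -> {new_beneficiary}; approvals reset")


def is_releasable(req: PaymentRequest) -> bool:
    """True only when enough *distinct* people have approved the current version."""
    distinct = {a for a, _ in req.approvals}
    return len(distinct) >= required_approvals(req)


if __name__ == "__main__":
    t = datetime(2021, 10, 14, 9, 0, tzinfo=timezone.utc)
    # Constructed sample: an "urgent" 25,000 transfer entered by alice.
    req = PaymentRequest("PR-0001", "alice", 25_000, "beneficiary-A", urgent=True)
    for approver in ("alice", "bob", "bob", "carol"):
        try:
            approve(req, approver, t)
        except ApprovalError as e:
            print(f"refused {approver}: {e}")
    print("releasable:", is_releasable(req))
    amend_beneficiary(req, "beneficiary-B", "alice", t)
    print("releasable after beneficiary change:", is_releasable(req))
    print("\n".join(req.audit))
```

The design choices are the ones that matter in a time-pressure scenario: `urgent` is deliberately ignored by `required_approvals`, every refused approval is written to the audit trail so that repeated attempts to self-approve become visible, and any change to the beneficiary clears the approvals so that the second pair of eyes always sees the instruction that will actually be executed.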
The event concluded with a short presentation of SOTER's interdisciplinary approach to human factor risk assessment. The image below shows the three main areas of concern (human error, malicious insiders, and legal and ethical threats), the typical threats in each area, and the main mitigation avenues.
Authors: Martin Griesbacher (RISE), Paul Rabel (University of Graz), Robin Renwick (Trilateral Research)