Employee Habits, Errors, and Security Breaches

Loading...

En provenance du cours de University System of Georgia

Cybersecurity and the X-Factor

73 notes

University System of Georgia

Cybersecurity and the X-Factor

73 notes

Cours 3 sur 4 dans Specialization Cybersecurity: Developing a Program for Your Business

What is the X-Factor? In Cybersecurity, the X-Factor related to unknown and unpredictable human behavior within and outside of your organization. “No one really knows why humans do what they do”, (David K. Reynolds), and because of this organizations can be unprepared for malicious, untrained, or even best intentioned behavior that can cause alarm and sometimes irreparable harm. This course will introduce you to the types of training available to reduce the impact of the X-Factor, evaluate its effectiveness, explore the Security Education, Training and Awareness (SETA) program, and learn why it may fail. The course will conclude with information designed to assist you with some critical components for your business security program. Activities focused on hactivism, cyberinsurance, and ransomware will round out your knowledge base. Your team of instructors has prepared a series of readings, discussions, guest lectures, and quizzes to engage you in this exciting topic.

À partir de la leçon

Reasons Why Traditional Training Efforts Fail

In this module you will understand why traditional training efforts through SETA programs may fail. You will learn about human behavior and how understanding it can help managers better leverage their security efforts. Finally, through the readings you will also see that this is a global issue. The readings present examples of existing awareness campaigns in U.K., in Australia, in Canada and Africa.

Overview: Habits and Vulnerabilities2:41

Employee Habits, Errors, and Security Breaches4:01

Habituation: What is it?5:31

Pulling it together3:06

Rencontrer les enseignants

Dr. Humayun Zafar
Associate Professor of Information Security and Assurance
Information Systems
Dr. Traci Carte
Associate Professor Chair, Information Systems
Information Systems
Herbert J. Mattord, Ph.D., CISM, CISSP, CDP
Associate Professor in Information Security and Assurance
Information Systems
Mr. Andy Green
Lecturer of Information Security and Assurance
Kennesaw State University - Department of Information Systems
Michael Whitman, Ph.D., CISM, CISSP
Professor of Information Security
Information Systems

[MUSIC]

Since employees interact with IT systems on a regular basis in their organizational

activities, how they use those systems and whether they follow established measures

will ultimately determine the overall security posture of an organization.

Habit-based research mostly focuses on continuing IT use as an act

that is driven by conscious or non-habitual decision making.

However, it also draws from fields such as psychology

to posit that much of continuing IT use is habitual.

The argument is that when IT use is habitual,

it ceases to be guided by an individual's intentions.

Habitual IT use behavior at times has been defined as repeated behavioral

sequences that are automatically triggered by cues in the environment and

is considered to be a critical predictor of technology use.

Limayem and Cheung in 2008 used a moderation perspective and

illustrated that the predictive power of intention weakened

with the continued habitual behavior by individuals.

Venkatesh, Thong, and

Xu in 2012 integrated habit into the unified theory of acceptance and

use of technology, otherwise known as UTAUT, to compliment the theory's

focus on intentionality as the overarching mechanism and key driver of behavior.

They modeled habit as having both a direct effect on use and

an indirect effect through behavioral intention.

Research has also played to the role habit plays when warnings are ignored by users

and acknowledgment of notifications becomes routine.

For example, users click through half of all Security Sockets Layers, or

SSL warnings, in less than two seconds, which is consistent with warning fatigue.

Further, with more instances of receipt,

employees' brains stop registering the novelty of security notifications

due to the routine nature of clicking on similarly presented notifications.

The concept of fatigue has also been investigated in clinical settings whereby

corroborating its relevance.

Studies have used various proxies for habit.

For example, Kim and Malhotra in 2005 equated past use to habit.

So you may wonder, is all this research necessary?

Absolutely.

The reason is simple.

Inadvertent errors due to habitual behavior result in security breaches.

What makes it troubling is that more often than not,

it is not immediately ascertained that a security breach has even occurred.

In April of 2015, a departing Federal Deposit Insurance Corporation employee was

transferring files from an office computer onto a personal storage device and

inadvertently copied sensitive customer data from more than 44,000 individuals.

The employee left the FDIC in February of 2016, but

the agency only realized the data was taken almost a week later.

Despite the established risk, CompTIA has found that human errors rank as

a serious concern for only less than one-third of organizations.

Experts say the lack of focus on risk caused by people

is because the human factor is the most difficult to solve.

Whereas most other security threats can be addressed with investments in security

technology, this approach doesn't work for internal human error.

Adding security barriers only lowers compliance and increases work arounds.

[MUSIC]

Explorer notre catalogue

Rejoignez-nous gratuitement et obtenez des recommendations, des mises à jour et des offres personnalisées.

Coursera propose un accès universel à la meilleure formation au monde, en partenariat avec des universités et des organisations du plus haut niveau, pour proposer des cours en ligne.

© 2018 Coursera Inc. Tous droits réservés.

Télécharger dans l'App Store

Disponible sur Google Play