
July 26, 2024

Insights from HRMCon 2024 On Demand

HRMCon 2024 Now Available On Demand

Living Security’s third annual Human Risk Management Conference took place on June 20th, bringing together over two dozen experts in various disciplines of cybersecurity to provide insight on strategy to combat the most common risk vectors that are challenging organizations today.

Guests included Brian Krebs, cybercrime investigative journalist; Jessica Burn, principal analyst at research advisory Forrester; and David Kennedy, cybersecurity veteran and founder and CEO of TrustedSec.

Human-Centered Risk

Living Security Founder and CEO Ashley Rose highlighted a crucial point: While organizations spend $200 billion each year on cybersecurity, only 2% is focused on human-centered risk, a significant factor in 68% of security breaches.

What is meant by human-centered risk, exactly? It covers risks that are directly related to how individuals interact with technology and information systems. Here are the key aspects of human-centered risk in cybersecurity:

Social Engineering

  • Phishing: Deceptive emails or messages to trick individuals into revealing sensitive information.
  • Pretexting: Manipulating someone to disclose confidential information by pretending to be someone else.
  • Baiting: Offering something enticing to provoke individuals to click a malicious link or download malware.

Related Reading: Living Security’s Social Engineering Guide.

User Behavior

  • Password Management: Use of weak passwords, reusing passwords across multiple accounts, or failing to update passwords regularly.
  • Clicking on Suspicious Links: Ignorance or lack of caution leads users to click on malicious links.
  • Failure to Apply Updates: Systems become vulnerable by neglecting to install security patches and updates.

Insider Threats

  • Malicious Insiders: Employees or contractors who intentionally misuse their access to company resources.
  • Negligent Insiders: Individuals who unintentionally cause security breaches through careless actions or poor judgment.
  • Compromised Insiders: Employees whose accounts have been taken over by external attackers.

Related Reading: Insider Threat Awareness Tools & Resources

Lack of Security Awareness

  • Training and Education: Insufficient training programs are available to educate employees on cybersecurity best practices.
  • Awareness Campaigns: Lack of regular campaigns to remind and update employees about new and emerging threats.

Human Error

  • Misconfigurations: Incorrectly setting up security settings or systems.
  • Data Mishandling: Accidental exposure or loss of sensitive data.
  • Poor Incident Response: Inadequate or delayed response to security incidents due to lack of preparation or understanding.

Psychological Factors

  • Stress and Fatigue: Higher susceptibility to making mistakes or falling for social engineering tactics.
  • Overconfidence: Underestimating the risk or believing that a person cannot be the target of cyber threats.
  • Distraction: Divided attention leading to errors in judgment or security practices.

Krebs agreed that mitigating the risk of employees creating unintentional breaches is essential. “Humans are the key,” he said. “They're the fastest way to undo all of the security in your organization. That's why so much cybercrime is so heavily reliant on humans. And that will fundamentally never change.” 

Krebs added, “A lot of what organizations try to pursue in the name of security awareness training ends up being more like ‘gotcha’ training, and that creates an adversarial relationship between normal users in the network and the security people.”

Related Reading: The Types of Data Breaches Workplaces Face

What is AI's Role in Cybersecurity?

Artificial Intelligence is transforming the cybersecurity landscape, playing a dual role that both fortifies and challenges our digital defenses. Bad actors are now using AI to craft sophisticated phishing scams, automate the search for exploitable system weaknesses, and even develop malware that can evolve to evade detection.

In his keynote, TrustedSec CEO David Kennedy, a former CISO with two decades of experience in the field, discussed cybercriminals’ rapid move into using AI, voice cloning, and new advances in ransomware and how organizations can prepare and defend against those attacks.

Although AI may aid cybersecurity by automating threat detection, predicting vulnerabilities, and streamlining incident response with remarkable precision, Rose and Krebs addressed “breach fatigue,” how introducing AI into cybersecurity may cause more problems than it solves, and what effective cybersecurity training looks like.

This digital arms race and constant tug-of-war underscore the need for continuous innovation in security measures, ensuring that defenders stay one step ahead in the cat-and-mouse game of modern cybersecurity.

HRMCon 2024

Human Risk Management Conference 2024 On Demand offers the live event’s 16 sessions across four tracks: 

  • Human Risk Quantification
  • Risk-Based Policy Training and Intervention
  • Workforce Education and Enablement
  • Positive Security Culture  

The 22 speakers include John Brickey, senior vice president of cybersecurity at Mastercard; Shawnee Delaney, founder and CEO at Vaillance Group; Michele Kim, director of technology risk at Fitch Ratings; David Tunley, cybersecurity engagement lead at Rivian; and Drew Rose, founder and CSO at Living Security. 

To view any of the keynotes or sessions, visit HRMCon 2024 OnDemand. To learn more about Living Security’s leading solution for human risk management, visit https://www.livingsecurity.com/platform.



