Blunting the Phisher's Spear: A Risk-Based Approach for Defining User Training and Awarding Administrative Privileges

Black Hat USA 2016

Presented by: Arun Vishwanath
Date: Thursday August 04, 2016
Time: 09:00 - 09:25
Location: South Seas CDF

Solving the "people problem" of cyber security requires us to understand why people fall victim to spear phishing. Unfortunately, the only proactive solution being used against spear phishing is user training and education. But, judging from the number of continued breaches, training appears to be limited in its effectiveness. Today's leading cybersecurity training programs focus on hooking people in repeated simulated spear phishing attacks and then showing them the nuances in the emails they missed. This "gotcha game" presumes that users merely lack knowledge, and if they are told often enough and repeatedly shown what they lack, they would become better at spear phishing detection. This is akin to trying to teach people to drive by constantly causing accidents and then pointing out why they had an accident each time.

We propose a radical change to this "one-size-fits-all" approach. Recent human factors research, the Suspicion, Cognition, Automaticity Model (SCAM) [1], identifies a small set of factors that lead to individual phishing victimization. Using the SCAM, we propose the development of an employee Cyber Risk Index (CRI). Similar to how financial credit scores work, the CRI will give security analysts the ability to pinpoint the weak links in organizations and identify who is likely to fall victim, who needs training, how much training, and what the training should focus on. The CRI will also allow security analysts to decide which users get administrative access, replacing the current, mostly binary, role-based apportioning method, where individuals are given access based on their organizational role and responsibilities, with a system based on each individual's quantified cyber risk propensity. The CRI-based approach we present will lead to individualized, cognitive-behavioral training and an evidence-based approach to awarding users admin privileges. These are paradigm-changing solutions that will together improve individual cyber resilience and blunt the effectiveness of spear phishing.

Arun Vishwanath

Arun Vishwanath studies the "people problem" of cyber security. His research focuses on improving individual, organizational, and national resilience to cyber attacks by focusing on the weakest links in cyber security: all of us Internet users. Arun's interest is in understanding why organizational insiders willingly exfiltrate sensitive organizational data; why people become unintentional insiders by falling prey to social engineering attacks that come in through email and social media; and on ways we can harness this understanding to secure cyber space. He also examines how various groups (criminal syndicates, terrorist networks, hacktivists) utilize cyber space to commit crime, spread misinformation, recruit operatives, and radicalize others. Arun's research on improving cyber resilience against online social engineering has been funded by the National Science Foundation. He has written and published over two dozen articles on technology users and cyber security issues, and his research has been presented to principals at national security and law enforcement agencies around the world. Arun's research has also been featured on CNN, USA Today, Politico, and many other national and international news outlets.
