It turns out that pride doesn’t come only “before the fall.” It may come before the data breach, also.
That’s the conclusion of a study by Fujitsu Laboratories of around 2,000 Japanese employees. The study found that employees who were highly confident in their own ability to use a computer were at higher risk for data leakage.
Of course, that’s contrary to what many of us believe: that tech savvy employees – and individuals – are better prepared to defend themselves against online attacks like viruses, phishing e-mails and drive by downloads. But the Fujitsu researchers discovered that underlying psychological traits drove risky behavior, rather than technical know-how.
For their experiment, the Fujitsu researchers had subjects fill out questionnaires designed to evaluate underlying personality traits like risk-taking behavior or attentiveness. They then planted monitoring software on those individuals’ computers and devised a test that presented the users with unexpected events – systems freezes and error messages – to evaluate how their subjects responded. Afterwards, the researchers compared the results of the survey to the user behavior they observed.
In the case of technical users, the researchers found that they were more likely to ignore adverse events: using keyboard combinations to end system hangs rather than trying to understand their source. Action-oriented employees (or “benefit-oriented” in the parlance of the study) would spend little time reading privacy policies designed to inform them of risks.
A risk analysis of employees surveyed found that those who work in systems engineering or software development were more susceptible to viruses, scams and data breaches that leaked personal information than colleagues who worked in customer service, management or lab environments (only employees who worked in Sales were more susceptible – shocker).
Image via Fujitsu
Of course, heaping shame (or even a dose of humility) on wayward employees isn’t the purpose of the study. Rather, the idea is to better tailor security defenses to users who most need assistance, said Fujitsu.
For example: users with a pattern of clicking on links without checking the URL might need to receive warnings about possible phishing attacks. Suspicious e-mail messages sent from departments or user accounts that are known to be ‘high risk’ may warrant escalation more quickly than messages sent from users with a lower risk score, Fujitsu said. This would be an improvement over many existing cyber security products, which protect systems and users in an undifferentiated way. Numerous studies and surveys have found that users, insiders or employees are the most common source of data breaches. While the insider threat can be challenging to mitigate, tailored security that to focus on the most at-risk users and most sensitive data is certainly a step in the right direction.
About Paul Roberts
Dan Geer on How to Mitigate the Risk of Insider Threats
Dan Geer explains how to apply the reference monitor concept to mitigate the risks presented by insiders.
Related Articles2017 Data Breach Report Finds Phishing, Email Attacks Still Potent
Phishing of employees and malicious attachments sent in email messages are still the main causes of data breaches, despite warnings, Verizon said in its latest Data Breach Investigation Report.For Data Thieves, the Internet of Easy Pickings
Leaks of data from the U.S. Military’s Special Operations Command (SOCOM) show that many data breaches are just a matter of picking low hanging fruit.Email Addresses of 92 Million Users Spilled in MyHeritage Breach
The genealogy site MyHeritage said Monday that it suffered a breach last year that exposed 92 million of its users emails and hashed passwords.