It turns out that pride doesn’t come only “before the fall.” It may come before the data breach, also.
That’s the conclusion of a study by Fujitsu Laboratories of around 2,000 Japanese employees. The study found that employees who were highly confident in their own ability to use a computer were at higher risk for data leakage.
Of course, that’s contrary to what many of us believe: that tech savvy employees – and individuals – are better prepared to defend themselves against online attacks like viruses, phishing e-mails and drive by downloads. But the Fujitsu researchers discovered that underlying psychological traits drove risky behavior, rather than technical know-how.
For their experiment, the Fujitsu researchers had subjects fill out questionnaires designed to evaluate underlying personality traits like risk-taking behavior or attentiveness. They then planted monitoring software on those individuals’ computers and devised a test that presented the users with unexpected events – systems freezes and error messages – to evaluate how their subjects responded. Afterwards, the researchers compared the results of the survey to the user behavior they observed.
In the case of technical users, the researchers found that they were more likely to ignore adverse events: using keyboard combinations to end system hangs rather than trying to understand their source. Action-oriented employees (or “benefit-oriented” in the parlance of the study) would spend little time reading privacy policies designed to inform them of risks.
A risk analysis of employees surveyed found that those who work in systems engineering or software development were more susceptible to viruses, scams and data breaches that leaked personal information than colleagues who worked in customer service, management or lab environments (only employees who worked in Sales were more susceptible – shocker).
Image via Fujitsu
Of course, heaping shame (or even a dose of humility) on wayward employees isn’t the purpose of the study. Rather, the idea is to better tailor security defenses to users who most need assistance, said Fujitsu.
For example: users with a pattern of clicking on links without checking the URL might need to receive warnings about possible phishing attacks. Suspicious e-mail messages sent from departments or user accounts that are known to be ‘high risk’ may warrant escalation more quickly than messages sent from users with a lower risk score, Fujitsu said. This would be an improvement over many existing cyber security products, which protect systems and users in an undifferentiated way. Numerous studies and surveys have found that users, insiders or employees are the most common source of data breaches. While the insider threat can be challenging to mitigate, tailored security that to focus on the most at-risk users and most sensitive data is certainly a step in the right direction.
About Paul Roberts
Dan Geer on How to Mitigate the Risk of Insider Threats
Dan Geer explains how to apply the reference monitor concept to mitigate the risks presented by insiders.
Related ArticlesPanera Bread Leaked Data on Millions of Customers for Months
A security researcher notified the restaurant last August it was leaking customers' data on its website in plain text.Friday Five: 8/3 Edition
Catch up on the week’s infosec news, including ransomware trends, a big healthcare breach, and millions in cryptocurrency stolen, with this roundup!2015 Midyear Review: The Biggest Data Breaches Year to Date
2015 has been full of data breaches thus far, and it seems that personal and health records are attackers’ top targets. With the first half of 2015 in the books, let’s take a look back at some of the biggest and most impactful data breaches that have occurred.