About this talk
Abstract: When users take a potentially harmful action, the cybersecurity industry believes that it’s a lack of awareness and the solution is more awareness. This is akin to saying that if a canary dies in a coal mine, the solution is healthier canaries. While the relationship seems natural, it is specious. It is also dangerous, as these attacks are responsible for more than 90% of major incidents. The implication is that when a user fails, it is the user’s fault. I contend a user is a part of the system, and that when the user fails, it is really a failure of the entire system. For example, for a user to interact with a phishing message, the system first fails to recognize the message as a potential attack and provides it to the user. While the user may choose to interact with the malicious message, the user experience leads the user to take the action. Then, should a user activate the attack in the message, it does not mean that loss is the inevitable result. Instead, the system has to facilitate the loss by allowing malware to execute, allowing the user to interact with malicious sites, or whatever the malicious action requires to succeed. I call the study of how a system as a whole facilitates loss initiated by user actions Human Security Engineering. Likewise, given that harmful user actions can be driven by a lack of awareness, carelessness, purposeful ignoring of specified processes, or malice, I define the harmful user action as User Initiated Loss (UIL). As important, while the user may initiate a loss, it does not mean that the system should allow the loss to be realized. Human Security Engineering (HSE) essentially attempts to prevent the user from being in the position where they may initiate the loss, attempts to stop the user from initiating the loss when presented with the opportunity, and then mitigates the loss after initiation.
Along with the concept of HSE, we are developing a model, similar to MITRE ATT&CK, to define the phases of User Initiated Loss, and will be presenting this model possibly for the first time. I will define UIL and show the multiple phases within each phase of pre-user action, user action, and post-user action. This will include the countermeasures to apply during each phase. I will present parallels from other disciplines, such as safety science, counterterrorism, and accounting. We will walk through multiple examples, defining how countermeasures are determined at each phase.

Bio: Ira Winkler, CISSP, is CISO for Skyline Technology Solutions and author of You Can Stop Stupid. He is considered one of the world’s most influential security professionals, and has been named a “Modern Day James Bond” by the media. He did this by performing espionage simulations, where he physically and technically “broke into” some of the largest companies in the world, investigating crimes against them, and telling them how to cost-effectively protect their information and computer infrastructure. He continues to perform these espionage simulations, as well as assisting organizations in developing cost-effective security programs. Ira also won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards. CSO Magazine named Ira a CSO Compass Award winner as The Awareness Crusader. Most recently, Ira was named 2021 Top Cybersecurity Leader by Security Magazine.