Cybersecurity: How to Involve People in Risk Mitigation

Cefriel presented the white paper “Cyber Security and the Human Element”, an in-depth look at how to analyze and understand the connections between the human element and cybersecurity for a new approach to risk mitigation.

Milan, 4 July 2024 – As part of the European projects CYRUS and SEC-AIRSPACE, Cefriel, a digital innovation center founded by Politecnico di Milano, published the new white paper “Cyber Security and the Human Element – Risks and mitigation interventions, starting from people”. The text – by Enrico Frumento, Cybersecurity Research Lead at Cefriel – explains why people need to become aware of their role in corporate defense and protection mechanisms, and how to intervene so that they can actively take part in preventing and mitigating cyber-attacks.

The emerging threat posed by artificial intelligence comes on top of gaps in cybersecurity management that have not yet been closed, especially in the supply chain and in OT and IoT environments. Comparing the maturity level of the various sectors with the share of cyber-attacks recorded in Europe and Italy in the first half of 2023 shows that Public Administration remains the sector most affected, with 19% of attacks in Italy and 23% in Europe. Also significant is the share of attacks suffered by the industry sector in Italy (17%), more than double the European average (7%), which shows that industry still has much to do on cybersecurity. According to the Netconsulting report, the critical factors requiring intervention are above all training and the resources allocated to IT security investments: these are not always sufficient, although they are growing by more than 12% per year.

Why should you start from the human element in cybersecurity strategies?

At present, much of the cybersecurity market focuses on the technical aspects of an attack, while little work is done on the so-called “human element”. Yet the human element plays a central role: according to the World Economic Forum’s Global Risk Report, risks linked to people’s behavior account for almost 95% of the total.

Enrico Frumento, Cybersecurity Research Lead at Cefriel, explains: “In cybersecurity people are too often blamed when a cyber incident occurs, as if they were just another source of cyber risk to be dealt with. But people are not computer systems, hence, they need specific solutions. We should start by asking ourselves how a threat analysis can be carried out on people, how a company can calculate the cyber risk related to a person, and how many effective ways there are to reduce it. In general, how can you rethink security starting from the so-called human element. That’s what we thought about when we wrote this white paper.”

What approach should you take to defend and protect your business?

As the white paper explores, people must be an integral and active part of the corporate defense and protection process, with the ultimate goal of inducing a stable behavioral change. To achieve this, the “human element” of cybersecurity needs to be addressed with a multicultural and holistic approach that brings together the human factor, the human sciences, governance and technology, so that cybersecurity remains sustainable over time, economically as well as in terms of technologies, processes, people and skills.

“Given that the aim of an attacker is always the same,” Frumento explains, “attacking a person instead of an IT system implies a different process that requires the modification of the attack tactics, with the involvement of social engineering and human sciences, such as psychology or behavioural sciences and the theories related to the management and modelling of human errors”.

A Social Driven Vulnerability Assessment, like any Vulnerability Assessment or Penetration Test, is a point-in-time sample of cyber risk, and it loses its validity as soon as enough of the underlying variables change. A Human Risk Management model is therefore the starting point for bringing people into a paradigm of continuous security. Taking advantage of it means transforming training from a professional training or retraining tool into a cyber risk reduction tool that increases the resilience of organizations.

The white paper can be downloaded for free at this link: https://www.cefriel.com/whitepaper-en/cybersecurity-how-to-involve-people-in-risk-mitigation/?lang=en

About CYRUS

The CYRUS (A personalized, customized, work-based training framework for enhanced CYbeR-security skills across indUstrial Sectors) project, GA no. 101100733, will develop an innovative cybersecurity training system for employees in the transportation and manufacturing sectors. Traditional training courses can be challenging for SMBs, but CYRUS leverages virtualization, simulations, and work-based learning to provide effective and personalized training courses based on each employee’s role, skills, and aptitude. The goal is to create an “innovation DNA” for cybersecurity, promoting awareness and best practices. With CYRUS, employees at all levels can gain the skills and knowledge needed to identify and respond to cyber threats, helping protect their businesses from attacks. Website: https://www.cyrus-project.eu/.

About SEC-AIRSPACE

The SEC-AIRSPACE project (Cyber SECurity Risk Assessment in virtualized AIRSPACE scenarios and stakeholders’ awareness of building resilient ATM), GA no. 101114635, helps build more resilient Air Traffic Management (ATM) by reducing the risks of virtualization and by increasing data sharing among all ATM infrastructure components and stakeholders. The project will advance the state of the art of the security risk assessment methodology currently adopted in ATM with leading cybersecurity components. Furthermore, the project will investigate the potential of applying the People Analytics (PA) concept to increase cybersecurity awareness in ATM organizations. The project results will be validated and demonstrated through two realistic use cases involving stakeholders. Website: https://www.sesarju.eu/projects/sec-airspace/.

Cefriel, digital innovation as a driver for the country’s development

Cefriel is a not-for-profit digital innovation center, founded in 1988 by the Polytechnic University of Milan to help the country’s businesses, society, and economy grow and develop by using and expanding skills and knowledge in the field of digital technologies and services. The center’s mission is to make digital innovation benefit the country, organically combining research, innovation, and training, and leveraging the skills and knowledge of the worlds of research, business, and public administration. Cefriel has been a Benefit Corporation since 2023, with the aim of generating a positive impact on society, the country system, and the environment through digital innovation. Cefriel’s activities fall into three key action areas: development of a company’s strategic vision and its implementation through innovative service and technology adoption plans; design and development of innovative products, services, and processes; and development of a company’s know-how, organizational models, and processes so that it can operate successfully on the market and grow responsibly and sustainably. Using methods, approaches, tools, and models based on state-of-the-art international research and innovation, Cefriel helps companies and the public administration define their vision and establish their strategies for seizing on digital technologies, helping them scout and assess innovative technologies and then build and manage a portfolio of digital innovation projects.

About the Author

Enrico Frumento is the Cybersecurity Research Lead of the Cefriel innovation center. Enrico specializes in cybersecurity and has worked in this field for several years, in Italy and in other European countries. His work on the subject has been published in international journals and books, and he is a member of leading European organizations dealing with cybersecurity. He has over 20 years of research behind him, focused on unconventional security, cybercrime intelligence tactics, techniques and technology, countering social engineering, and cyber risk calculation systems for assessing vulnerabilities within organizations.

Frumento can be reached online at [email protected] and at our company website https://www.cefriel.com/
