The Human Factor | Cybersecurity Policy

Slide 1 of 13  |  CSP-W2-01  |  Week 2
The Human Factor
Social Engineering  •  Insider Threats  •  Psychological Manipulation  •  Security Awareness
You can deploy the most advanced firewalls, encrypt every packet, and patch every CVE within hours -- and still get breached because someone clicked a link or held a door open. The 2024 Verizon DBIR reports that 74% of breaches involve a human element. This deck examines why people are the persistent vulnerability, how adversaries exploit them, and what policy can do about it.
13 Slides  |  CSP-W2-01  |  Week 2  |  CIS2208 -- Cybersecurity Policy
Slide 2 of 13
Why Humans Are the Weakest Link
Technology is deterministic. People are not. Attackers exploit the gap between policy and behavior.
[Diagram: attack chain -- threat actor -> social engineering -> human target -> credentials -> systems (access granted) -> exfiltration -> data breach. 74% of breaches involve a human element (source: Verizon 2024 DBIR).]
The Statistics
Verizon DBIR 2024: 74% of breaches involve a human element -- phishing, stolen credentials, misuse, or error. IBM Cost of a Data Breach 2024: average breach cost $4.88M, with social engineering and compromised credentials as the top two initial attack vectors. These are not edge cases -- they are the dominant attack surface.
Why Technology Alone Fails
Humans are susceptible to emotional manipulation, cognitive biases, fatigue, and time pressure -- none of which firewalls can filter. An employee who trusts a phone call from "IT support" will hand over credentials that bypass every technical control. The attack surface is the human mind, and it has no patch Tuesday.
The Core Problem
Security policies are written for rational actors who follow procedures. Attackers exploit the fact that humans under stress, distraction, or authority pressure deviate from procedures predictably. The gap between "what policy says" and "what people do" is the attack surface that social engineers exploit.
Slide 3 of 13
Social Engineering Fundamentals
The art of manipulating people into performing actions or divulging confidential information. Every technique exploits trust.
[Diagram: four techniques aimed at the human target -- Pretexting: fabricated scenario to extract information; Baiting: lure with something enticing (USB, download); Quid pro quo: service in exchange for information; Tailgating: following an authorized person through a door.]
Pretexting
Attacker invents a fabricated scenario (pretext) to engage the target. "I am from IT and need your password to fix a critical issue." The pretext establishes trust and urgency. Effective because it exploits the target's desire to be helpful and compliant with authority.
Baiting
Entices the victim with something appealing -- a USB drive labeled "Salary Data Q4" left in a parking lot, a free download laced with malware. Exploits curiosity and greed. In controlled tests, 45-98% of dropped USB drives are plugged in by finders.
Quid Pro Quo
Attacker offers something (tech support, a service) in exchange for information. "I can speed up your computer if you give me remote access." Similar to baiting but involves an exchange rather than a lure. Exploits reciprocity -- the human instinct to return favors.
Tailgating
Physical social engineering. The attacker follows an authorized person through a secured door, often carrying boxes or wearing a uniform. Exploits politeness -- most people will hold the door. Also called "piggybacking." Defeats badge-access controls entirely.
Policy Takeaway
Social engineering works because it bypasses technical controls by targeting human behavior. Policies must address procedures for identity verification, challenge protocols for unknown visitors, and clear escalation paths when something feels wrong. You cannot firewall politeness.
Slide 4 of 13
Phishing Deep Dive
The most common social engineering vector. Phishing accounts for 36% of all breaches (Verizon DBIR 2024).
Phishing Email Anatomy (annotated example):
From: security@bank-0f-america.com  [SPOOFED SENDER]
Subject: URGENT: Account Suspended - Verify Now  [URGENCY]
Dear Valued Customer,  [GENERIC GREETING]
We have detected unusual activity on your account. Your account will be permanently closed within 24 hours unless you verify your identity immediately.  [THREAT / DEADLINE]
https://bank0famerica-secure-login.evil.com/verify  [MALICIOUS LINK]
Bank of America Security Team  [SPOOFED SIGNATURE]
This is an automated message. Do not reply.
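As an added example (not part of the deck), a small Python heuristic that checks a message for the indicators labelled above: a lookalike sender domain, urgency language, a generic greeting, and link hosts that do not belong to the sender. The protected-brand list, the phrase lists and the sample message are constructed for illustration; the digit-for-letter table is an assumption about common lookalike tricks.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the annotated email above (not a real message).
SAMPLE_EMAIL = {
    "from": "security@bank-0f-america.com",
    "subject": "URGENT: Account Suspended - Verify Now",
    "body": (
        "Dear Valued Customer,\n"
        "We have detected unusual activity on your account. Your account will be "
        "permanently closed within 24 hours unless you verify your identity immediately.\n"
        "https://bank0famerica-secure-login.evil.com/verify\n"
        "Bank of America Security Team"
    ),
}

# Assumed configuration: genuine domains worth protecting and phrase lists.
PROTECTED_BRANDS = {"bankofamerica.com": "Bank of America"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "permanently closed")
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user")

# Digits that commonly stand in for letters in lookalike domains; hyphens and dots are dropped.
LOOKALIKE_TABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None, ".": None})

def normalise(label):
    return label.lower().translate(LOOKALIKE_TABLE)

def lookalike_brand(host):
    """Brand a host imitates, or None if it is the genuine domain or imitates nothing."""
    host = host.lower()
    for real, brand in PROTECTED_BRANDS.items():
        if host == real or host.endswith("." + real):
            return None  # the genuine domain or one of its subdomains
        if normalise(real.rsplit(".", 1)[0]) in normalise(host.rsplit(".", 1)[0]):
            return brand
    return None

def registrable(host):
    """Crude registrable domain: last two labels (no public-suffix list used)."""
    return ".".join(host.lower().split(".")[-2:])

def score_email(msg):
    """Return (score, indicators); each indicator corresponds to one label in the anatomy."""
    indicators = []
    sender_domain = msg["from"].rsplit("@", 1)[-1]
    brand = lookalike_brand(sender_domain)
    if brand:
        indicators.append(f"SPOOFED SENDER: {sender_domain} imitates {brand}")
    text = (msg["subject"] + "\n" + msg["body"]).lower()
    if any(p in text for p in URGENCY_PHRASES):
        indicators.append("URGENCY / THREAT: deadline or account-loss language")
    if any(("\n" + g) in text for g in GENERIC_GREETINGS):
        indicators.append("GENERIC GREETING: no personal name")
    for url in re.findall(r"https?://\S+", msg["body"]):
        host = urlparse(url).hostname or ""
        if registrable(host) != registrable(sender_domain) or lookalike_brand(host):
            indicators.append(f"MALICIOUS LINK: {host} does not belong to the sender")
    return len(indicators), indicators
```

A real mail gateway would add authentication results (SPF/DKIM/DMARC) and URL reputation; this block only shows how the visible indicators map to checks.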
Spear Phishing
Targeted phishing aimed at a specific individual using personal information (job title, colleagues, recent activities). Far more effective than bulk phishing because the pretext is tailored. Often the initial vector in APT campaigns.
Whaling
Spear phishing targeting C-suite executives, board members, or other high-value individuals. Whaling emails mimic legal subpoenas, board communications, or vendor contracts. A single successful whale can authorize wire transfers worth millions.
BEC (Business Email Compromise)
Attacker compromises or impersonates a business email account to authorize fraudulent transactions. FBI IC3 reports $2.9B in BEC losses in 2023. Often involves no malware at all -- just a convincing email from a "trusted" sender requesting a wire transfer.
Vishing (Voice Phishing)
Phishing via phone calls. Attacker impersonates IT support, a bank, or law enforcement. Caller ID spoofing makes verification difficult. Particularly effective against non-technical employees. AI-generated voice cloning is making vishing dramatically more convincing.
Smishing (SMS Phishing)
Phishing via text messages. "Your package delivery failed -- click to reschedule." Exploits the trust people place in SMS compared to email. Mobile screens hide full URLs, making malicious links harder to spot. Rapidly growing vector since 2020.
Slide 5 of 13
Insider Threats: The Enemy Within
Not all threats come from outside. Insiders have legitimate access, making detection fundamentally harder.
[Diagram: insider threat types on an intentional/unintentional axis -- Malicious: deliberate theft, sabotage, espionage (~25% of incidents); Negligent: careless mistakes, policy violations (~56% of incidents); Compromised: credentials stolen, device hijacked (~19% of incidents).]
Malicious Insider
Deliberately exploits authorized access for personal gain, revenge, or ideology. Includes data theft, intellectual property exfiltration, sabotage, and espionage. Hardest to prevent because they already have legitimate access and knowledge of security controls.
Negligent Insider
No malicious intent but causes harm through carelessness, ignorance, or fatigue. Sending sensitive data to the wrong recipient, clicking phishing links, using weak passwords, leaving devices unlocked. Responsible for the majority of insider incidents. Training is the primary countermeasure.
Compromised Insider
An otherwise innocent employee whose credentials or device have been taken over by an external attacker. The insider is a victim but their access is the weapon. Detection requires behavioral analytics -- the account acts normally until it suddenly does not.
Cost Impact
Ponemon Institute 2023: average cost of an insider threat incident is $16.2M per organization per year. Negligent insiders are cheapest per incident ($6.6M average) but most frequent. Malicious insiders average $4.1M per incident but cause greater reputational damage. Containment takes an average of 86 days.
Slide 6 of 13
Insider Threat Indicators
Detection depends on recognizing patterns across behavioral, digital, and organizational signals before damage is done.
Behavioral Indicators
• Working unusual hours without justification
• Expressing disgruntlement or grievances about the organization
• Sudden interest in projects outside their scope
• Resistance to oversight or auditing
• Unexplained financial changes (sudden wealth or distress)
• Discussing resignation while increasing data access
Digital Indicators
• Accessing files or systems outside normal pattern
• Large or unusual data downloads or transfers
• Use of unauthorized USB drives or cloud storage
• Attempting to access restricted resources
• Disabling security tools or logging
• Emailing sensitive data to personal accounts
Organizational Indicators
• Upcoming termination or layoff (flight risk period)
• Passed over for promotion
• Disciplinary action or performance issues
• Contractor with access but low organizational loyalty
• Recent merger/acquisition creating job uncertainty
• Departing employee in notice period
Detection Strategy
No single indicator is proof of malicious intent. Insider threat programs use behavioral analytics (UEBA -- User and Entity Behavior Analytics) to establish baselines and detect anomalies. The key is correlating signals across categories: a disgruntled employee (behavioral) who starts downloading large datasets (digital) after being passed over for promotion (organizational) represents a converging risk pattern.
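As an added example (not from the deck), a Python sketch of the correlation idea: a UEBA-style baseline flags the digital signal from download volumes, and the three indicator categories are combined so that only multi-category convergence escalates. The users, signals and download histories are constructed; the z-score threshold and the watch/review/escalate ladder are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed signals (not real telemetry): (user, category, signal name).
# Categories are the deck's three: behavioral, digital, organizational.
SIGNALS = [
    ("jdoe", "organizational", "passed_over_for_promotion"),
    ("jdoe", "behavioral", "grievance_raised_with_hr"),
    ("asmith", "organizational", "notice_period"),
]

# Constructed daily download volumes in MB over 14 days; the last entry is the day under test.
DOWNLOADS_MB = {
    "jdoe":   [120, 95, 130, 110, 100, 125, 90, 115, 105, 120, 98, 110, 102, 4800],
    "asmith": [300, 280, 310, 295, 305, 290, 300, 285, 310, 300, 295, 305, 298, 320],
}

def download_anomaly(history, z_threshold=3.0):
    """UEBA-style baseline: flag today's volume if it exceeds mean + z * stdev of prior days."""
    baseline, today = history[:-1], history[-1]
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline) or 1.0  # avoid division by zero on a flat baseline
    z = (today - mean) / sd
    return z >= z_threshold, round(z, 1)

def correlate(signals, downloads):
    """Group signals by user and category, add the digital anomaly, score by category spread."""
    by_user = defaultdict(lambda: defaultdict(list))
    for user, category, name in signals:
        by_user[user][category].append(name)
    for user, history in downloads.items():
        flagged, z = download_anomaly(history)
        if flagged:
            by_user[user]["digital"].append(f"download_volume z={z}")
    # No single indicator is proof: escalation requires convergence across categories.
    ladder = {1: "watch", 2: "review", 3: "escalate"}
    report = {}
    for user, categories in by_user.items():
        report[user] = {
            "categories": sorted(categories),
            "level": ladder[len(categories)],
            "signals": dict(categories),
        }
    return report
```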
Policy Requirement
NIST SP 800-53 requires insider threat programs for federal systems (PM-12). CISA's Insider Threat Mitigation Guide recommends formal programs for all organizations. An effective program requires HR, IT Security, Legal, and Management working together -- it cannot be a purely technical solution.
Slide 7 of 13
Security Awareness Training
The primary countermeasure for human-element risk. But not all training programs are created equal.
[Diagram: continuous feedback loop -- Baseline assessment (measure current awareness level) -> Training delivery (role-based, engaging content) -> Phishing simulation (test under real conditions) -> Measure and report (click rates, report rates) -> Continuous improvement (adapt, repeat, reinforce) -> back to baseline assessment.]
What Works
Frequent, short modules (monthly micro-training). Role-based content (executives get BEC training, developers get secure coding). Gamification and competition. Positive reinforcement for reporting. Just-in-time training after a failed simulation. Simulations that mirror real threats the organization faces.
What Fails
Annual checkbox compliance training. Generic content not tailored to role or industry. Punitive responses to failed phishing tests (creates fear of reporting). Death-by-PowerPoint approach with no interactivity. No follow-up measurement. Training without executive participation sends the message that security is someone else's problem.
Evidence of Effectiveness
SANS 2023 Security Awareness Report: organizations with mature awareness programs see phishing click rates drop from 30-40% to under 5% within 12-18 months. However, training decay is real -- without reinforcement, click rates rebound within 4-6 months. Frequency matters more than duration.
Slide 8 of 13
Psychological Manipulation: Cialdini's Principles
Social engineers weaponize the same influence principles that marketers and leaders use ethically. Robert Cialdini identified six (now seven) principles of persuasion.
[Diagram: influence principles as used by a social engineer -- Authority ("I'm from IT"), Urgency ("Act NOW"), Social proof ("Everyone else did"), Reciprocity ("I helped you..."), Commitment ("You agreed to..."), Liking ("We're alike").]
Authority
People comply with requests from perceived authority figures. Attackers impersonate CEOs, IT directors, law enforcement, or auditors. "This is the CFO -- I need you to process this wire transfer immediately." The uniform, title, or email domain is the weapon.
Urgency / Scarcity
Time pressure bypasses critical thinking. "Your account will be locked in 30 minutes." Scarcity creates fear of loss. Under urgency, people skip verification steps they would normally follow. Nearly every phishing email uses urgency as a trigger.
Social Proof
People follow what others are doing. "The rest of your team has already updated their credentials." If the attacker can name specific colleagues who "complied," the target assumes the request is legitimate. Herding behavior overrides individual skepticism.
Defense Through Awareness
Teaching employees to recognize these manipulation techniques is the most effective countermeasure. When someone understands that urgency is a deliberate pressure tactic, they are more likely to pause and verify. The goal is not to make people suspicious of everything -- it is to create a "think before you act" reflex when influence principles are being applied to security-relevant decisions.
Slide 9 of 13
Case Studies: Twitter 2020 and Edward Snowden
Two defining incidents that illustrate social engineering and insider threats at the highest level.
Twitter Hack (July 2020) -- Social Engineering
What happened: Attackers compromised 130 high-profile Twitter accounts (Obama, Musk, Apple) to promote a Bitcoin scam, netting $120,000.

How: A 17-year-old coordinated phone-based social engineering (vishing) targeting Twitter employees. Attackers called employees pretending to be IT staff, directed them to a fake internal VPN page, and captured credentials. Once inside, they accessed internal admin tools.

Why it matters: No malware. No zero-days. No technical exploit. Pure social engineering. The attackers manipulated employees using authority ("I am from IT") and urgency ("VPN issue needs immediate attention"). Multi-billion-dollar company compromised by phone calls.

Policy lesson: Internal tools need the same access controls as external systems. Out-of-band verification for credential requests. Admin tool access should require hardware MFA.
Edward Snowden (2013) -- Insider Threat
What happened: NSA contractor Edward Snowden exfiltrated an estimated 1.5 million classified documents revealing mass surveillance programs, causing the largest intelligence leak in U.S. history.

How: Snowden had system administrator privileges as a contractor at an NSA facility in Hawaii. He used his legitimate access to copy classified materials onto thumb drives. He reportedly persuaded colleagues to share their login credentials by claiming he needed them for his sysadmin duties.

Why it matters: A single insider with privileged access and motivation caused catastrophic damage to national security. Technical controls (DLP, USB restrictions) and behavioral monitoring that existed were insufficient or improperly configured.

Policy lesson: Least privilege must apply to contractors and admins. Separation of duties for sensitive operations. USB port restrictions on classified systems. Insider threat monitoring for privileged users.
Common Thread
Both incidents demonstrate that technology alone cannot prevent human-element breaches. The Twitter hack exploited employee trust via social engineering. Snowden exploited legitimate access and social manipulation of colleagues. In both cases, the human was the attack vector that bypassed every technical control in place.
Slide 10 of 13
Building a Security Culture
Security culture is the shared attitudes, norms, and behaviors around security within an organization. It cannot be mandated -- it must be cultivated.
[Diagram: pillars of security culture -- leadership commitment, policies and procedures, training and awareness, reporting and feedback, continuous improvement.]
Tone from the Top
Culture flows downward. When the CEO participates in phishing simulations, follows clean desk policies, and visibly prioritizes security, employees follow. When leadership bypasses controls for convenience, employees learn that security is optional. Executive buy-in is not a nice-to-have -- it is the foundation.
No-Blame Reporting
Employees must feel safe reporting suspicious activity and security mistakes without fear of punishment. A no-blame culture dramatically increases incident reporting rates. If an employee who clicks a phishing link gets reprimanded, the next employee who clicks will hide it. Hidden incidents become breaches.
Reporting Mechanisms
One-click "Report Phishing" buttons in email clients. Anonymous tip lines. Clear escalation procedures. The easier it is to report, the more reports you get. Organizations with accessible reporting mechanisms detect incidents an average of 50% faster than those without.
Positive Reinforcement
Reward employees who report phishing attempts, identify tailgaters, or flag suspicious behavior. Recognition programs, gamification, and security champion designations within departments create peer-driven motivation. Punishment drives hiding; recognition drives vigilance.
Slide 11 of 13
Measuring Human Risk
What gets measured gets managed. Human risk metrics transform security awareness from a compliance checkbox into a strategic function.
Human Risk Metrics Dashboard (sample values): phishing click rate 4.2% (target: < 5%); phishing report rate 72% (target: > 70%); average time to report 8 min (target: < 5 min); SAT completion rate 94% (target: > 95%); repeat offenders 1.8% (target: < 3%); risk score trend: 6-month downtrend.
Metric | What It Measures | Why It Matters
Phishing Click Rate | % of employees who click simulated phishing links | Direct measure of susceptibility. Industry benchmark: 2-5% is good.
Report Rate | % of employees who report simulated phishing | More important than click rate. High report rate = engaged security culture.
Time to Report | Minutes between email delivery and first report | Speed of detection. Faster reports = faster containment of real attacks.
SAT Completion | % of employees who complete security awareness training on time | Compliance baseline. Below 90% indicates management enforcement gaps.
Repeat Offenders | % of employees who fail multiple simulations | Identifies individuals needing targeted intervention or role reassignment.
Risk Score Trend | Composite score tracked over 6-12 months | Shows whether the program is improving organizational resilience over time.
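As an added example (not from the deck), Python that derives the dashboard metrics from phishing-simulation records using the definitions in the table, then evaluates each against the dashboard targets. Employee names, campaign results and the on-time SAT completion set are constructed; the target thresholds are the ones shown on the dashboard.

```python
from collections import Counter
from statistics import mean

# Constructed simulation records (not real data). For each campaign and employee:
# (minutes from delivery to click or None, minutes from delivery to report or None).
CAMPAIGNS = {
    "2024-Q1": {"alice": (None, 3), "bob": (3, None), "carol": (None, 9),
                "dave": (None, 12), "erin": (9, 20)},
    "2024-Q2": {"alice": (None, 4), "bob": (2, None), "carol": (None, 15),
                "dave": (None, 6), "erin": (None, 7)},
}
EMPLOYEES = ["alice", "bob", "carol", "dave", "erin"]
SAT_COMPLETED_ON_TIME = {"alice", "bob", "carol", "dave"}  # erin is overdue (constructed)

# Targets from the dashboard: (direction, threshold in % or minutes).
TARGETS = {
    "click_rate": ("<", 5.0),
    "report_rate": (">", 70.0),
    "avg_time_to_report_min": ("<", 5.0),
    "sat_completion": (">", 95.0),
    "repeat_offenders": ("<", 3.0),
}

def pct(numerator, denominator):
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0

def compute_metrics(campaigns, employees, sat_done):
    """Derive the dashboard metrics from raw simulation results."""
    deliveries = [(user, result) for c in campaigns.values() for user, result in c.items()]
    clicks = sum(1 for _, (click, _r) in deliveries if click is not None)
    reports = sum(1 for _, (_c, report) in deliveries if report is not None)
    # Time to report: delivery to the FIRST report in each campaign, averaged over campaigns.
    first_reports = []
    for c in campaigns.values():
        times = [report for _c, report in c.values() if report is not None]
        if times:
            first_reports.append(min(times))
    # Repeat offenders: employees who clicked in two or more campaigns.
    fails = Counter(user for user, (click, _r) in deliveries if click is not None)
    repeat = sum(1 for n in fails.values() if n >= 2)
    return {
        "click_rate": pct(clicks, len(deliveries)),
        "report_rate": pct(reports, len(deliveries)),
        "avg_time_to_report_min": round(mean(first_reports), 1) if first_reports else None,
        "sat_completion": pct(len(sat_done & set(employees)), len(employees)),
        "repeat_offenders": pct(repeat, len(employees)),
    }

def evaluate(metrics, targets=TARGETS):
    """Map each metric to (value, target_met) using the dashboard's direction and threshold."""
    result = {}
    for name, (direction, threshold) in targets.items():
        value = metrics[name]
        met = value is not None and (value < threshold if direction == "<" else value > threshold)
        result[name] = (value, met)
    return result
```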
Slide 12 of 13
Key Takeaways
The human factor is not a problem to be solved -- it is a risk to be continuously managed through policy, culture, and measurement.
1 74% of breaches involve a human element. Technology alone cannot solve a human problem. Every security strategy must account for how people actually behave, not how policy says they should.
2 Social engineering exploits trust, authority, urgency, and reciprocity. Pretexting, baiting, quid pro quo, and tailgating bypass technical controls by targeting the human operating system.
3 Phishing remains the dominant initial attack vector. Spear phishing, whaling, BEC, vishing, and smishing each require different awareness training approaches. One-size-fits-all training misses the mark.
4 Insider threats come in three forms: malicious, negligent, and compromised. Negligent insiders cause the majority of incidents. Detection requires correlating behavioral, digital, and organizational indicators.
5 Security awareness training works -- but only when it is frequent, role-based, measured, and reinforced. Annual compliance training without follow-up creates false confidence, not real resilience.
6 Cialdini's influence principles (authority, urgency, social proof, reciprocity, commitment, liking) are the attacker's playbook. Teaching employees to recognize these triggers is the strongest inoculation.
7 Security culture must be built from leadership down. No-blame reporting, positive reinforcement, and visible executive participation are the pillars. Punitive cultures drive incident hiding.
8 Measure human risk with phishing click rates, report rates, time to report, SAT completion, repeat offenders, and composite risk scores. What gets measured gets managed -- and improved.
What Comes Next
These concepts connect directly to policy development. When you write an acceptable use policy, you are addressing negligent insiders. When you mandate phishing simulations, you are measuring human risk. When you establish a reporting hotline, you are building security culture. The human factor is not a chapter in cybersecurity -- it is the substrate on which every other chapter is built.
Slide 13 of 13  |  Complete
Presentation Complete
The Human Factor -- 13 slides
Social Engineering  •  Phishing  •  Insider Threats  •  Threat Indicators  •  Security Awareness  •  Cialdini's Principles  •  Case Studies  •  Security Culture  •  Human Risk Metrics
CIS2208 Cybersecurity Policy Week 2