Designing a Cyber Risk Strategy for the Human Operating System
Session: 4232
Universal Studios Orlando parking lot example
• What does this have to do with cybersecurity?
Let’s begin with a familiar story…
Start with the story… wire transfer
• Humans are the weakest link… 3 elements… FBI… wire transfer…
Source: Centrify
Why did the VP of Finance fall for it?
• Trust
• Authority
• Oversharing (TMI)
Source: Proofpoint Protecting People (Summer 2018)

• Trust – 90% of attacks use some form of display name spoofing
• Authority – 48% of email fraud scams include “payment,” “request,” and/or “urgent” in the subject line
• Oversharing – 30% increase in phishing links via social media platforms
Source: Proofpoint Protecting People (Summer 2018)
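The two statistics above (display name spoofing and pressure words in the subject line) translate directly into inbound mail checks a defender can run. The following is an added example, not code from the presentation or from Proofpoint: it screens a few constructed messages for a protected display name arriving from an unknown mailbox or an external domain (the "Trust" lever) and for the subject keywords cited above (the "Authority" lever). The organisation domain, the protected-name directory and the sample messages are all assumptions made for the example.

```python
import re
from email.utils import parseaddr

# Constructed assumptions for this example: the organisation's own domain and
# a small directory of executives worth protecting (display name -> real mailbox).
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe": "jane.doe@example.com"}

# Subject-line tokens the presentation cites as common in email fraud.
AUTHORITY_KEYWORDS = ("payment", "request", "urgent")


def normalize_name(name):
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return re.sub(r"\s+", " ", name).strip().lower()


def check_display_name(from_header):
    """'Trust' lever: a protected display name on an address we do not know
    for that person, or on a domain outside the organisation."""
    findings = []
    name, addr = parseaddr(from_header)
    key = normalize_name(name)
    if key not in PROTECTED_NAMES:
        return findings
    known = PROTECTED_NAMES[key]
    if addr.lower() != known:
        findings.append(f"display name '{name}' does not match known mailbox {known}")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain != ORG_DOMAIN:
        findings.append(f"protected display name sent from external domain '{domain}'")
    return findings


def check_subject(subject):
    """'Authority' lever: pressure words in the subject line."""
    found = [kw for kw in AUTHORITY_KEYWORDS if kw in subject.lower()]
    if not found:
        return []
    return [f"subject contains pressure keyword(s): {', '.join(found)}"]


def screen_message(msg):
    """Return the findings and a simple score (one point per finding) for one message."""
    findings = check_display_name(msg["from"]) + check_subject(msg["subject"])
    return {"id": msg["id"], "findings": findings, "score": len(findings)}


# Constructed sample messages; not real traffic.
SAMPLE_MESSAGES = [
    {"id": 1, "from": "Jane Doe <jane.doe@example.com>", "subject": "Q3 planning notes"},
    {"id": 2, "from": "Jane Doe <jane.doe.ceo@mail-example.net>", "subject": "URGENT wire transfer request"},
    {"id": 3, "from": "Vendor Billing <billing@supplier-example.org>", "subject": "Payment reminder"},
]


def screen_all(messages=SAMPLE_MESSAGES):
    return [screen_message(m) for m in messages]


if __name__ == "__main__":
    for result in screen_all():
        print(result)
```

The score is only a triage aid: message 2 trips all three checks (unknown mailbox, external domain, two pressure words) and would be the one routed to a reviewer, while message 3 carries a single keyword hit and is best handled by the recipient's own scepticism rather than a block rule.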
“Humans are the weakest link”
Human Operating System (HumanOS)
• Operating System – software that controls and manages a computer’s hardware resources
• Human Operating System – the composition of how a human senses, processes, and transfers information, telling us how to work and driving our actions and behavior
Why does the HumanOS need to be considered in cybersecurity?
Our current approach to cybersecurity…
• Operational Perspective – focus on building cyber defenses
• Attack Perspective – understanding the attack target (computer system) and vector/method (e.g., RAT, ransomware, DDoS)
How effective has this approach been?
Prykarpattia
In each of these breaches, there existed at least one human touchpoint that was used to penetrate and exploit networks and systems. 93% of all breaches are attacks targeting people (Verizon 2018 DBIR).
Why is there such a disconnect?
How we look at our architecture
Source: VMware vSphere
IT Security Investments
• Network: 62%
• Endpoint: 18%
• Web: 12%
• Email: 8%
Source: Gartner (2017)
Our current Defense-in-Depth strategy
Network
System
Application
Data
How they look at our architecture
Sophie Hart – Action Officer for Global EVP, Equinox
“I’m a supply chain exec connecting customers with innovative products to enhance their fitness lifestyle”
• Twitter: @F1tnessD1va
• Instagram: @F1tnessD1va
• Pet Name: Chloe (Siberian husky)
• Hobbies: Cooking south Asian food; SoulCycle; Horoscope geek
• Volunteer: Youth mentor at La Jolla YMCA
• Favorite Hangout: Grass Skirt
• Personality Traits: Extrovert; Fashionista
• High School: San Marcos Knights
Sophie Hart: A Divulger of Too Much Info
…And a Victim of TMI
• Email Inbox Traffic: ~423 emails
• Always on: Phone is first and last look
• Connections: 1,753 (LION)
• Conferences Attended: 20 in 2018
• Speaking Engagements: 8 in 2018
• Project Teams: leads 1; participates in 5
• Mailing Lists: fitness/fashion - 5; motivational - 2; learning - 3
How should we reframe our approach?
A modified (human-centric) Defense-in-Depth strategy
HumanOS
What does Defense-in-Depth look like for the HumanOS?
• Incorporate the HumanOS into cyber risk management initiatives
ꟷ Critical assets and most vulnerable assets
• Curate technical and operational controls for the HumanOS
ꟷ Human Defense
ꟷ Machine Defense
ꟷ Behavior Monitoring
• Change behavior and culture
ꟷ Education and continued learning
ꟷ Communications plan
• Trust
• Authority
• Oversharing (TMI)
Source: Proofpoint Protecting People (Summer 2018)
You have more influence over the HumanOS than you think
Future IT Security Investments*
• HumanOS
• Network
• Endpoint
• Web
Sources: VMware vSphere; Gartner (2017)
*: Percentages are for illustrative purposes only
Let’s continue the conversation…
Masseh Tahiry | Risk Strategist
Caitlin Durkovich | Director
https://www.tofflerassociates.com/contact/
Building a Resilient HumanOS