Blunting the Phisher’s Spear: A risk-based approach for defining user training and awarding administrative privileges

People today are the weakest links in cybersecurity. Solving the “people problem” of cyber security requires us to understand why people fall victim to spear phishing. Unfortunately, the only proactive solution against spear phishing is to train and educate people. But, judging from the number of continued breaches, training appears to be limited in its effectiveness. Today’s leading cybersecurity training programs focus on hooking people in repeated simulated spear phishing attacks and then showing them the nuances in the emails they missed. This “gotcha game” presumes that users merely lack knowledge, and if they are told often enough and repeatedly shown what they lack, they would become better at spear phishing detection. We propose a radical change to this “one-size-fits all” approach. Recent human factors research—the Suspicion, Cognition, Automaticity Model (SCAM)—identifies two independent sets of factors that lead to individual phishing victimization: users’ cognitive processing schemas premised on their perceptions about the safety of online behaviors, and their habits and patterns borne out of repeated, ritualistic behaviors influenced by work culture and the types of devices people use to connect and communicate. Using the SCAM, we propose the development of an employee Cyber Risk Index (CRI). Similar to how financial credit scores work, the CRI will provide security analysts the ability to pinpoint the weak-links in organizations and identify who is likely to fall victim, who needs training, how much training, and also what the training should focus on. The CRI will also allow security analysts to identify which users get administrative access, replacing the current mostly binary, role-based apportioning method, where individuals are given access based on their organizational role and responsibilities, with a system that is based on individuals’ quantified cyber risk propensity. The CRI based approach we present will lead to individualized, cognitive-behavioral training and an evidence-based approach to awarding users’ admin privileges. These are paradigm-changing solutions that will altogether improve individual cyber resilience and blunt the effectiveness of spear phishing.