In the article “Cybersecurity’s Human Factor: Lessons from the Pentagon”, the authors describe six interconnected principles that the Navy uses to help contain the impact of human error. These safeguards are integrity, depth of knowledge, procedural compliance, forceful backup, a questioning attitude, and formality in communication.
I believe that it is extremely important to have safeguards like these and redundancy protocols in place to make sure that nothing can go wrong. Having one person closely monitored by another to make sure everything is correct is crucial, because you then have two sets of eyes and ears. Your personnel also need to have a trusting relationship and must not be afraid to speak up when they notice something is wrong. If someone is worried that there will be consequences for speaking up, it could create vulnerabilities and problems in the future. Employees should not be prosecuted for speaking up when there is a problem; they should be rewarded.
In the article “Measuring the Human Factor of Cyber Security”, I believe that it is important to have proper security training for employees. For example, the phony-phish system that was used to send test messages to users is a great way to train people to spot malicious emails. We recently had a phishing email test that was created by our IT Security team and sent out to IITS employees. The security team used a program to create a fake phishing email with a clickable link to a supposedly “malicious” site. They sent it to all IITS staff, and the security team could track whoever clicked the link. I was actually one of the staff members who clicked the link, because it looked pretty authentic. Once I clicked the link, it brought me to a page that said “You have just participated in a malware study in your department”. It then explained ways to spot malicious emails and why not to click the links. I talked with our security team to make sure it was from them, and they confirmed it was a test.
A test like this could help users spot malware, but it could also cause distrust of legitimate emails sent out by IITS that contain important information. This method has benefits, such as showing users that malware does exist, but it also has the downside of causing distrust of legitimate emails that could be sent out in the future.
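The click-tracking mechanics of the exercise described above, as an added example that is not code from the original post or from any IT Security team: each recipient gets a link carrying an opaque HMAC token (so no name or e-mail is exposed in the URL), a click is resolved back to the recipient and recorded once, the landing page immediately identifies the message as a training exercise, and click rates are summarised per department. The roster, key and department names are constructed for illustration.

```python
import hmac
import hashlib
from typing import Dict, Optional, Set
from urllib.parse import urlencode

# Constructed roster for the exercise: user id -> department (not real people)
ROSTER: Dict[str, str] = {"u001": "IITS", "u002": "IITS", "u003": "Library"}

# Text shown on the landing page; it states up front that this was a test,
# which is what lets a recipient confirm the message with the security team.
LANDING_TEXT = ("You have just participated in a phishing awareness exercise in "
                "your department. Check the sender address, hover over links "
                "before clicking, and report suspicious mail to IT Security.")


def make_token(user_id: str, key: bytes) -> str:
    """Opaque per-recipient token: HMAC-SHA256 of the user id under a secret key.
    The URL reveals nothing about the recipient, but the team holding the key
    can map a click back to the person that link was sent to."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:32]


def tracking_url(user_id: str, key: bytes,
                 base: str = "https://awareness.example.internal/t") -> str:
    """Link embedded in the simulated message (hostname is a placeholder)."""
    return f"{base}?{urlencode({'t': make_token(user_id, key)})}"


def resolve_token(token: str, key: bytes) -> Optional[str]:
    """Reverse lookup by recomputing each recipient's token (constant-time compare)."""
    for uid in ROSTER:
        if hmac.compare_digest(make_token(uid, key), token):
            return uid
    return None  # forged or mangled token: not attributed to anyone


def handle_click(token: str, key: bytes, clicks: Set[str]) -> str:
    """Record the click (a second click by the same person is not double-counted)
    and return the educational landing-page text."""
    uid = resolve_token(token, key)
    if uid is None:
        return "Unknown link."
    clicks.add(uid)
    return LANDING_TEXT


def click_rate_by_department(clicks: Set[str]) -> Dict[str, float]:
    """Fraction of each department's recipients who clicked."""
    sent: Dict[str, int] = {}
    clicked: Dict[str, int] = {}
    for uid, dept in ROSTER.items():
        sent[dept] = sent.get(dept, 0) + 1
        clicked[dept] = clicked.get(dept, 0) + (1 if uid in clicks else 0)
    return {dept: clicked[dept] / sent[dept] for dept in sent}
```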
In the article “A Model For Positive Change: Influencing Positive Change in Cyber Security Strategy, Human Factor, and Leadership”, the author describes more phishing-exercise emails that were sent out to employees for security awareness. I believe that it is important for every employee to understand that it takes only one person clicking a malicious link to cause the infection of numerous computers in a company. It should be mandatory for all users to take a security class or online module so that everyone is aware that the human factor of security is just as important as the cyber factor.