By Calvin Nobles
The Anti-Phishing Working Group recently reported that banks account for approximately 20% of successful phishing attacks, a form of cognitive hacking, and consistently rank in the top five industries for phishing attacks (APWG, 2020). It is important to note that cognitive attacks are engineered so that employees aid cybercriminals or hackers in executing the cognitive attack—in which employees are oblivious to contributing to the attack. Without a doubt, human weaknesses and limitations remain a viable attack vector for cybercriminals. Further compounding the issue is that human factors are undervalued and underutilized in cybersecurity (Nobles, 2018).
What exactly is the human factor? Human factors as a scientific field is “….a multidisciplinary effort to generate and compile information about human capabilities and limitations and apply that information to equipment, systems, facilities, procedures, jobs, environments, training, staffing, and personnel management for safe, comfortable, and effective human performance,” (FAA Human Factors, 1993). Simply put, human factors engineering is a scientific approach to improve system design to optimize human behavior and human performance while interacting with information systems, technologies and digital platforms. At issue is the lack of human factors initiatives in cybersecurity.
A significant threat to businesses’ cybersecurity strategy is the human element since humans are the largest vulnerability that adversely impacts information security, data privacy and data management. Even though human factor engineering is emerging in cybersecurity, domains such as aviation, nuclear power/energy, and health care leverage human factors initiatives to prevent catastrophic events and reduce human-based risk. Cybersecurity is plagued by human behavior, human performance issues, and human errors and mistakes.
A growing phenomenon in cybersecurity is hackers transitioning from attacking hard targets (systems and technologies) to assaulting soft targets—the human mind (Bone, 2017). Humans are the weakest link or largest vulnerability in cybersecurity (Bone, 2017). Unfortunately, in today’s cybersecurity environment, the absence of cognitive scientists and human factors practitioners to investigate and reduce high friction points around human performance and behavior (National Security Agency, 2015). This significant oversight enables hackers to wreak havoc on people due to the lack of mitigative solutions.
In this new era of cybersecurity, cognitive hacking relies on modifying human user’s viewpoints and subsequent behavior to execute the hack successfully (Bone, 2017). Cognitive hacking is synonymous with phishing, spear phishing and social engineering (Bone, 2017). The complexity of cognitive hacking continues to advance while malicious actors leverage many delivery mechanisms to deceive users cognitively. Given the absence of human factor practices in cybersecurity, the increasing use of cognitive hacks further compounds and places businesses at a disadvantage—especially since humans as the largest vulnerability.
The AFP 2021 session, “Human Factors: The Greatest Threat to Your Cybersecurity Strategy,” provides a high-level perspective on cognitive attacks and the need for human factors initiatives to reduce human-based risk factors in cybersecurity. This session is essential to treasury and finance professionals because the financial/banking industry constantly faces a bombardment of social engineering and cognitive attacks, ranking consistently in the top three most targeted industries (Nobles, 2021).
Three major challenges impacting the advancement of human factors as a scientific discipline in cybersecurity are:
- Senior managers require more awareness of human factors as a scientific discipline and the associated business values.
- Fundamentally, human factors education is missing from degree and certification programs.
- Human factors practitioners are omitted from the cybersecurity workforce.
Key takeaways from this session are an increased need for human factors initiatives and an extensive focus on the human element to counter cognitive attacks in cybersecurity. Senior managers must grasp the significance of human factors as a scientific discipline and work to partner and integrate human factors practitioners into cybersecurity operations. In addition, working with senior leaders to understand the business value of human factors in cybersecurity can help reduce high friction areas in human performance and underutilization of human factors.
Don’t miss Calvin Nobles and Linda Cascardo’s AFP 2021 session, “Human Factors: The Greatest Threat to Your Cybersecurity Strategy,” and check out all the sessions on the AFP 2021 SESSION EXPLORER. Register for the conference HERE.
Anti-Phishing Working Group [APWG]. (2020). Anti-phishing Activity Trends Report, 4th
Quarter 2020. Retrieved from https://apwg.org/trendsreports/
Bone, J. (2017). Cognitive Hack: The New Battleground in Cybersecurity... the Human
Mind. CRC Press.
FAA Human Factors Policy. (1993, October 27). Retrieved from
National Security Agency (2015). Science of Security (SoS) Initiative Annual Report 2015.
Retrieved from http://cpsvo.org/sos/annualreport2015
Nobles, C. (2021). Banking Cybersecurity Culture Influences on Phishing Susceptibility
(Doctoral dissertation, Temple University).