Student Number: 202040666
Individual AssignmentCourse: 600556_A20_T1: Cybersecurity and Organisational Resilience
. Word Count: 1922
Human Factors to Cybersecurity
List of Contents
List of Contents………………………………………………………………………………..1
Introduction………………………………………………………………………………...….2
General Social Engineering……………………………………………………………………3
Attack Vectors…………………………………………………………………………………4
Conclusion……………………………………………………………………………………..6
References……………………………………………………………………………..………6
1
�Student Number: 202040666
Individual AssignmentCourse: 600556_A20_T1: Cybersecurity and Organisational Resilience
. Word Count: 1922
Introduction
In the world of cybersecurity or cyberspace, data and information on various
corporations and the market that they operate in can be found simply by typing down their
name, not only in Google but on other platforms where they have established a network that
enables them to contact their customers and other entities that have a direct engagement with
the business. Nowadays the use of the internet, also called the “Internet of Things”, have
become so common in business because they require data and information on the market and
their competitors. Note that in a business, almost all of the employees have access to certain
information that is stored in the company’s database, if they have one that is, and with only to
an extent of their level of clearance to the data that is stored. Each and every one of the
employees are from various backgrounds which might influence they work as well because
not everyone in an organisation works the same way, in the same pace or even if they are fit
for tasks that were assigned to them. It really comes down to management that monitors their
employees’ behaviours and performance throughout the period of their completion of their
tasks but there are some studies which counter that method of engagement with the
employees (Hadlington, 2017). Therefore, there are some ethical borderlines that companies
must consider not crossing to avoid any backlashes coming from the employees whose rights
have been violated or from labour groups that those employees might have affiliations with
which could potentially result in negative impacts towards the economy. Hadlington, (2017)
stated that human behaviour is at risk in being tempered by the frequent usage of the internet
which blurs their perspective of reality which makes them do unspeakable things or behave
erratically towards other people that are around them. Deducing from that, people need to be
monitored at times such as these in order to project what sort of behavioural trend might
show up during working hours where it’s vital to stay focused and keep cool in situations
where there are a lot of pressure that could amplify their erratic behaviour to a point where
they have to leave their workplace which could hinder progress. As Nobles, (2018) stated,
human behaviour in an organisation does not always come first when it comes to structuring
and forming business strategies which could lead to more serious scenarios that are harder to
get out of as an organisation because, as mentioned previously, it could affect third party
stakeholders. Beyond this point, businesses and private corporations tend to get into further
2
�Student Number: 202040666
Individual AssignmentCourse: 600556_A20_T1: Cybersecurity and Organisational Resilience
. Word Count: 1922
training in order to familiarise themselves more with countering erratic employee behaviours
around entries of data such as their own workspaces. Furthermore, businesses also work
together or buy products from cybersecurity companies such as HBGary that usually sells
products to the US Federal Government and other private companies (Gyunka and Christiana,
2015).
General Social Engineering
However, the safety and security for any institutions or even cybersecurity
companies, such as HBGary, cannot always be invulnerable to cyberattacks due to the fact
the existence of insider threats caused by their own employees because of what is know as
general social engineering (Gyunka and Christiana, 2015). Such attacks are difficult to
anticipate because it involves with a multitude of methods or ways an attack could occur to
anyone in the company; these attacks usually show up as everyday things but with malicious
contents that hide within them to make it harder for the average employee to notice them
(Aldawood and Skinner, 2019a). The perpetrators not only have extensive knowledge on
cybernetics or computing but they are likely to also have extensive knowledge in human
behaviour in society which gives them the ability to deceive people and manipulate their train
of thought even when they are fully conscious of what they are doing, therefore many of
these insider threats are rendered as unintentional (Hatfield, 2018). It can be deduced that the
cybercriminals have transcended in their exploitations by shifting their focus from the
technical side of the attacks, on computer systems and cyber networks, and more towards the
social side of the attacks which targets humans and their psyche (Aldawood and Skinner,
2019b). Although, there are some similarities between hacking into a computer system and
hacking into a person’s psyche, even from the terms themselves they are about the same,
where the only difference is that computer systems are non-living and synthetic unlike
humans, so it is easier to hack into and track because it is made and meddled with by humans.
While humans are the sophisticated creations of God that have evolved for the past thousands
of years, our psyches have also evolved since then, thus enabling us to critically analyse and
elaborate on our senses and perspectives; which makes it a taxing in-depth learning process to
3
�Student Number: 202040666
Individual AssignmentCourse: 600556_A20_T1: Cybersecurity and Organisational Resilience
. Word Count: 1922
master the practice of manipulation and deception by deciphering the human mind and their
vulnerabilities (Okenyi and Owens, 2007). A process that could prevent human hacking is as
difficult as it sounds; computer systems have their own protective barrier which blocks off
malicious digital entities from penetrating through the system such as a firewall, on the other
hand, humans have it differently which is mostly built from experiences that they had with
similar situations that makes them more cognitively aware of what happens in front of them
(Okenyi and Owens, 2007).
When it comes to decision making at a managerial level, an easily implementable
solution would be to introduce a cybersecurity system that monitors and tracks employees’
digital footprints whenever they are scouring through the company’s database; however, it is
not sufficient to fully prevent insider threats from escalating even further. Training programs
on cybersecurity awareness yields better results in de-escalating insider threats by directly
informing the employees of its danger and the deceptive ways the perpetrator conducts their
malicious intents by sneaking in misleading data or gateways to malicious software that could
attack the integrity of the company’s database (Aldawood and Skinner, 2019b). Regardless of
how effective those strategies are, there is one main factor which limits extensive
implementations of the mentioned strategies which is money (Okenyi and Owens, 2007).
Attack Vectors
There are many means that allow entry of malicious software into computer systems
owned by businesses such as through espionage, installation of a backdoor route by installing
a hardware directly into the computer system which allows direct entry and eventually
gaining full control over the system. These are just the general terms of attacks on
invulnerabilities in the system; digging deeper into the spectrum of cyberattacks, a
cyberattack does not happen all at once but it happens step-by-step with different procedures
that has their own sequence of events leading to faults in each and every one of the
invulnerabilities that have been affected by the series of attack vectors. In order for a
cyberattack to be successful, it has to gain entry on the different stages of invulnerabilities
4
�Student Number: 202040666
Individual AssignmentCourse: 600556_A20_T1: Cybersecurity and Organisational Resilience
. Word Count: 1922
that are unique to each other. It takes a surmount of time and effort to pull off a successful
attach because these attack vectors can be countered easily if detected by the computer
system’s own malware scanner. Before getting into a massive system breach, there is a series
of attack vectors which come in a chronological order with each of them opening or
accessing the different parts of the main computer system owned by a company (Khera,
2017). One of the attack vectors is the misconfiguration of the default settings, or settings that
were not configured correctly, of the computer system’s network which allows passage for
more attack vectors to occur on later stages of entering the main system. Afterwards, another
attack vector would be to gain clearances in order for the perpetrators to fully explore what is
around the cyberspace that is within the main computer system and also allowing them to
further reach beyond what is in the main system but other networks as well that are connected
to it which is known as a Kernel Flaw. What follows after that would be a buffer overflow
which is basically the tempering of codes in the system that, when executed, will cause faults
on other operations that is outside of the main system. Lastly, it is where everything is let
loose; the integrity of the main system and the database that is connected to it has been
neutralised, failures of nodes that are connected to the same network as the main system
causing widespread disturbances on several other operations, and finally the inaccessibility to
vital data or even the system which were accessible at the level of administration. With the
entire system compromised, unpredictable events could unfold because they are now in the
hands of the perpetrators that infiltrated their system after completing those different
breaches. Naturally and according to the procedures, during situations like this the company
would try to gain back control of the system by decrypting the path that the perpetrators have
made into the system to cut their connection entirely (Nag, Dasgupta and Deb, 2014).
In many of these cases, the very first event, which leads to the series of attack
vectors, are usually planned out accidents that involve in being brought into the system
without being noticed such as being carried inside of USB hard drives which are then inserted
into one of the nodes in the entire system network or when one of the nodes’ users, an active
employee in the company that have no affiliations with the perpetrators, accidentally clicks
on malicious contents on the web; which is commonly known as an unintentional insider
threat(UIT). Now these people who suddenly got themselves involved usually have non-
malicious intents towards the company or those who work around him because they just
5
�Student Number: 202040666
Individual AssignmentCourse: 600556_A20_T1: Cybersecurity and Organisational Resilience
. Word Count: 1922
happen to accidentally give access to the perpetrators by interacting with everyday things
which happened to malicious contents that are disguised as everyday things. It does not only
happen in the employees’ designated workplace but it could also occur at home or on their
way to work by interacting with phishing sites that the user has failed to notice. (Greitzer et
al., 2014). Awareness of their surroundings are greatly influenced by their cognitive ability
that they have manifested throughout their working experiences in the company, therefore
having a bad working environment could easily stress the employee and deteriorate their
cognitive ability (Greitzer et al., 2014)
Conclusion
To sum things up, it can be deduced that the attack on corporations, no matter the
size, are usually done by insider threats instead of espionage done by an external entity
because it is one of the easiest forms of breaching the system. What makes it easy is the fact
that the ones who initiated the sequence of cyberattacks are the employees working in the
company by having to accidentally give the perpetrators access into their system. This is
because they are humans in the end, with an extremely vulnerable psyche, compared to that
of a computer system with a very strong firewall installed, that can be easily manipulated by
the practice of social engineering. Nevertheless, people in an organisation will find come up
with innovative ideas to ensure a positive outcome whenever they are in the face of an
incoming catastrophe which is their organisational resilience. It all comes down to the
decisive actions at the managerial level which heavily influences the performance and the
awareness of the risks and signs of cyberattacks within the company because there is no other
way to instil precautionary measures that will reach out to everyone in the company.
References
Aldawood, H. and Skinner, G. (2019a) ‘An academic review of current industrial and commercial
cyber security social engineering solutions’, ACM International Conference Proceeding Series, pp.
110–115. doi: 10.1145/3309074.3309083.
Aldawood, H. and Skinner, G. (2019b) ‘Educating and Raising Awareness on Cyber Security Social
6
�Student Number: 202040666
Individual AssignmentCourse: 600556_A20_T1: Cybersecurity and Organisational Resilience
. Word Count: 1922
Engineering: A Literature Review’, Proceedings of 2018 IEEE International Conference on
Teaching, Assessment, and Learning for Engineering, TALE 2018, (December), pp. 62–68. doi:
10.1109/TALE.2018.8615162.
Greitzer, F. L. et al. (2014) ‘Unintentional insider threat: Contributing factors, observables, and
mitigation strategies’, Proceedings of the Annual Hawaii International Conference on System
Sciences, pp. 2025–2034. doi: 10.1109/HICSS.2014.256.
Gyunka, B. A. and Christiana, A. O. (2015) ‘Analysis of human factors in cyber security : A case
study of anonymous attack on HBgary’, Computing and Information Systems, 2, pp. 10–19. Available
at: http://cis.uws.ac.uk/research/journal.
Hadlington, L. (2017) ‘Human factors in cybersecurity; examining the link between Internet
addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours’, Heliyon,
3(7), p. e00346. doi: 10.1016/j.heliyon.2017.e00346.
Hatfield, J. M. (2018) ‘Social engineering in cybersecurity: The evolution of a concept’, Computers
and Security, 73, pp. 102–113. doi: 10.1016/j.cose.2017.10.008.
Khera, M. (2017) ‘Think Like a Hacker: Insights on the Latest Attack Vectors (and Security Controls)
for Medical Device Applications’, Journal of Diabetes Science and Technology, 11(2), pp. 207–212.
doi: 10.1177/1932296816677576.
Nag, A. K., Dasgupta, D. and Deb, K. (2014) ‘An Adaptive Approach for Active Multi-Factor
Authentication’, 9th Annual Symposium on Information Assurance, pp. 39–47. Available at:
http://www.albany.edu/iasymposium/proceedings/2014/ASIA14Proceedings.pdf#page=49.
Nobles, C. (2018) ‘Botching Human Factors in Cybersecurity in Business Organizations’,
HOLISTICA – Journal of Business and Public Administration, 9(3), pp. 71–88. doi: 10.2478/hjbpa-
2018-0024.
Okenyi, P. O. and Owens, T. J. (2007) ‘On the anatomy of human hacking’, Information Systems
Security, 16(6), pp. 302–314. doi: 10.1080/10658980701747237.
