Cybersecurity: how to involve people in risk mitigation?

Cefriel presented the white paper “Cyber Security and the Human Element”, an in-depth look at how to analyze and understand the connections between the human element and cybersecurity for a new approach to risk mitigation.

As part of the European projects CYRUS and SEC-AIRSPACE, Cefriel, a digital innovation center founded by Politecnico di Milano, published the new white paper “Cyber Security and the Human Element – Risks and mitigation interventions, starting from people”. The text – by Enrico Frumento, Cybersecurity Research Lead at Cefriel – explains why people are required to become aware of their role in corporate defense and protection mechanisms and how to intervene so that they can actively participate in the prevention and mitigation of cyber-attacks.

The emerging threat related to artificial intelligence is accompanied by gaps in cyber management that have not yet been fully closed, especially in the supply chain and in OT and IoT environments. Comparing the level of maturity in the various sectors with the percentage of cyber-attacks recorded in Europe and Italy in the first half of 2023 shows that the Public Administration sector is still the most affected, recording 19% of attacks in Italy and 23% in Europe. Also significant is the number of attacks suffered by the industry sector in Italy (17%), more than double the European average (7%), demonstrating that much remains to be done on cybersecurity in industry. According to the Netconsulting report, the critical factors requiring intervention are training and the resources allocated to IT security investments. Those resources are not always sufficient, although they are growing by more than 12% per year.

Why should you start from the human element in cybersecurity strategies?

At present, a large part of the cybersecurity market focuses on the technical aspects of an attack, while little work is done on the so-called “human element”. The latter plays a central role according to the World Economic Forum’s Global Risk Report, given that risks related to people’s behavior account for almost 95% of the total.

Enrico Frumento, Cybersecurity Research Lead at Cefriel, explains: “In cybersecurity people are too often blamed when a cyber incident occurs, as if they were just another source of cyber risk to be dealt with. But people are not computer systems; hence, they need specific solutions. We should start by asking ourselves how a threat analysis can be carried out on people, how a company can calculate the cyber risk related to a person, and how many effective ways there are to reduce it. In general, how can you rethink security starting from the so-called human element? That’s what we thought about when we wrote this white paper.”

What approach should you take to defend and protect your business?

As explored in the white paper, people must be an integral and active part of the corporate defense and protection process, with the ultimate goal of inducing a stable behavioral change in people. To do this, the “human element” issue of cybersecurity needs to be addressed with a multidisciplinary and holistic approach, including the human factor, human sciences, governance and technologies, to ensure cybersecurity that is sustainable over time, both economically and in terms of technologies, processes, people, and skills.

“Given that the aim of an attacker is always the same,” Frumento explains, “attacking a person instead of an IT system implies a different process that requires the modification of the attack tactics, with the involvement of social engineering and human sciences, such as psychology or behavioural sciences and the theories related to the management and modelling of human errors”.

Social Driven Vulnerability Assessments, like any Vulnerability Assessment or Penetration Test, are a point-in-time sample of cyber risk that loses its validity as soon as many of the underlying variables change. Therefore, we can start from a Human Risk Management model to enter the paradigm of continuous security, starting from people. Taking advantage of this means transforming training from a professional training or retraining tool into a cyber risk reduction tool that increases the resilience of organizations.

About SEC-AIRSPACE

The EU-funded SEC-AIRSPACE project aims to strengthen air traffic management’s (ATM) resilience by minimising the risks associated with virtualisation and enhancing data sharing among all ATM components and stakeholders. This groundbreaking initiative incorporates cutting-edge cybersecurity components into existing security risk assessment methodologies. Additionally, the project explores the application of people analytics to heighten cybersecurity awareness within ATM organisations. By leveraging two practical use cases involving key stakeholders, SEC-AIRSPACE will validate and showcase its results.

The European research project was launched 1 September 2023, will run for three years, and is led by SINTEF. It is funded by SESAR 3 Joint Undertaking (Single European Sky Air Traffic Management Research) under grant agreement No 101114635.

About CYRUS

The CYRUS project proposes a novel training system that delivers a complete set of skills for being vigilant and for identifying and responding to cyber-attacks. The framework exploits innovative methods for training implementation. Virtualisation-based cyber-range simulations in operational settings and work-based learning will allow timely and efficient course delivery, overcome current hindrances, and raise interest in the awareness programme and good practices.

The European research project was launched 1 January 2023, will run for three years and is led by Deep Blue S.r.l. The funding framework is provided by the European Health and Digital Executive Agency (HaDEA) as part of the European Union’s DIGITAL-2022-TRAINING-02 research and innovation programme under grant agreement No 101100733.

Project partners are: Deep Blue S.r.l. (Italy), Cefriel S.r.l. (Italy), SEARCH-LAB Ltd. (Hungary), G & N Silensec Ltd (Cyprus), The Polish Platform for Homeland Security (Poland), EIT Manufacturing Central gGmbH (Germany), Italienische Handelskammer für Deutschland (Germany), Union Internationale des Chemins de Fer (France), European Federation for Welding, Joining and Cutting (Belgium), Chamber of Halkidiki (Greece), Viesoji Istaiga Lietuvos Inovaciju Centras (Lithuania).

Co-Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or European Health and Digital Executive Agency (HaDEA). Neither the European Union nor the granting authority can be held responsible for them.

Media contact

Katharina Lange
EIT Manufacturing Central gGmbH
Hilpertstraße 31
64295 Darmstadt
Germany
katharina.lange@eitmanufacturing.eu

For further information about the whitepaper

Sonia Montegiove
Journalist, Head of Marketing and Communication, Cefriel
Email: Sonia.Montegiove@cefriel.com
Mob: +39 348-4331388