Ira Winkler - You CAN Stop Stupid

You CAN Stop Stupid: summary, description and annotation

Stopping Losses from Accidental and Malicious Actions

Around the world, users cost organizations billions of dollars due to simple errors and malicious actions. They believe that there is some deficiency in the users. In response, organizations believe that they have to improve their awareness efforts and make more secure users. This is like saying that coal mines should get healthier canaries. The reality is that it takes a multilayered approach that acknowledges that users will inevitably make mistakes or have malicious intent, and the failure is in not planning for that. It takes a holistic approach to assessing risk combined with technical defenses and countermeasures layered with a security culture and continuous improvement. Only with this kind of defense in depth can organizations hope to prevent the worst of the cybersecurity breaches and other user-initiated losses. Using lessons from tested and proven disciplines like military kill-chain analysis, counterterrorism analysis, industrial safety programs, and more, Ira Winkler and Dr. Tracy Celaya's You CAN Stop Stupid provides a methodology to analyze potential losses and determine appropriate countermeasures to implement.

- Minimize business losses associated with user failings
- Proactively plan to prevent and mitigate data breaches
- Optimize your security spending
- Cost justify your security and loss reduction efforts
- Improve your organization's culture

Business technology and security professionals will benefit from the information provided by these two well-known and influential cybersecurity speakers and experts.

You CAN Stop Stupid — read the excerpt online


Malice has caused loss across every industry, so it is important to recognize that UIL may not always be the result of some type of unintentional action. There is frequently a focus on awareness to stop unintentional UIL, but any security or loss mitigation program that does not also consider and mitigate actions due to intentional UIL will fail. Even though an aware user might be one of your best defenses, an aware user can also be your worst enemy if their intent is to use their awareness against you.

Social Engineering

Social engineering is the broad category of attacks typically associated with the computer security field. However, social engineering can take a variety of forms and can be used to facilitate other crimes beyond just computer-based ones. Social engineering can be defined as manipulating an individual to take an action they would not normally take. In the computer field, it is essentially any nontechnical attack to gain access to a computer.

People perceive social engineering as tricking someone into providing them with information or access. In many common scenarios, that is an accurate working definition. This can be achieved through telephone calls, emails, in-person interactions, online chat systems, and so on.

Other forms of social engineering include people essentially sneaking into locations. Dumpster diving, where you literally go through the trash to find useful information, can be considered a form of social engineering. Some people don construction hard hats and reflective vests or utility worker uniforms and walk into a facility. Other people check doors and gates to see if they are locked. Still others try to follow people into facilities through tailgating.

While these tactics can be used to obtain computer access, clearly they can be used for a variety of other types of crimes. A company once tasked us to perform a social engineering simulation to see how outsiders can gain access to a building, because there had been a tragic workplace shooting, where a man had snuck into the building and shot his ex-wife. These things unfortunately can happen.

From a computer attack perspective, social engineering frequently takes the form of phishing, where someone sends a message attempting to get a user to download malware or to disclose login credentials or other useful information.

Sometimes criminals, frustrated with failing to technically hack an organization, will resort to pretext telephone calls attempting to get users to disclose usernames and passwords. Pretext phone calls are also used for a variety of other nefarious purposes to support crimes, such as trying to defraud people for money with fake Microsoft support, claiming the people owe taxes and immediate payment is required, and false claims of needing medical insurance information from the elderly.

Another form of social engineering involves criminals creating USB drives loaded with malware. They place the USB drives in the vicinity of the target and hope that someone from the targeted organization will plug one of them into a computer inside the company. Clearly, this is a hit or miss type of social engineering, but if successful, it can be a very fruitful attack.

The takeaway from our discussion of social engineering is that while insiders may not intend to be malicious, they can be exploited by malicious outsiders who can thereby obtain insider-level access, both physically and technically. This has to be a critical consideration for any UIL mitigation strategy.

User Error

User error is a commonality within most of the other categories in this chapter. Some errors are more consequential than others. Some errors cause loss of life, which is sometimes the case in medical procedures and diagnoses. Other errors cause large losses of money. Many errors cause inconvenience. Some errors have no consequence at all.

In the other categories within this chapter, we assume error to be induced in part by other factors, such as confusing interfaces. In this section, we focus primarily on error due to carelessness or accidents. Users are human beings, and the fact is that they sometimes just make mistakes.

Many people who are overworked, underpaid, or otherwise not treated well are less motivated to avoid making errors. Other people may be distracted for a variety of reasons such as personal issues, medical conditions, lack of sleep, drug use, or similar issues. Sometimes, even good people can feel apathetic, overwhelmed, or pressured. All of this is to be expected. While you hope carelessness is not the norm, its consequences are more dire in some situations than others. Ideally, culture should help create more attentiveness in situations where people have to perform at higher levels. Even in less critical situations, you can try to prevent carelessness as much as possible.

We classify accidents as being different from carelessness because even the best people in the best situations will make an error. For example, many users have experienced accidentally deleting a message instead of forwarding it because they mistakenly clicked on the wrong button on an interface, particularly when they encounter an unexpected lag in cursor speed.

Sometimes there can be multiple supposedly legitimate actions to take, and a person makes an error in determining which action is correct. Everyone has made a legitimate mistake while driving. Even in accounting, it is assumed that the most attentive accountant makes a mistake.

Whether it occurs through a legitimate accident or carelessness, you must assume that users will make an error. You need to proactively plan for such errors and have audit procedures, warning systems, redundancies, and so on, to ensure that potential errors are mitigated before a loss can be initiated.

NOTE: One of the most common examples of preventing accidental errors is providing a confirmation message that has to be acknowledged prior to the permanent deletion of an email message.

Inadequate Training

One fundamental aspect of awareness training is that people believe a properly trained user will not make mistakes. The reality is that even with the best training, a user will make fewer mistakes, not no mistakes.

Many people take for granted that common sense will help prevent a lot of mistakes. That might be an overly optimistic assumption. Either way, there can be no common sense without common knowledge. It is critical to ensure that all users are grounded in common knowledge. Training attempts to establish and strengthen this common knowledge.

However, training frequently falls short. Some training provides an adequate amount of knowledge but is short on practical experience. Knowledge without application is short lived. A random piece of information will rapidly dissipate from memory and, without reinforcement, will be quickly forgotten. We explore this further when we discuss the concept of the forgetting curve in Chapter 5, “The Problem with Awareness Efforts.”

Proper training should ensure that users understand what their responsibilities are and how to perform them. Ideally, training also impresses the need for users to be attentive in the performance of their duties. This requires accuracy and completeness in training, as well as motivation.

Some training is grossly inadequate, inaccurate, and irrelevant. In 2019, two Boeing 737 MAX airplanes crashed. There were multiple causes of these incidents, including technology implementation and user error (as will be discussed further in the upcoming “Technology Implementation” section). However, training requirements were also insufficient and led to pilots not knowing how to handle the malfunctioning equipment. While that is an extreme example, failed training plagues all organizations to varying levels.
