When It Comes to Cybersecurity, People are the Weakest Link—Unless We Educate Them

by Rod Davis, May 25, 2023

It is safe to say that if one can build a 9-foot wall to protect an environment, an adversary is simultaneously constructing a 10-foot ladder to scale it. This is the consistent dilemma that cybersecurity professionals face today, and this will not change in the foreseeable future.

Building this proverbial wall consists of a variety of cyber controls that take administrative, corrective, detective, and preventative approaches to mitigating risk. One vulnerability that spans all of these control categories is the human element. Read on to learn how to combat cyber threats through great education and the right tools.

Creating a Culture of Cybersecurity Educational Reinforcement

According to the Center for Internet Security, the following 18 Critical Security Controls (CIS Controls v8) should be implemented to mitigate cyber and technology risk, regardless of industry:

1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defenses
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skills Training
15. Service Provider (Vendor) Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing

While it’s important to educate students that firewalls, identity and access management, data loss prevention, zero trust, multi-factor authentication, etc., can effectively bolster an organization’s security posture, item 14 from the list above (Security Awareness and Skills Training) is probably the most important control to emphasize.

This is where educators play a major role. This control comes down to teaching individuals to recognize when something just doesn’t look right and to take the appropriate action to, you guessed it, mitigate risk.

One could argue that security awareness training should include an element of risk management training focused on basic risk concepts. In other words, a keen eye for quickly sizing up a threat when something just doesn’t look right: what the impact would be if the threat went unaddressed, with no controls in place (the inherent risk), and what exposure remains once the existing controls are taken into account (the residual risk). This is not just applicable to cyber professionals, but also to non-cyber experts, C-level executives, board members, parents, children, educators, students, and business owners. Basically: all people, regardless of their background.

Incorporating risk management into cybersecurity curricula can lead to a culture of cybersecurity professionals who educate each other (iron sharpens iron) as well as their business partners and clients; the latter is where cybersecurity education is needed most.

When students embark on their respective cyber careers, they will need to be aware of the various technical controls, vulnerabilities, and threats that jeopardize confidentiality, integrity, and availability of data. However, they should also be keenly aware that one person (regardless of their background, education, or system access) can cause immense havoc by not understanding how to properly implement and monitor these controls.

Additionally, from a human threat perspective, cyber professionals should be able to see the smoke before the fire: identify the repeat offenders behind incidents, issues, and near misses, or simply recognize someone who is having a bad day and looking to cause a disruption.

The Threat Landscape is Constantly Growing

According to Worldometer, a site that provides real-time metrics of the world’s population, there are over 8 billion people in the world as of May 2023. Now, let’s round this down to, say, 5 billion to exclude young children and individuals without internet access. With that in mind, let’s take a look at another statistic: the average number of devices and connections per person (regionally and globally), according to Statista.

It’s interesting to see the breakdown by region, but let’s focus on the global figure for now. Using our estimate of 5 billion “connected” individuals, multiplied by 3.6 devices per person, that is approximately 18 billion connections! It’s also important to note a few things that are not changing:

  • The population is growing;
  • The number of individuals connecting to the internet is growing;
  • The number of devices connecting to the internet is growing.

These numbers point to the following:

  • There will always be a growing need for cybersecurity professionals;
  • The gap between cyber-aware individuals and non-cyber-aware individuals will continue to widen;
  • The threat landscape for non-cyber-aware individuals will continue to expand.

Education is the Most Powerful Weapon to Combat Cyber Threats

It is important for those in cybersecurity education roles to know these data points. Not only should you educate students, but you should teach them how to educate others by incorporating risk management disciplines. Here are two suggestions to consider for your cybersecurity education material:

  1. Incorporate elements of risk management into your courses or curricula. This will allow students to focus not only on the technical controls but also on the human/enterprise/business side of risk.
  2. Encourage students to look at data and trends, mainly key risk indicators (KRIs), key performance indicators (KPIs), and key control indicators (KCIs). From an analogical perspective:
    • KRIs would be the equivalent of smoke detectors indicating that a fire could start;
    • KPIs would be the equivalent of measuring how quickly the alarm sounds and the fire is put out once smoke appears, i.e., how well the response process performs;
    • KCIs would be the equivalent of monitoring the strength of the batteries in the smoke detector (i.e., listening for that annoying beep when the batteries are low), which tells you whether the control itself is still working.
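To make the three indicator types concrete for a security-awareness program, here is an added example (not code from the original post) that computes one of each from the results of a simulated phishing campaign and a training roster. The users, numbers and threshold values are constructed for illustration: the phishing click rate is the KRI (smoke), the median time for a recipient to report the lure is the KPI (how well the reporting process performs), and the share of staff who completed mandatory training is the KCI (is the control actually in place).

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class PhishResult:
    """One recipient's outcome in a simulated phishing campaign."""
    user: str
    clicked: bool                       # followed the lure link
    minutes_to_report: Optional[float]  # None if the user never reported it


@dataclass(frozen=True)
class TrainingRecord:
    """Whether a user completed the mandatory awareness module."""
    user: str
    completed: bool


# Constructed sample data: hypothetical users and numbers, not real telemetry.
PHISH_RESULTS = [
    PhishResult("alice", False, 4.0),
    PhishResult("bob",   True,  None),
    PhishResult("carol", False, 12.5),
    PhishResult("dave",  True,  30.0),   # clicked, then reported it anyway
    PhishResult("erin",  False, None),
    PhishResult("frank", False, 2.0),
    PhishResult("grace", True,  None),
    PhishResult("heidi", False, 8.0),
]
TRAINING = [
    TrainingRecord(u, u not in ("bob", "grace"))
    for u in ("alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi")
]


def click_rate(results):
    """KRI: share of recipients who clicked (smoke: lures are landing)."""
    return sum(r.clicked for r in results) / len(results)


def median_minutes_to_report(results):
    """KPI: how fast the reporting process works, over those who did report."""
    times = [r.minutes_to_report for r in results if r.minutes_to_report is not None]
    return median(times) if times else None


def training_completion(records):
    """KCI: is the control (mandatory training) in place for everyone?"""
    return sum(r.completed for r in records) / len(records)


def status(value, amber, red, higher_is_worse=True):
    """Map a metric to green/amber/red against hypothetical thresholds."""
    if value is None:
        return "red"  # nobody reported at all: the process did not run
    worse = (lambda v, t: v >= t) if higher_is_worse else (lambda v, t: v <= t)
    if worse(value, red):
        return "red"
    if worse(value, amber):
        return "amber"
    return "green"


def evaluate(results=PHISH_RESULTS, records=TRAINING):
    """Return each indicator with its value and traffic-light status."""
    kri = click_rate(results)
    kpi = median_minutes_to_report(results)
    kci = training_completion(records)
    return {
        "KRI click_rate":        (kri, status(kri, amber=0.10, red=0.25)),
        "KPI median_report_min": (kpi, status(kpi, amber=10.0, red=15.0)),
        "KCI training_complete": (kci, status(kci, amber=0.95, red=0.90,
                                              higher_is_worse=False)),
    }


if __name__ == "__main__":
    for name, (value, level) in evaluate().items():
        print(f"{name:24} {value!s:>6}  {level}")
```

On the constructed data the KRI is red (3 of 8 clicked), the KPI is green (reporters took a median of 8 minutes), and the KCI is red (only 75% trained). Reading the three together is the point: a fast reporting process is of limited comfort when a quarter of staff never sat the training that teaches them to report in the first place.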

Until technology and cyber controls can replicate and detect the emotions and actions of all people, there will always be a need for human intervention and cyber education. More importantly, education with a risk focus will be key as students are taught how to continuously rebuild the virtual wall of cyber controls against adversaries who are simultaneously building threat ladders to compromise confidentiality, integrity, and availability.

Cybersecurity Cloud Labs provides fully immersive mock IT infrastructures with live virtual machines and real software, where students will learn and practice the foundational information security skills they will need to excel in their future careers. Unlike simulations, these hands-on virtual labs reproduce the complex challenges of the real world, without putting an institution’s assets at risk.


About the Author:

Rodney F. Davis is an adjunct professor at Syracuse University’s College of Professional Studies, where he teaches courses focused on Enterprise Risk Management, Cybersecurity, Networking, Forensic Accounting (Fraud Prevention), and Vendor Risk Management. Rod has a total of 29 years of professional experience, 27 of which are focused on operational risk, regulatory oversight, technology, and cybersecurity within the financial services industry. Rod is also a member of an international team of cyber risk professionals responsible for creating and approving certification exam items for ISACA (Information Systems Audit and Control Association).
