Blunting The Phisher's Spear: A Risk-Based Approach for Defining User Training and Awarding Administrative Privileges

by Arun Vishwanath
Sept. 15, 2017 | belen_caty | Detection & Response

We propose a radical change to this "one-size-fits-all" approach. Recent human factors research, the Suspicion, Cognition, Automaticity Model (SCAM) [1], identifies a small set of factors that lead to individual phishing victimization. Using the SCAM, we propose the development of an employee Cyber Risk Index (CRI). Much as a financial credit score does for a lender, the CRI will give security analysts the ability to pinpoint the weak links in an organization and to identify who is likely to fall victim, who needs training, how much training, and what that training should focus on. The CRI will also allow security analysts to decide which users get administrative access, replacing the current, mostly binary, role-based apportioning method, in which individuals are given access based on their organizational role and responsibilities, with one based on each individual's quantified cyber risk propensity.
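The following is an added illustration of the two uses the abstract assigns to a CRI (targeting training and gating administrative access); it is not the authors' model or code. The page does not list the SCAM factors or give any weights or thresholds, so the factor names, weights, 0-100 scale, training tiers, eligible roles and the CRI ceiling below are all placeholders chosen for this example, as are the three sample employees.

```python
"""Illustrative Cyber Risk Index (CRI) scoring.

Added example, not from the paper. FACTOR_WEIGHTS, the thresholds,
ADMIN_ROLES and the sample employees are assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed factor set. Each factor is scored 0.0 (least risky) to 1.0 (most
# risky). The names only loosely echo the SCAM's components; the paper defines
# its own factors and the page gives no numbers.
FACTOR_WEIGHTS = {
    "low_suspicion": 0.4,          # rarely questions an unexpected email
    "heuristic_processing": 0.3,   # judges email on surface cues (logo, urgency)
    "automaticity": 0.3,           # habitual, reflexive handling of email
}

ADMIN_ROLES = {"sysadmin", "devops"}  # assumed role-based eligibility list


@dataclass(frozen=True)
class Employee:
    name: str
    role: str
    factors: dict  # factor name -> score in [0, 1]


def cyber_risk_index(factors):
    """Weighted sum of factor scores mapped to 0-100; higher = more likely to be phished."""
    missing = set(FACTOR_WEIGHTS) - set(factors)
    if missing:
        raise ValueError(f"missing factor scores: {sorted(missing)}")
    for name, score in factors.items():
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {score}")
    total = sum(FACTOR_WEIGHTS[f] * factors[f] for f in FACTOR_WEIGHTS)
    return round(100 * total)


def training_plan(factors, focus_threshold=0.5):
    """Decide how much training a user needs and which factors it should target.

    Focus areas are the factors at or above focus_threshold, ordered by their
    weighted contribution to the index, so the biggest driver comes first.
    """
    cri = cyber_risk_index(factors)
    focus = sorted(
        (f for f in FACTOR_WEIGHTS if factors[f] >= focus_threshold),
        key=lambda f: FACTOR_WEIGHTS[f] * factors[f],
        reverse=True,
    )
    if cri < 30:
        tier = "none"
    elif cri < 60:
        tier = "refresher"
    else:
        tier = "intensive"
    return {"cri": cri, "tier": tier, "focus": focus}


def admin_decision_role_only(emp):
    """The binary, role-based method the abstract proposes to replace."""
    return emp.role in ADMIN_ROLES


def admin_decision_risk_based(emp, max_cri=40):
    """Role still defines eligibility; the CRI decides whether the grant is made."""
    if emp.role not in ADMIN_ROLES:
        return False, "role not eligible"
    cri = cyber_risk_index(emp.factors)
    if cri > max_cri:
        return False, f"CRI {cri} exceeds limit {max_cri}"
    return True, f"CRI {cri} within limit {max_cri}"


# Constructed sample data for the example (not from the paper).
SAMPLE_EMPLOYEES = [
    Employee("alice", "sysadmin",
             {"low_suspicion": 0.1, "heuristic_processing": 0.2, "automaticity": 0.3}),
    Employee("bob", "sysadmin",
             {"low_suspicion": 0.8, "heuristic_processing": 0.6, "automaticity": 0.7}),
    Employee("carol", "analyst",
             {"low_suspicion": 0.3, "heuristic_processing": 0.6, "automaticity": 0.2}),
]


def review_all(employees=SAMPLE_EMPLOYEES):
    """Return per-employee training plan and both admin decisions for comparison."""
    return {
        e.name: {
            "training": training_plan(e.factors),
            "admin_role_only": admin_decision_role_only(e),
            "admin_risk_based": admin_decision_risk_based(e),
        }
        for e in employees
    }


if __name__ == "__main__":
    for name, result in review_all().items():
        print(name, result)
```

The point of the comparison is visible in the sample: both sysadmins pass the role-only check, but the risk-based check withholds admin rights from the one with a high index and at the same time tells the analyst which factor to train first. In practice the weights and thresholds would have to come from the validated model and from the organization's own incident data rather than from constants like these.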

Steven Ulm 5 months, 4 weeks ago

Finally, I am happy to read about SCAM :) Leaving the joke aside, really good presentation! Well researched!