Phishing and spear phishing, i.e. social engineering, have left today's users defenseless against increasingly sophisticated cyber-attacks. In 2016, the Director of National Intelligence (DNI) reported that 91% of all successful cyber-attacks against the Federal Government in 2015 were enabled by social engineering; in short, 91% of successful cyber-attacks were enabled by users. To complicate matters further, Federal users represent a nearly 100% cybersecurity-trained population, operating within compliance-based cybersecurity programs. If the purpose of cybersecurity programs is to reduce risk, then the DNI metric suggests that a review of such programs may be in order. A logical starting point is to understand the number one vulnerability: the user.
This presentation provides an overview of two quantitative studies conducted at the Pacific Northwest National Laboratory (PNNL) in 2017. These studies were designed to explore the psychological and contextual variables that influence users confronted with cybersecurity challenges, and those users' propensity to comply with policies under such conditions. From these studies, a new, cross-disciplinary approach to assessing cybersecurity risk began to emerge. Ultimately, these efforts could lead to the development of risk assessment instruments that provide a tailored approach to understanding organizational risk.