Cybersecurity: how to involve people in risk mitigation?

July 2024 by Cefriel

As part of the European projects CYRUS and SEC-AIRSPACE, Cefriel, a digital innovation center founded by Politecnico di Milano, published the new white paper "Cyber Security and the Human Element - Risks and mitigation interventions, starting from people". The text - by Enrico Frumento, Cybersecurity Research Lead at Cefriel - explains why people are required to become aware of their role in corporate defense and protection mechanisms and how to intervene so that they can actively participate in the prevention and mitigation of cyber-attacks.

The emerging threat related to artificial intelligence is accompanied by gaps in cyber risk management that have not yet been fully closed, especially in the supply chain and in OT and IoT environments. Comparing the level of maturity of the various sectors with the percentage of cyber-attacks recorded in Europe and Italy in the first half of 2023 shows that the Public Administration sector is still the most affected, accounting for 19% of attacks in Italy and 23% in Europe. Also significant is the number of attacks suffered by the industry sector (17%), more than double the European average (7%), which shows that much remains to be done on cybersecurity in industry. According to the Netconsulting report, the critical factors requiring intervention are above all training and the resources allocated to IT security investments. Those resources are not always sufficient, although they are growing by more than 12% per year.

Why should you start from the human element in cybersecurity strategies?
At present, a large part of the cybersecurity market focuses on the technical aspects of an attack, while little work is done on the so-called "human element". Yet the latter plays a central role according to the World Economic Forum's Global Risk Report, given that risks related to people's behavior account for almost 95% of the total.
Enrico Frumento, Cybersecurity Research Lead at Cefriel, explains: "In cybersecurity people are too often blamed when a cyber incident occurs, as if they were just another source of cyber risk to be dealt with. But people are not computer systems, hence, they need specific solutions. We should start by asking ourselves how a threat analysis can be carried out on people, how a company can calculate the cyber risk related to a person, and how many effective ways there are to reduce it. In general, how can you rethink security starting from the so-called human element. That’s what we thought about when we wrote this white paper."

What approach should you take to defend and protect your business?
As explored in the white paper, people must be an integral and active part of the corporate defense and protection process, with the ultimate goal of inducing a stable behavioral change in people. To do this, the "human element" issue of cybersecurity needs to be addressed with a multicultural and holistic approach, including the human factor, human sciences, governance and technologies, to ensure sustainable cybersecurity over time both in terms of economics and of technologies, processes, people, and skills.
"Given that the aim of an attacker is always the same," Frumento explains, "attacking a person instead of an IT system implies a different process that requires the modification of the attack tactics, with the involvement of social engineering and human sciences, such as psychology or behavioural sciences and the theories related to the management and modelling of human errors."

Social Driven Vulnerability Assessments, like any Vulnerability Assessment or Penetration Test, are a point-in-time sample of cyber risk whose validity fades as the underlying variables change. Therefore, we can start from a Human Risk Management model to enter the paradigm of continuous security, beginning with people. Taking advantage of this means transforming training from a professional training or retraining tool into a cyber risk reduction tool that increases the resilience of organizations.
