CSIAC

Cyber Security and Information Systems Information Analysis Center

/ All Podcast Series / / Phishing for Solutions: Are Cybersecurity Compliance Based Programs Working?

- Phishing for Solutions: Are Cybersecurity Compliance Based Programs Working?

| Presenter: Dr. Terry R. Merz, CISSP, CISM | 2 Comments

Notice: This podcast video may contain personal or third-party views and opinions not associated with the government.
Please see our terms of use located here: https://www.csiac.org/csiac-terms-of-use/

Phishing and spear phishing, i.e. social engineering, have rendered today’s users defenseless against increasingly sophisticated cyber-attacks. In 2016, the Director of National Intelligence (DNI) reported that 91% of all successful cyber-attacks against the Federal Government in 2015 were enabled by social engineering. In short, 91% of successful cyber-attacks were enabled by users. To complicate matters further, Federal users represent a near 100% cybersecurity trained population, operating within compliance-based cybersecurity programs.  If the purpose of cybersecurity programs is to reduce risks, then the DNI metric would suggest a review of such programs may be in order. A logical starting point would be to understand the number one vulnerability: the user.

This presentation provides an overview of two quantitative studies conducted at the Pacific Northwest National Laboratory (PNNL) in 2017. These studies were designed to explore psychological and contextual variables that influence users confronted with cybersecurity challenges and their propensity to comply with policies under those conditions. From these studies, a new, cross-disciplinary approach towards assessing cybersecurity risk began to emerge. Ultimately, these efforts could lead to the development of risk assessment instruments that provide a tailored approach towards understanding organizational risk.

Download Associated Files:
You must be logged in to download files associated with this video podcast. Click here to login.

Presenter

Dr. Terry R. Merz, CISSP, CISM
Dr. Terry R. Merz, CISSP, CISM
Dr. Merz is a Senior Research Scientist at the Pacific Northwest National Laboratory (PNNL). She holds a Doctorate and Masters in Computer Science, with a concentration in Information Assurance from Colorado Technical University, and a Bachelor of Science in Information Management from the University of Maryland. Dr. Merz has 17+ years of cybersecurity experience in the areas of systems and cybersecurity engineering, research, cybersecurity testing (Blue/Red Team testing), and management. In her roles as a Fully Qualified Navy Validator, and an Information Systems Security Engineer on behalf of the National Security Agency, Dr. Merz focused on vulnerability testing, and the design of mitigations for enterprise architectures. In addition to security engineering and vulnerability testing, Dr. Merz spent several years in the area of cyber incident response. These activities included incident response to Advanced Persistent Threats (APT) on ICS/SCADA for the Navy. From 2014 onward, her specific area of research became the study of APT’s and the life cycle thereof. These studies included responses to such threats, such as the development of cyber resilient tactics, techniques and procedures, as well as first responder detection techniques. For 2 years, Dr. Merz conducted research in the area of software-enabled devices (System of Systems), Zero Day vulnerabilities relative to software-enabled devices, and the development of resiliency tactics, techniques and procedures for software-enabled devices. While conducting applied research on APT’s and specifically Zero-Day attacks, Dr. Merz included Behavioral INFOSEC into her research areas.

Reader Interactions

Ask a Question or Comment:

  1. To Dr Merz,
    Thank you for your ‘Phishing for Solutions ‘ webinar which I was able to watch belatedly. As one more focused with the behavioral science aspect, I agree with the development of a risk tool which would assess one’s vulnerability to phishing/spear-phishing attacks, but am concerned that this will entail privacy issues hindering enduser cooperation if evaluated on the depth of the individual-relationship context as a separate post-Domain entry self-assessment test . Could this risk tool (upon development) already be integrated with the domain upon allowing the enduser’s entry? Thanks,

    • HI,

      Thank you for the comment. Great question by the way. Privacy is definitely a concern. To answer your question, I need to get a little more clarity around your question: can you elaborate on what is meant by “separate post-Domain entry self-assessment test”?

      Also, Just so we’re coordinated, the domains are contextual parameters that allow the grouping of context variables. For example the Organization’s domain would include variables such as policies, mission, technology, location etc..

      So, the risk took wouldn’t integrate with a domain. The risk tool would evaluate which context variables within each of the contextual domains is affecting a given event. Does that make sense?

      Thanks!
      Terri

Leave a Comment