@ISACA Volume 12  13 June 2018

Security Awareness and the Bystander Effect

By Jack Freund, Ph.D., CISA, CRISC, CISM

Years ago, I remember taking my first cardiopulmonary resuscitation (CPR) training course. One of the things I learned that stuck with me was the importance of pointing to an individual in the crowd and instructing that person to call 911 (the US emergency services number) before beginning compressions and breaths. The reason for this is to create a sense of obligation for that person to be accountable for the severity of the situation. This helps combat the bystander effect, an effect that describes that in a large group of people, our feelings of individual accountability drop precipitously (called diffusion of responsibility).

In large enterprises with dedicated security departments, it is easy to see security apathy permeate the organization. Security professionals combat this by using trite expressions such as “security is everyone’s job,” except, of course, no one thinks internal audit, accounting or human resources is everyone's responsibility. Indeed, we in the security function invest a lot of money into security tools that help to automate human intervention out of the role of security. This investment is a natural business decision in the substitution of capital for labor; there is simply no way that one can hire enough staff to manage all the event and incident queues, risk assessments, audit, and regulatory matters that a modern information security department demands.

It is precisely this automation that makes it difficult to address the diffusion of responsibility problem. Indeed, we have trained our organizations to anticipate that security is already “baked in.” This is one of the reasons that phishing and spear phishing still remain top attack vectors. It is at this point that all that automation is actually a detriment to our security posture as it invites the bystander effect from our employees. Indeed, with so much screening, monitoring and filtering, it is reasonable that an average, non-IT employee can expect that any email they receive is legitimate. After all, so much automation can lull that employee into feeling genuine diffusion of responsibility.

Sociologists have shown that it is possible to successfully break through the bystander effect with what they call accountability cues. These are visual or audible cues that trigger the employee to feel personally accountable for the actions they will or will not be taking. Well-designed accountability cues help an employee to shed feelings of anonymity and offer to help.

Returning to phishing, for example, software-based interventions can be modified to include accountability cues. Some simple solutions are to include messages that ask the employee by name to disposition an email as phishing or not if the phishing score is indeterminate. Score-based systems that allow an employee to see their “insider risk score” and the actions they took that caused it to rise or fall are also good cues. Making employees accountable for these kinds of scores in their social circles creates positive peer pressure and further accountability. An insider threat score could be based on such factors as anti-phishing training emails they clicked on, completion of privileged access training, data loss prevention (DLP) violations, downloaded files and proxy violations. Creating dashboards where a team can view their scores alongside their peers can help eliminate any anonymity people may harbor for their actions (or lack thereof).

As we continue to automate mundanity out of security operations, threat management, and endpoint protection and response, we must continue to pay attention to the social context in which these technologies are being deployed. The human factors of information security cannot be overlooked. You can be certain your attackers will not ignore them.

Jack Freund, Ph.D., CISA, CRISC, CISM, is director of cyberrisk management for TIAA, member of the Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award winner.


Webinar: Post-GDPR Spreadsheet Controls


Source: Pe3check;
Getty Images

Risk associated with spreadsheets and other end-user computing is not new, but the EU General Data Protection Regulation (GDPR) has raised the penalty for ineffective controls. Achieving GDPR compliance by the 25 May 2018 deadline required enterprises to focus on core enterprise systems and processes, often overlooking end-user-controlled (EUC) files and unstructured data. Now is the time to address this risk and avoid becoming another news headline about data loss and/or material errors related to spreadsheet use.

To learn more about EUC risk, ISACA and CIMCON Software present the “More Effective Spreadsheet Controls in a New GDPR World” webinar. This webinar will help you determine and identify the enterprise’s spreadsheet/EUC risk, automate more effective EUC controls, mitigate breach risk and protect sensitive data housed in EUC files. This webinar takes place on 14 June at 11AM CST (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Craig Hattabaugh, chief executive officer of SIMCON Software, LLC, will lead the webinar. He will use his more than 25 years of software industry experience to help your enterprise reduce the inherent risk associated with EUC.

To learn more about this webinar or to register for it, visit the More Effective Spreadsheet Controls in a New GDPR World page of the ISACA website.


Virtual Summit on the State of Cybersecurity


Join IS and IT professionals and experts for a dynamic discussion of today’s cybersecurity challenges, opportunities and trends. ISACA’s free virtual summit on the state of cybersecurity is a half-day event featuring live presentations and opportunities to connect with peers worldwide. It aims to inspire and inform you so you can help secure the future in your role as an in-demand cybersecurity professional. You will also:

  • Gain expert insight and recommendations to improve your organization’s cybersecurity.
  • Engage with a panel of top professionals in a round-table discussion centered on cybersecurity, threat environments, and controls and countermeasures.
  • Earn up to 4 free continuing professional education (CPE) hours.

ISACA, Adobe and Deloitte present the 2018 Virtual Summit: State of Cybersecurity. The event takes place on 26 June at 9AM CDT (UTC -5 hours), and ISACA members can earn CPE hours by attending the summit.

To learn more about this event or to register for it, visit the 2018 Virtual Summit: State of Cybersecurity page of the ISACA website.


Opt in Now to Continue ISACA Journal Print Delivery


Source: hocus focus;
Getty Images

While ISACA is putting an increased focused on digital delivery of the ISACA Journal, it is important to us that you receive the ISACA Journal in the format that works best for you and how you prefer to read. Regardless of how you choose to read it, the ISACA Journal will continue to deliver practical, actionable information, thought leadership, industry insights and research to a diverse audience of business and IT professionals and practitioners. If you prefer to receive a physical copy of the ISACA Journal, opt in by 26 June for uninterrupted delivery of the printed edition. To opt-in to receive the print edition, follow these simple steps:

  1. Log into the myISACA section of the ISACA website.
  2. Click on the myProfile tab, selecting the Account-Address-Demographic tab.
  3. Click Edit and select the My Demographic and Other Information tab.
  4. Check the box to opt in under the ISACA Journal Delivery Options—Print and/or Digital section.
  5. Click Save at the bottom of the page.

Online Journal access allows readers to view content in a more dynamic, interactive format. In addition to access to online-exclusive feature articles, Practically Speaking (the ISACA Journal blog) posts and ISACA podcasts, readers can search by subject and author, find related resources, and access archived issues. You can also explore the Journal alongside ISACA’s broad range of other knowledge resources online.

The ISACA Journal continues to evolve to meet the needs and interests of practitioners as it has for the last 40 years and continues to remain committed to connecting you and the entire ISACA professional community with valuable content in the digital age.


Security Considerations for Smart Cities


New ISACA research on smart cities highlights several key areas of security consideration that relate to potential attacks to cities’ critical infrastructure. Global survey respondents consider the energy, communications and financial services sectors to be the critical infrastructure systems most susceptible to cyberattacks. Malware/ransomware and denial of service are viewed as the most concerning types of smart infrastructure attacks.

Despite the related security concerns, integrating connected technologies can help cities operate more efficiently while expanding and improving the quality of city services. Few cities are effectively communicating those benefits to residents, according to ISACA’s research.

For more information on ISACA’s smart cities research and to view related resources, including an advocacy position paper, visit the Smart Cities: New Threats and Opportunities page of the ISACA website.


Reflect on Your Past, Present and Future With ISACA for the 50th and Beyond


As ISACA prepares to celebrate its 50th anniversary next year, ISACA would love to hear about your history with the organization and how you envision your bright future with it. How did you find your niche at ISACA after you first joined? How has the association helped in your career journey? What are your hopes for ISACA as the organization moves forward? Share your thoughts and any photos, videos or other historical documents on ISACA’s anniversary website with #ISACA50.