Editor's Note: The Human Factor


I’m a big fan of the TV series Westworld. For those who haven’t seen it, HBO’s science fiction thriller takes place in a Western-themed, no-holds-barred amusement park where guests interact with lifelike robotic hosts. The show’s many plot twists keep viewers guessing, though eventually we learn there’s much more going on than just gun fights and pleasure seeking. The park’s creators have been quietly taking advantage of guests to carry out a hidden agenda. And while the plan relies in part on Westworld’s futuristic technology, one of its main tools is simple human deception.

Beyond the realm of fiction, of course, people’s susceptibility to deception and manipulation is a real-world concern for organizations — particularly when it comes to cybersecurity. With a phone call, email, social media exchange, or in-person conversation, skilled social engineers can gain the trust of their victims to commit fraud or other organizational crimes. And as Kimberly Hagara, vice president, Audit Services, at University of Texas Medical Branch, notes in “Pulling Strings,” the attackers are becoming increasingly sophisticated. “Now the tactics are much more trust-based,” she says. “Getting into an organization or a system relies more on human interaction.”

In some cases, the attackers leverage systems access to hold the organization’s data hostage. Their success depends not only on malicious software, known as ransomware, but often on the perpetrators’ ability to deceive. According to a recent survey by security firm SentinelOne, nearly 70 percent of successful ransomware attacks in 2017 resulted from hackers gaining access to enterprise networks by phishing via email or social media.

In our cover story, “Held Hostage,” author Arthur Piper examines the risk of ransomware, how to respond to an attack, and considerations for prevention and detection. The article also stresses that employees often represent the greatest vulnerability to these types of attacks. With that in mind, risk management advice includes ensuring training is provided to all personnel and that policies on responding to ransomware incidents have been well-communicated.

Cyberattacks don’t have to be high-tech to present a real threat. Despite all the sophisticated tools available for carrying out an attack, crafty perpetrators can weasel their way through even the best defenses with simple techniques that exploit human psychology. Ironically, in the age of artificial intelligence and advanced digital security, preventing cybercrime often comes down to a deeper understanding of nontechnological, human factors. The weakest link in the security chain is often the employee who opens the door, physical or virtual, to an intruder. And when that happens, to borrow from Westworld’s season two tag line, “chaos takes control.”

David Salierno

About the Author

David Salierno is Internal Auditor magazine's managing editor. https://iaonline.theiia.org/authors/Pages/David-Salierno.aspx

