1. Humans are often the weakest link in information security due to errors and intentional actions. The majority of data leaks are caused by human factors like misoperation, failure of information management, and bringing devices out of secure areas. 2. There are various causes of information leaks due to human behavior, including human-targeted cyber attacks using sophisticated techniques, unintentionally bringing devices or data out of secure locations and losing them, accidentally sending sensitive information to unintended recipients, insider crimes for financial or political reasons, and thoughtless sharing of confidential information on social media. 3. Effective measures to prevent data leaks include education to increase security awareness, clear security policies, use of security tools and access controls,

1. Toru Nakata,
Institute of Secure Systems, AIST, Japan.
Aug., 22, 2013.
toru-nakata@aist.go.jp
Human Factors on Information Security
1

2. Human, the weakest link
 Most of data leaking are caused by humans.
 Human factor is also the most dangerous for general
information security matters.
2
Misoperation
35%
Failure of info
management
33%
Lost the devices
14%
Stolen
7%
Brought
out
5%
Insider
Crime
2%
failure of
System
Setting
1%
Illegal
access
1%
Bug
1%
Appropriation
of Data
1%
Warm
0%
Cause of Leak
(From JNSA, 2011 Information Security
Report)

3. Human
Error
Five causes of information leak
3
Intentional
1. Human-Targeted Attack
2. Bringing out or lost of
data media
3. Mistake on sending
data to outside.
4. Insider Crime
5. Thoughtless leak on
Social Networking
Service

4. 1. Human-Targeted Cyber Attack
 The Cyber attackers are becoming bigger and more organized.
 The targets shift to bigger and more focused.
 The arts of attack became more sophisticated and tailored for the particular
target.
4
Individual
Company-level
Country-level
Everyone
Particular
Organization
Particular Person
Human-Targeted
Cracker Group
DOS Attack
Mass Spam

5. Example of targeted attack email
 From Mandiant report.
 The attack is supposed from the Chinese army.
 Personating the president of the company.
 The link leads to download malware.
5
Date: Wed, 18 Apr 2012 06:31:41 -0700
From: Kevin Mandia <kevin.mandia@rocketmail.com>
Subject: Internal Discussion on the Press Release
Hello,
Shall we schedule a time to meet next week?
We need to finalize the press release.
Details click here.
Kevin Mandia

6. Typical Techniques of Trap Mail
 “Help me now ” type
 pretends someone troubled with computer,
 and demands tentative relaxation of security policy.
 “Please tell me the password to open the file.” etc.
 “Police impersonation” type
 commands and controls the victim
 “Open the attachment file. This is demanded by the
information security center.”
 “Ordinary information” type
 pretends unimportant mail.
 “Open the attachment to see spec of the new copy
machine.”
6
Those are not accidental human error, but
sophisticated techniques to reduce human wariness.

7. Prevention of targeted attack
 Equipment countermeasure
 Filteing of email.
 Automatic removal “exe” files
 Countermeasure on Human Management
 Education: “Vaccine Training”
 Information Management: Do not allow accesses to
important data by inadequate personnel.7

8. 2. Bringing-out and lost of equipment
 Why bring out? Why copy files on USB memory?
 Overtime work at home
 Sending big files to customers.
 To convey files to stand-alone equipment.
 Why leaks?
 Lost of USB memory and/or smart phone.
 Attach big strap on such small equipment.
 Smart phones must be protected by passcode.
 Make Password Policy: how to make, share, and retire them.
 Not guarded equipment
 Left as initial setting/password.
 Peeping from side
 Do not open your laptop and smart phone in crowded
place.8

9. 3. Failure on sending the file
 Prepare a clean model file and start the work from it.
 Do not use old file again.
 Some unwanted data may remains.9
Excel files may contain
unwanted sheet.
 Elimination of unintentional
data contained in a Word
file

10. Before and After sending
 Before: Check
Sending address, letter body, and
attachments.
But, email address is not easy to read.
Do not use unreliable methods
  Broadcast mail with hiding receivers’ mail
address listed in “BCC”
  Using mail as file sending machine too
much.
After: Cancelation of wrong mail
 Some new mail system can do this.10

11. 4. Insider Crime: Information Theft
 To sell and get money.
 To protect oneself from company authority
 Secret documents described in movie “Erin Brockovich”
 By personal belief and/or political reason
 Wikileaks, etc.
 By selfish reason (but not spy-like crime)
 (From Symantec and Ponemon Report “Data Loss Risks
During Downsizing -- As Employees Exit, so does Corporate
Data”, 2009)
 “Employees are stealing data and are more likely to do so
when they don’t trust their employer.”
 “Employees are stealing proprietary and confidential data
that might affect their former company’s business
competitiveness and could result in a data breach.”11

12. 5. Thoughtless leaks on SNS
 Tweet of confidential information about the job.
 Writing disgraceful matter in the company.
 Writing important news not knowing that is important.
 Leak preceding offical press release, etc.
 Why write?
 SNS seem a small networks of one’s friends.
 But, SNS are actually worldwide and open.
 In SNS, one can play it as almost anonymous.
 But, it is very easy to detect your identity from records of
your anonymous account.
12

13. Leakage from Cognitive Gap
Subordinate's view
“This info is
important.”
“It is not
important.”
Boss’s
View
“This info is
important.”
<Locked Door>
This info is dealt as
property.
<Door of Rumor>
This info is easy to
be leaked.
“It is not
important.”
<Glassed-In Door>
This info is used
without correct
permission.
<Free Door>
This info remain
neglected until
analysis technology
is invented.
13
Two doors of cognitive discord are
main routes of data loss and leak.

14. Provisions against Data Leakage
 Countermeasure on Equipment
 Security software and hardware are already prepared for
typical and ordinary patterns.
 On Individuals
 Awareness of danger is required for every employee.
 Clear policy, reasonable procedure, and kind education.
 On Organization: Security policy
 You cannot have everything: Usability vs. Security.
 Security is matter of choice.
 Company Policies of password, BYOD, cloud service
etc.
 Do not left the policies for individual employee.
14