User-Centric Security

Security Threat Landscape

This section describes an overview of assets in Domain 6 on User-centric security. Here the term users refers to human users of information technologies in a professional context. We do not include software systems mimicking human users (e.g., bots, autonomous agents) and also, in the classification of security threats and attack samples, we exclude home users engaging in recreational personal usage of information technologies. Rather, we specifically categorize assets according to a typical industrial scenario and, equally, threats as perceived from a company’s perspective. In general, users may have the double role of perpetrator of a threat (e.g., a threat is carried out by human actions) or victims (e.g., individuals are the asset targeted by a threat). Therefore, what should be reasonably included in the user-centric security domain? Individuals as perpetrators or as victims? There is not a clear-cut answer, especially considering that users as perpetrators of security violations are necessarily considered in other domains too, and several semi-automated attack vectors, such as botnets, are operated by humans. Furthermore, humans are responsible for all kinds of cybercrimes, in the end, even social bots used in frauds have been designed by humans and provide illicit benefits to some humans. The same for humans as victims. For most security incidents, the consequences are likely to impact humans. Systems experiencing downtime, malicious applications, compromised IoT networks likely have a negative impact on human activities. Therefore, some more stringent criteria should be adopted.

Assets

Assets can be categorized into 3 different classes as follows:

  • Internal/affiliated – This class group asset categories that typically reflect the roles of individuals in the company. The four categories have clear distinct features: whether or not they are mostly a victim of targeted attacks, the odds to be involved in security incidents or to be responsible for insider threats and so on.
  • External – External assets are both individuals and legal person, and represents the stakeholders not included in the company’s operations and processes. They are the customers and the suppliers, and those representing different interests, like the owners/shareholders, legal authorities and agencies, and the local community and country.
  • Intangible – With this last class, we include two important intangible assets (i.e., neither referred to internal nor external assets), namely the financial market and the public opinion. Both are meta-entities that exert an important role for a company and could possibly be influenced by the consequence of security incidents.  

Internal/affiliated assets can be summarized as follows:

  • Directors/C-level – It includes the higher ranked people in an organization/company, those typically with decisional authority, for example, to green-light purchases or expenditures (e.g., wire transfers, etc.), and with knowledge of sensitive/key business or financial information (e.g., S&A, partnerships, contract signing, etc.). Targeted attacks to these apical positions are the norm.
  • Employees/non-ICT – It includes common employees and mid-level managers not specifically trained or experiences with ICT threats and incidents. This category usually turns out in the statistics as more likely to be victims of security incidents (e.g., phishing, pretexting, ransomware, social engineering, etc.). In special cases, common employees might be in critical roles, for the information or privileges they have (e.g., staff personnel), and for this reason victims of targeted attacks.
  • Employees/ICT – It includes common employees and mid-level managers specifically trained or experiences with ICT threats and incidents. This category should be less exposed to common cybersecurity threats and better informed. However, in this category, there are key professional roles (e.g. system, database, or network administrator) possibly victims of targeted attacks or, on the opposite, representing the most common source of insider threats.
  • Consultants/contractors/business partners – It includes all non-employed personnel with some form of access privilege to the company’s assets. It is a heterogeneous category, which, depending on the specific role, may share characteristics with non-ICT or ICT employees.

External assets can be summarized as follows:

  • Suppliers – Suppliers represent an asset for a company because the failure of the supply chain could produce severe consequences. Therefore, an attack on one or more suppliers may provoke the disruption of the supply chain or other commodity services (e.g., energy distribution). On the other side, an attack on the company may have as a cascading effect on suppliers’ equipment or process, with possible liability. Users to consider is, for these reasons, also suppliers’ personnel, which may propagate to the company the effect of a human error or a cybercrime they have suffered, or, vice versa, if the error or the cybercrime have been committed in the company’s premises.
  • Customers/user base – Customers are evidently one of the primary User-related assets for a company. Failing to deliver a service, interruption of the production, downtime of online availability and presence, loss of reputation, perceived quality drop, unethical behavior and so forth may threaten the loyalty of the user base/customers, with unpredictably catastrophic consequences.
  • Authorities/agencies/institutions/unions – In this category, users are mostly legal persons, but nevertheless they are stakeholders with respect to a company. Liabilities, breaches of law and regulations, breaches of employers’ rights or contractual obligations are some of the possible consequences of an IT incident.
  • Owners/shareholders – Owners and shareholders are obviously stakeholders whose interests a company’s management largely depends on. The owners and shareholders are assets to be protected also from adversarial market manipulation strategies, including smear campaigns and disinformation on social media.
  • Local/regional/national community – This category includes the environment where a company operates, being it the local community, the region, the country or a supra-national body (e.g., the European Union, the federal state). In all cases, the company very likely has a social responsibility with respect to public investments that have favored the company (e.g., infrastructural investments, subsidies to sustain the occupation, etc.) and with respect to the families and the communities of its employees.

Intangible assets can be summarized as follows:

  • Market evaluation/share – This category represents the financial system (i.e., “the market”) from which a company depends. The adverse effects of a security incident could easily affect the company’s market value.
  • Public opinion/reputation – The public opinion and in general the company’s reputation are assets to protect from security incidents, which may lead to a loss of credibility for the company, bad press coverage, accusation of unethical behavior and so forth. As a consequence, this loss of reputation may determine a decrease in customers’ fidelity, market evaluation, and possibly access to financial credit.