Co-authored by Quinn North, Senior Incident Response Analyst, IBM Security.

The security world abounds with case studies demonstrating that end users are a weak point within the organization. End users are constantly bombarded by phishing attacks, are notorious for using weak account credentials and are preyed on by malware relying on the user to introduce malicious software into an environment. All of these examples may lead to significant damage to the organization and negative headlines.

Unfortunately, despite significant efforts, end user security issues continue to stymie even the most well-funded and resourceful security teams. Even with end user training, new hire training, annual security certifications and periodic emails from an exasperated security teams pleading to think twice before clicking on a link, end users continue to introduce and ferment risk within an environment.

It’s safe to assume that most end users have good intentions and are not actively trying to open the doors for the bad guys. So why does the end user continue to be the weakest link? Perhaps we need to adjust how we interact with end users.

Introducing the Feedback Loop

A feedback loop consists of four unique stages:

  1. Capturing or measuring a behavior;
  2. Conveying information to the end user in a manner that is easy to understand;
  3. Conveying the direct consequence of the behavior; and
  4. Recapturing or remeasuring the behavior.

One method to illustrate the feedback loop in the information security realm is via spear phishing exercises. These are exercises sanctioned and conducted by the organization to identify users that are prone to clicking on malicious links. Spear phishing training exercises are an excellent method to correct unwanted end user behavior.

Feedback Loop in Action

Demonstrating the exercise in a feedback loop, an end user first clicks on a spear phishing email that, ideally, should be recognized as malicious. The first step in the feedback loop has been satisfied.

As soon as possible after the user clicks on the link, the individual should be educated on what happened and how to avoid the same mistake in the future, per the second step.

The third step is informing users of the consequences of their actions. This should be done both from an information security aspect (i.e., what the ramifications were to the state of security within the organization) and from a human resources perspective. No one is advocating formal disciplinary actions over clicking on a link in a test. However, repeat and frequent occurrences may warrant additional attention.

Finally, the fourth step, retesting participants, is necessary to ensure they have learned from the affair and the unwanted behavior has been corrected.

Driving End User Security Awareness

While the basic steps of the feedback loop are equally important, attention must be given to their temporal spacing. If it takes three months to notify users of their unwanted behavior, the ability to learn from that behavior is diminished. The more closed the feedback loop is, the more likely the end user behavior will be adjusted.

While the example above focuses specifically on spear phishing, the feedback loop can be applied to a variety of other user practices, such as unwanted web browsing, the installation of unapproved software packages and so on.

Teaching end user security can significantly drive awareness. It is potentially a powerful and effective force multiplier to your security posture. When incident response teams respond to computer security emergency events, a lack of end user security awareness is too often the root cause.

More from X-Force

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today