Co-authored by Quinn North, Senior Incident Response Analyst, IBM Security.

The security world abounds with case studies demonstrating that end users are a weak point within the organization. End users are constantly bombarded by phishing attacks, are notorious for using weak account credentials and are preyed on by malware relying on the user to introduce malicious software into an environment. All of these examples may lead to significant damage to the organization and negative headlines.

Unfortunately, despite significant efforts, end user security issues continue to stymie even the most well-funded and resourceful security teams. Even with end user training, new hire training, annual security certifications and periodic emails from an exasperated security teams pleading to think twice before clicking on a link, end users continue to introduce and ferment risk within an environment.

It’s safe to assume that most end users have good intentions and are not actively trying to open the doors for the bad guys. So why does the end user continue to be the weakest link? Perhaps we need to adjust how we interact with end users.

Introducing the Feedback Loop

A feedback loop consists of four unique stages:

  1. Capturing or measuring a behavior;
  2. Conveying information to the end user in a manner that is easy to understand;
  3. Conveying the direct consequence of the behavior; and
  4. Recapturing or remeasuring the behavior.

One method to illustrate the feedback loop in the information security realm is via spear phishing exercises. These are exercises sanctioned and conducted by the organization to identify users that are prone to clicking on malicious links. Spear phishing training exercises are an excellent method to correct unwanted end user behavior.

Feedback Loop in Action

Demonstrating the exercise in a feedback loop, an end user first clicks on a spear phishing email that, ideally, should be recognized as malicious. The first step in the feedback loop has been satisfied.

As soon as possible after the user clicks on the link, the individual should be educated on what happened and how to avoid the same mistake in the future, per the second step.

The third step is informing users of the consequences of their actions. This should be done both from an information security aspect (i.e., what the ramifications were to the state of security within the organization) and from a human resources perspective. No one is advocating formal disciplinary actions over clicking on a link in a test. However, repeat and frequent occurrences may warrant additional attention.

Finally, the fourth step, retesting participants, is necessary to ensure they have learned from the affair and the unwanted behavior has been corrected.

Driving End User Security Awareness

While the basic steps of the feedback loop are equally important, attention must be given to their temporal spacing. If it takes three months to notify users of their unwanted behavior, the ability to learn from that behavior is diminished. The more closed the feedback loop is, the more likely the end user behavior will be adjusted.

While the example above focuses specifically on spear phishing, the feedback loop can be applied to a variety of other user practices, such as unwanted web browsing, the installation of unapproved software packages and so on.

Teaching end user security can significantly drive awareness. It is potentially a powerful and effective force multiplier to your security posture. When incident response teams respond to computer security emergency events, a lack of end user security awareness is too often the root cause.

More from X-Force

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

14 min read - This article was made possible thanks to the hard work of writer Charlotte Hammond and contributions from Ole Villadsen and Kat Metrick. IBM X-Force researchers have been tracking developments to the WailingCrab malware family, in particular, those relating to its C2 communication mechanisms, which include misusing the Internet-of-Things (IoT) messaging protocol MQTT. WailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware delivered almost exclusively by an initial access broker that X-Force tracks as Hive0133, which overlaps with TA544. WailingCrab…

Empowering cybersecurity leadership: Strategies for effective Board engagement

4 min read - With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are - serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why those initiatives matter? Maybe not. According to Harvard Business Review, only 47% of board members regularly engage with their CISO. There appears to be a…

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today