Using Feedback Loops to Enhance End User Security

Co-authored by Quinn North, Senior Incident Response Analyst, IBM Security.

The security world abounds with case studies demonstrating that end users are a weak point within the organization. End users are constantly bombarded by phishing attacks, are notorious for using weak account credentials and are preyed on by malware relying on the user to introduce malicious software into an environment. All of these examples may lead to significant damage to the organization and negative headlines.

Unfortunately, despite significant efforts, end user security issues continue to stymie even the most well-funded and resourceful security teams. Even with end user training, new hire training, annual security certifications and periodic emails from an exasperated security teams pleading to think twice before clicking on a link, end users continue to introduce and ferment risk within an environment.

It’s safe to assume that most end users have good intentions and are not actively trying to open the doors for the bad guys. So why does the end user continue to be the weakest link? Perhaps we need to adjust how we interact with end users.

Introducing the Feedback Loop

A feedback loop consists of four unique stages:

  1. Capturing or measuring a behavior;
  2. Conveying information to the end user in a manner that is easy to understand;
  3. Conveying the direct consequence of the behavior; and
  4. Recapturing or remeasuring the behavior.

One method to illustrate the feedback loop in the information security realm is via spear phishing exercises. These are exercises sanctioned and conducted by the organization to identify users that are prone to clicking on malicious links. Spear phishing training exercises are an excellent method to correct unwanted end user behavior.

Feedback Loop in Action

Demonstrating the exercise in a feedback loop, an end user first clicks on a spear phishing email that, ideally, should be recognized as malicious. The first step in the feedback loop has been satisfied.

As soon as possible after the user clicks on the link, the individual should be educated on what happened and how to avoid the same mistake in the future, per the second step.

Related to this Article

The third step is informing users of the consequences of their actions. This should be done both from an information security aspect (i.e., what the ramifications were to the state of security within the organization) and from a human resources perspective. No one is advocating formal disciplinary actions over clicking on a link in a test. However, repeat and frequent occurrences may warrant additional attention.

Finally, the fourth step, retesting participants, is necessary to ensure they have learned from the affair and the unwanted behavior has been corrected.

Driving End User Security Awareness

While the basic steps of the feedback loop are equally important, attention must be given to their temporal spacing. If it takes three months to notify users of their unwanted behavior, the ability to learn from that behavior is diminished. The more closed the feedback loop is, the more likely the end user behavior will be adjusted.

While the example above focuses specifically on spear phishing, the feedback loop can be applied to a variety of other user practices, such as unwanted web browsing, the installation of unapproved software packages and so on.

Teaching end user security can significantly drive awareness. It is potentially a powerful and effective force multiplier to your security posture. When incident response teams respond to computer security emergency events, a lack of end user security awareness is too often the root cause.

Robert Lelewski

Engagement Lead, IBM Security

Robert Lelewski has been in the incident response, computer forensics, e-discovery and computer security realm for 10...