It should not be a surprise that the biggest vulnerability in Cybersecurity is the user (Goldman, 2010). The vulnerabilities presented by the user fall into two general categories: (1) accidental and (2) malicious. Vulnerabilities matter to those who are trying to perform unauthorized actions on an information system. For this paper, the term information system is used generically to mean anything from a home computer to a global enterprise encompassing numerous servers and storage systems. These unauthorized actions are threats to the information system. While not every vulnerability gives rise to a threat, even a single vulnerability puts the information system at risk.
Most threats that an information system faces depend on, or benefit from, the presence of user vulnerabilities (Verizon RISK Team & United States Secret Service, 2010). Additionally, the potential for damage can be more significant when exploits include user vulnerabilities, as this can have a direct impact on the effectiveness of countermeasures (CERT, 2010). When a threat is executed by an attacker (e.g. hacking, social engineering), it creates an incident that affects the organization, potentially in many ways. These incidents have operational and financial costs to the organization.
It is possible to address the vulnerabilities and thus reduce the risk that threats present. On one side, enterprises need to increase training and awareness, both in intensity and in frequency, along with better countermeasures. On the other side, end-user training and awareness needs to be elevated in society through public campaigns for every age group. Let us take a deeper look at what vulnerabilities the user induces.
User Induced Vulnerabilities
It is hard to remember the first time one hears about the eighth layer of the OSI model, the user layer. The eighth layer is crucial whether designing an input scheme or troubleshooting network connectivity (Did the eighth layer plug in and turn on the system?). Within the Open Systems Interconnection (OSI) model, the user is the only part that has no universal standards, best practices, or predictable competencies, and that brings free will along with external influences. By abstraction, the user layer is the human element, which makes it responsible for building Cybersecurity systems, developing governance on use, and exercising safeguards to keep systems safe.
Given this position, an argument exists that all vulnerabilities are user (human) induced. While there is support for this, it is not consistent with the current method for addressing vulnerabilities. One reason is that the number of vulnerabilities is too large and their resolution approaches too varied. Imagine using the same approach for IT professionals (e.g. software developers) and for an average end-user (e.g. a logistics manager) when covering the importance of anti-virus software. For the scope of this paper, we will address users...