In late 2024, officials announced that a malicious hacking group known as Salt Typhoon (associated with China) infiltrated nine telecommunications companies in a “broad and significant cyberespionage campaign.” The exact length of the breach and the nature of the data targeted or intercepted are not known, but the intrusions are believed to have begun in mid-2023 and focused on metadata tied to millions of subscribers. Targets included both Donald Trump and Kamala Harris and their presidential campaigns, and the attackers accessed intercepts placed by the companies on behalf of law enforcement, possibly to help identify suspected Chinese agents under surveillance.
The attackers in this breach exploited known vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities Catalog. This catalog maintains a list of vulnerabilities that malicious actors have already used to breach systems. CISA recommends that all organizations review and remediate relevant vulnerabilities listed in the catalog; remediation is mandatory for Federal Civilian Executive Branch organizations (e.g., Department of Homeland Security, Department of Health and Human Services, Department of Transportation, Nuclear Regulatory Commission, Tennessee Valley Authority, etc.).
The Cost of Human Error
Failure to review and mitigate known vulnerabilities is one example of human error in cyber events. Human error is categorized as a nonmalicious cyber incident and refers to mistakes or accidental actions that permit a cybersecurity event to occur. IBM reports that in 2024, the average cost of a data breach was $4.9 million, which is the highest average to date and continues to climb. Along with the average of 194 days to identify the breach, the report also states that it takes an average of 292 days to identify and contain a data breach caused by stolen credentials. With the increasing cost of data breaches and the length of time attackers spend in the system, it is increasingly important to educate users on best practices and employ robust security programs.
The Prevalence of Human Error
As organizations digitize and rely more on technology to run operations, they introduce more potential critical failure points that hackers can breach. Regardless of how many digital safeguards are in place, the human factor is one vulnerability that cannot always be accounted for. Depending on the research, the share of breaches attributed to the human factor ranges from 75% to 90%, with the World Economic Forum citing 95%. In Verizon’s 2023 annual data breach incident report, 68% of the more than 10,000 data breaches reported involved a nonmalicious human element.
For more than a decade, the human factor has been the largest area of risk for cyberattacks, with the Pentagon listing some of the same examples that exist today, such as failures to patch vulnerabilities, misconfiguring settings, and failure to follow standardized procedures. These internal failures open the door to external threats. As of 2024, chief information security officers still consider human error to be the leading cybersecurity risk for their organizations. Following are five common human factors in cyber events.
- Password concerns: the use of weak passwords, repeated use of passwords, or the use of the same passwords for home and office use. The most commonly used password overall and in the business environment in 2024 was 123456. This was the fifth time in the past six years this password earned the top spot on this password review. Reliance on weak passwords or using the same passwords for both personal and professional logins increases the vulnerability and risk for the organization. Reuse of old passwords is a risk highlighted by the RockYou2024 leak, which provided a compilation of over 10 billion plaintext passwords, and the Mother of all Breaches data leak, which posted 12 terabytes of information with over 26 billion user records in 2024.
- Improper handling of data: missing or bad data, which leads to poor organizational decisions, data spillage from emailing the wrong recipient, or data left in the open and not encrypted. In 2024, the Police Service of Northern Ireland sent an email in response to a Freedom of Information Act request, mistakenly attaching a document listing the name, position, address, rank, grade, and other information of all officers in the department. This mistake raised concerns over the safety of the almost 10,000 officers identified and resulted in a $1 million fine for failing to protect its data. (Note: This fine resulted from the General Data Protection Regulation, which covers the European Union. In the U.S., HIPAA covers medical liability and the California Consumer Privacy Act provides for fines for failure to secure data, but those are limited in scope.)
- Software concerns: poor training and management of software on the network, including outdated or unauthorized software, vulnerabilities, improper or missing configurations or patches, and reliance on default settings, as in the Salt Typhoon breach previously referenced.
- Unregulated data access: users accessing data they have no need to access. It is important to restrict access and account privileges for users. This limits the potential for abuse and the scope of potential breaches if a non-admin account is compromised.
- Other human errors: clicking unauthorized or malicious links, sharing Wi-Fi networks or passwords, failing to secure systems and hardware, and others.
Mitigating Human Error
With knowledge of this pervasive threat, agencies can and should do something to protect themselves and mitigate the risk. First and foremost, agencies need to develop a plan for cyber incidents. To begin the process, in 2023, the Federal Emergency Management Agency (FEMA) provided Planning Considerations for Cyber Incidents: Guidance for Emergency Managers. This guide provides an overview of the types of cyber incidents emergency managers may face, how to assess cyber risks, roles and responsibilities, and considerations for internal and external communications. To develop a cohesive plan, first establish a planning team, understand the situation (and organization), determine goals and objectives, develop the plan, prepare and review the plan, and then implement and maintain the plan.
As a second perspective, the Federal Information Systems Security Educators Association asks the following questions in relation to how prepared an organization is to protect against human factor risk:
- Have you considered and addressed the human factors of cyber?
- Are your people trained and enabled to identify and avoid cyberthreats?
- Is your organization properly coordinated in the event of a cyberattack?
- Would your team communicate and respond to cyber incidents?
- Does your workforce understand and adopt key cybersecurity best practices?
- Are your people aware of their roles and responsibilities?
- Are your security teams as unified in their mission as the attackers are in theirs?
No matter the guidance, the most central requirement is for the organization to review its operation, review the risks and vulnerabilities, and create a plan. This should ensure continuity of operations and minimize impacts to the communities served.
A 2022 data security survey reported that approximately 64% of Americans are unsure what to do in the event of a data breach. Per CISA, organizations should initiate response plans when they identify signs of a compromise and report the incident for additional assistance. The Department of Homeland Security published guidance on Cyber Incident Reporting, outlining when, what, and how to report incidents to the federal government. Alongside that document, there is also the National Cyber Incident Response Plan from 2016 (and the 2024 draft), which provides a framework for response and recovery for public- and private-sector agencies, including state, local, tribal, and territorial agencies. Reporting may include reporting the incident to CISA, the Federal Bureau of Investigation (FBI), a state or local fusion center, the Internet Crime Complaint Center (IC3), local law enforcement, or some combination.
Anatomy of a Cybersecurity Plan
Handling a cyber incident comprises four stages, per the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide: (1) preparation, (2) detection and analysis, (3) containment, eradication, and recovery, and (4) post-incident recovery (see Figure 1).

The focus of this article centers on the first step: preparation and prevention. The preparation phase outlines what incident response teams should do prior to incidents to ensure they are ready for the following steps in the life cycle. Prevention includes risk assessments, host and network security, malware prevention, and user awareness and training.
Preventing a Cyberattack
Risk assessments, including environmental and organizational risks, examine threats and vulnerabilities for the organization. Elements of the risk assessment start with identifying critical services and dependencies inside and outside the organization. This includes
- Host security: ensuring hosts are properly hardened and configured, users are granted only privileges required for their roles, and vulnerabilities are patched;
- Network security: activities not expressly permitted are restricted, and connection points are secured;
- Malware prevention: proper software is in place to detect and stop malware across the organization; and
- User awareness and training: including everything from awareness to technical training for users.
User awareness and training can be the most basic and most impactful aspect of the prevention step, especially when the organization employs robust technical security and user access controls. Without being able to anticipate how one person will react in any given situation, education is the key factor to minimizing this risk due to employee error or negligence. One of the foundational considerations for awareness and training is gaining the attention of users and convincing them cybersecurity is a critical aspect of the operation. Cybersecurity is a team sport, and it is only effective when everyone works together—from the leaders and technical teams to users and employees across the organization.
For better engagement, it is important to understand employees and their needs, the skills and knowledge they possess, and other important information about them. Relying on a cookie-cutter, web-based training module to educate users is ineffective and will return limited results. As agencies develop plans and identify threats and vulnerabilities, training designed to specifically target those risks and educate users on mitigation strategies is key. It is also important to provide specific action items for users targeted to individual risk and knowledge, and not rely on vague guidance and regulations. Creating a policy that instructs users not to click on a malicious link provides general guidance, but users may still not know how to identify these links. As noted in a previous article in the Domestic Preparedness Journal from October 2024, free and low-cost resources are available for organizations to enhance training and preparation. Agencies do not have to recreate the wheel when looking for training options.
From a social engineering perspective, attackers seek to exploit the decision-making and behaviors of targeted users. If malicious emails can be crafted to mimic legitimate users and links, users may click these malicious links without thinking about it. Instead, users must maintain a healthy skepticism of incoming traffic and remain aware of potential hallmarks of phishing and other malicious traffic.
Training Users
Education and awareness training should cover how attackers appeal to a sense of urgency. Phishing attempts often include wording meant to entice the reader to click on a link, such as a claim that a package cannot be delivered or that an outstanding payment is due. An employee clicking on a malicious link is the easiest way to breach a system and one of the hardest actions to control. Ways to mitigate this risk include the following:
- Encourage staff not to open unsolicited emails where appropriate.
- Encourage staff not to use work networks for personal business; this includes not subscribing to newsletters, shopping, or using work-related email addresses for personal business.
- Create a quick and easy method for staff to report suspicious activities, such as “report phishing” buttons within the email system itself.
- Foster a culture of education and adopt the philosophy that there is no penalty for reporting a potential cyberattack in good faith; staff are less likely to report issues if they fear punishment.
- Look for misspellings and logos that do not appear correct.
- Mouse over links without clicking to see the link’s destination address.
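As an added illustration that is not part of the original article, the following Python script applies three of the hallmarks from the list above to a constructed sample message: urgency wording, a link whose displayed address differs from its real destination (the programmatic version of mousing over the link), and a one-character misspelling of a trusted domain. The sample email, the trusted-domain list, and the urgency phrases are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Urgency wording taken from the hallmarks named in the training list above (constructed list).
URGENCY_PHRASES = ("cannot be delivered", "payment due", "within 24 hours",
                   "account will be suspended", "immediately")
# Anchor tags with their visible text (regex is adequate for the sample; use a real HTML parser in production).
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)", re.I)

def registrable_domain(host):
    # Last two labels only; a real tool would consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    # Levenshtein distance, used to spot one-character lookalike (misspelled) domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_email(html, trusted_domains):
    """Return one finding per hallmark triggered; an empty list means none fired."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", html).lower()
    findings += [f"urgency wording: '{p}'" for p in URGENCY_PHRASES if p in text]
    for href, label in ANCHOR.findall(html):
        # The programmatic equivalent of mousing over the link to read its real target.
        target = registrable_domain(urlparse(href).hostname or "")
        shown = LOOKS_LIKE_URL.match(label.strip())
        if shown and registrable_domain(shown.group(1)) != target:
            findings.append(f"link text shows {shown.group(1)} but goes to {target}")
        if target not in trusted_domains:
            findings.append(f"link to untrusted domain: {target}")
            if any(edit_distance(target, t) == 1 for t in trusted_domains):
                findings.append(f"lookalike of a trusted domain: {target}")
    return findings

# Constructed sample message (not a real phishing email) and a constructed trusted-domain list.
SAMPLE_EMAIL = ('<p>Your package cannot be delivered. Confirm within 24 hours:</p>'
                '<a href="http://login.examp1e-bank.com/verify">www.example-bank.com/verify</a>')
TRUSTED = {"example-bank.com"}

if __name__ == "__main__":
    for finding in review_email(SAMPLE_EMAIL, TRUSTED):
        print("-", finding)
```

Each finding corresponds to a cue a trained user is asked to notice by eye; the script simply makes the same checks repeatable so they can be used in a "report phishing" triage workflow.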
Psychological elements, such as the risk of cognitive bias, can be minimized by simplifying login and authentication methods. Decision-making can also be affected by burnout, fatigue, mental overload, and appealing to a sense of urgency. These risks can be mitigated by ensuring an appropriate work-life balance, awareness training, and strong security protocols and reporting mechanisms in case of a potential breach. It is also important to create a security culture that encourages users to immediately notify the security team or their supervisor when they identify a potential issue or if they think they made a mistake or clicked on a malicious link. If the organizational culture is punitive for any mistakes made by the user, it incentivizes concealing potential issues in the hope nothing develops, increasing risk.
Vigilance Is Essential
When considering risks of cyberattacks, understanding the primacy of the human factor is central in addressing risk and developing plans for continuity of operations and incident response. Creating a security culture that seeks to educate employees is a continuous improvement process, and addressing the specific organizational threats and vulnerabilities is essential. It is also necessary for the organization to be active in identifying vulnerabilities, applying patches, and monitoring systems, alongside implementing user access controls. Requiring multifactor authentication and robust passwords, changed periodically, as part of an overall plan will minimize the possibility of compromised credentials that lead to data breaches. Following the guidelines listed here and those provided in the cited resources, agencies can significantly improve the security posture of the organization and provide training and awareness that can be used anywhere. A team is only as strong as its weakest player, and cybersecurity is a team sport. Robust training and education are beneficial for the organization, the individual, and the communities at large.

Dan Scherr
Dan Scherr holds a Ph.D. in public policy administration with a terrorism, mediation, and peace focus. He is an assistant professor in criminal justice and homeland security at the University of Tennessee Southern and program coordinator for the cybersecurity program. He is also a co-director of the honors program. He is a certified fraud examiner and Army veteran who served stateside during the September 11 attacks and has over two decades of experience in homeland security and operations.

Tanya M. Scherr
Tanya Scherr holds a Ph.D. in public policy administration with a healthcare and emergency preparedness focus. She is an associate professor in healthcare administration for the University of Arizona and has three decades of healthcare experience. Along with being a certified fraud examiner since 2011, she is also a former firefighter–emergency medical technician (EMT), previously licensed in several states, and held national certification. She has held several executive and board of director positions for community nonprofits that focus on women’s equality, domestic violence, and sexual assault.