The Human Element of Information Security

Information security has long hinged on trusted insiders' ability to make good decisions. However, modifying human behavior through training is difficult; some battle-worn security executives might even dismiss it as impossible. Although foundational controls such as antivirus, data leak protection, and firewalls are important, they're far from sufficient. The sharp rise in 'knowability' of people at a distance raises an important question for the information security industry about the automation of personalized attacks: what happens when the marginal cost of launching a convincing personalized attack starts to approach 0 Today, most security controls are ignorant of rich historical data about the person they're tasked with protecting. As the cost for attackers to personalize their attacks goes down, our zeal in building technology to personalize defense must rise. This article explores our industry's need to embrace security's human element. © 2003-2012 IEEE.