
815-A Brazos Street | Suite 526 | Austin, Texas 78701 | 877.936.3372 | stefan@empiricalresults.net

Stefan Whitwell, CFA, CIPM
Chief Executive Officer
Preemptive Risk Management
Protect. One Client at a Time.









2014 WHITE PAPER


CYBER SECURITY: SOCIAL PROGRAMMING IS THE ULTIMATE DIFFERENCE MAKER


JUNE 2014









Copyright 2014 Empirical Solutions, LLC. All rights reserved.







CYBER SECURITY TECHNOLOGY CENTRIC SOLUTIONS: HIGHLY RISKY

UNLESS CYBER RISK EXPLICITLY EMBRACES CYBER AUDITING, SOCIAL
PROGRAMMING AND PREEMPTIVE IMMUNIZATION, YOUR ASSETS WILL NOT BE
SECURE AND YOUR HEADLINE RISK REMAINS SIGNIFICANT

By Stefan Whitwell, CFA, CIPM

Introduction

When it comes to Cyber Security, what do CEOs want from their direct reports and
third-party vendors? They want corporate assets to be secured and want this
accomplished as economically as possible. But how do you, as the CEO or the board
of directors, know whether this is in fact being accomplished? This is an important
question given that Fortune 500 companies are each spending upwards of $100mm per
year on security related initiatives and given that CEOs' jobs may now be on the line if a
breach occurs, as was the case with Target.

The short answer is that you do not know whether the millions being spent to
secure your most valuable corporate assets are effective unless you retain a cyber
audit firm to give you independent and objective feedback and ensure that the cyber
audit firm is auditing the correct things (which they often do not; keep reading).

We will let you in on a little secret: 99% of security budgets today address only
50% of the vulnerabilities that can result in your firm being a major news headline. Why
is this? Because social programming is largely overlooked today. This is why despite
the massive increases in security spend, we still see a steady stream of data breach
headlines at major U.S. corporations every week. And undoubtedly, there are many
more that are not reported and kept quiet.

It should not surprise you to know that hackers, professional thieves and
malcontents exploit and celebrate the fact that most corporations do not have a good
handle on the social programming of their employees. In this paper, we will explain
social programming and show you how you can reduce your exposure to this risk in
your organization through an on-going Cyber Risk Audit program that devotes
significant resources to this vulnerability and a preemptive immunization program.

Social Programming refers to the trained and untrained human behaviors that
hackers, professional thieves and malcontents prey upon when using social engineering
techniques to defeat security measures and achieve their objectives. In this sense,
Social Programming is a noun, but social programming is also a verb and refers to the
active and explicit management of behaviors as needed to support the success of the
corporation by harnessing the power of your human capital.





Huge Yet Hiding In Plain Sight: Social Programming

Social Programming must not be confused with Social Engineering, a
well-known term in the security business which refers to the criminal art of tricking a
person into divulging sensitive data or doing something that helps the criminal defeat
the target's security measures.

Social Programming, by contrast, is the behavior that the criminal uses to their
advantage to effect social engineering. Social Programming consists of two parts: (a)
learned behavior and (b) pre-programmed (unlearned) behavior. As a Board Member
or CEO, you have zero control over your adversary and the social engineering threats
coming your way. On the other hand, board risk committees and senior management
do control the social programming of your organization. This is key: if you want
results, you need to focus resources and efforts on social programming.

There are essentially three types of behaviors that are measured in properly
designed Cyber Risk Management Audits: (a) technological, using big data to observe
deviations from behavioral norms; (b) telephone interviews; and (c) physical reactions to
various social engineering tests, including physical penetration testing audits. The first
one, the scanning of behavior in the digital world, is now possible thanks to the
invention of tools and technology to deal with so-called big data sets.

The second type of behavior that is measured in a well-constructed Cyber Audit is
perception of facts and/or belief, as measured through telephone interviews, about
security-related behaviors, incentives and consequences.

The third and last type of behavior that needs to be measured and tracked is
behavior and choices made when confronted with socially engineered ruses. Again, by
way of contrast, social engineering is the art of gaining access to buildings, systems or
data by exploiting human behavior rather than breaking in using technology driven
hacking tools and techniques. The ruses are limited only by the imagination of the
hackers, who in general are a creative class that understands human psychology.
Another fact that you need to hear loudly is this: professional hackers, thieves and
malcontents spend days, weeks and sometimes even months planning their attack.
They are serious and prepare with the intensity of a competitive athlete.

Stepping back for a second, you can see now how a well-constructed Cyber Audit
must include a systematic evaluation of corporate social programming.

Corporate Culture Does Not Matter: Behaviors Do

If the CEO gives the security team a window within which to secure the most
valuable assets of the corporation, the discussion topic needs to be around behaviors,
not corporate culture which, while important, is a term that is loosely bandied around.






In order to protect a corporation, the security team needs to create sticks to
eliminate bad behaviors (ones that increase cyber risk) and incent good behaviors.
Simplistically, one can of course define good behavior as being the opposite of bad
behavior. However, compliance alone can only get you to the 65-yard line. Why?
Because it is impossible to create a list of every single behavior that is desired in every
single circumstance you can imagine. Life is not linear. Therefore, what you ultimately
need to maximize your security profile is to engage the common sense and good
judgment of your employees which transforms your human capital into a huge and
valuable corporate asset. Long-term security success depends on this.

Social programming, the noun, covers the behaviors you were born with and the ones
you have learned, which includes the behaviors you were socialized with growing up
and the behaviors you have learned on the job, specific to a particular corporation.

Although many firms make new hires memorize a list of corporate values and go to
great lengths to bring attention to them, as a practical matter we find that the behaviors
that are most pronounced are those that are tied to carrots and sticks. What do I need
to do in order to keep collecting my paycheck? What do I need to do in order to get
paid a nice fat bonus next quarter? The answers to these questions identify, in clear
terms, the true values of that corporation or that business unit, and make no mistake
about it: employees are highly pragmatic and quickly home in on these key behaviors.
Likewise, employees learn and actively seek out an understanding of what behaviors
result in losing their job. Note that what matters are the behaviors that actually result in one
getting fired, not the behaviors listed in the employment agreement that may
be grounds for dismissal; often there is a massive gap between the two. A top-tier
cyber audit will identify these types of behavioral gaps as they relate to security.

If a CEO sends out a firmly worded memo to all employees stressing the
importance of security, how much will this impact employee behavior? If we conduct a
random survey of 200 employees, with a sample across different hierarchies,
geographies and job functions, and find that only 35% of the respondents named
security as being one of the most important values of the firm, can you say that
security is really a firm value? Likewise, if in those interviews you ask people for
examples of specific security protocols they are required to follow, and 99% can
completely and accurately articulate the core security protocols relevant to their area,
then wouldn't you agree that, as a practical matter, security is valued at that firm? What
would you conclude if only 10% of the respondents could answer the question?

In other words, corporate values must be measured as practiced, not as
preached, and must be regularly measured if you want an objective understanding of
your corporate social programming status and vulnerability index. What, then, should
you do as far as practical next steps if you commission a study that shows that your social
programming is weak and thereby makes your firm unnecessarily vulnerable?







To increase its Social Programming Effectiveness Index, a firm must do two
things to promote the values it wants practiced in its day-to-day business. The first is
perpetual training. The second is what gives teeth to the first and is needed to cause
employees to remember and act on their training: make the embodiment of the value an
explicit factor in financial rewards and terminations.

Not all employees respond equally to the carrot and stick, which is why it is
necessary to utilize both. Without a carrot and a stick, the education will quickly
evaporate, leaving the firm with a negative return on its investment in training and
vulnerable to attack from social engineering.

One way to test whether a value is actually acted upon in a corporation is to do a
random survey of employees and ask them "Please tell me about the last person you
can recall that was promoted for something they did to secure the Firm" and "Please tell
me the last time you can recall someone getting fired for failing to adhere to your
security protocol." How they answer these two questions is extremely telling. There are
other key nuances in this process, of course, but to keep this discussion shorter, we
defer those details for another conversation.

As mentioned, social programming also covers behavioral programming that is
genetic but, fortunately, still something we can manage if we know how.

Getting into a so-called secure building by tailgating behind someone is often
easy to do because you can tap into one of these genetically ingrained behaviors. Even
when the person knows they should not allow someone to enter unless they use their
own unique access card, their neurologically pre-programmed preference will be to just
let them in anyway, because it is the nice thing to do and we are pre-programmed to
avoid confrontation (a genetic predisposition to survive by avoiding unnecessary
confrontations, which can lead to injury, death or loss of property). We also fear that
refusing to help them, or reminding them of the policy, will cause them to think less
of us and create a tense working atmosphere. This is an example of pre-programmed
social behavior (cooperation increases the likelihood of survival).

Fortunately, the combination of training and the regular use of both carrots and
sticks can overcome pre-programmed behaviors. However, education alone will
statistically fail to overcome pre-programmed behavior. This is why many corporate
education programs are a waste of time and money. Why do it if you do not or cannot
reliably create a new set of behaviors?

To this point, when is the last time you can recall someone at a major firm, who is
competent in their core area of responsibility, getting fired or losing their bonus for
failing to follow routine security protocols like constructing sufficiently complex
passwords or not letting anyone tailgate? In the decade I spent working for the largest
banks in the world, I cannot recall a single instance where anyone who was good at
their stated job was ever fired or richly rewarded for their security protocol performance.





However, if an employee believes they will immediately lose their job if they permit
someone to tailgate, they are far more likely to enforce the firm policy and feel
comfortable doing so due to the social programming in place backing that behavior.

Bringing this discussion full circle, if you ask the CFO or Chief Legal Counsel at
any large corporation if they have policies that employees must follow to deal with any
one of a number of security threats, they will all predictably nod their heads up and
down and proudly declare that in fact they do.

However, if you then ask them, in detail, about the most recent enforcement
actions that give these policies muscle, you will typically notice blood rapidly draining
from their face as they search for words that sound anything other than feeble and
weak. The fact is that most firms struggle to implement perpetual training in this area
and almost all firms have weak or inconsistent or no enforcement plans being executed
and communicated internally.

So why do most security firms and internal security staff focus on the hardware
and software and on Social Engineering instead of Social Programming?

Because it feels safer to point to the bad guys and focus on external problems
rather than looking within, and seeing what can be done better internally. In addition,
the entire vendor community affirms this misplaced focus, as you will next see.

Generally speaking, software and hardware vendors can create a warm and fuzzy
relationship with clients by saying "Hey, buy this shiny object and it will protect you." By
contrast, it does not help you sell software or hardware if you say something like, "You
know, we analyzed your Social Programming and observed and documented huge
vulnerabilities due to the way you currently manage your employees, and unfortunately,
no matter how good our shiny object is that we'd desperately like to sell you, it can be
defeated pretty easily through social engineering ruses that take advantage of your
weak social programming." So most vendors avoid the subject and focus on the
technology that they are hired to sell. Ignorance is bliss.

As the scenario above illustrates, and for reasons delineated in The Role of
Scotoma and Survival Bias in the Cyber Risk Audit Decision (Empirical Solutions, LLC,
2014), there are easily identifiable neurological reasons why the CEO will never get
an objective assessment of the security status of corporate assets when solely relying
on internal staff and vendors. As will be briefly discussed below, one way to circumvent
these behavioral limitations is to hire an outside firm to audit your readiness; but only if
the firm you hire has expertise in Social Programming measurement, remediation and
immunization programs.






The Org-Chart Problem

Another issue that invisibly undermines effective security measures in the area of
social programming is corporate governance. Corporations wishing to maximize their
effective security need to clearly define who in the organization either solely or jointly
owns the responsibility for overseeing and supervising security in the corporation.

Social Programming is a firm-wide dynamic that touches on HR, management
(incentive and accountability standards), IT, security (to the extent a firm is big enough
that it has a separate function dedicated for this purpose), legal, facilities, vendor
management, boards (audit and risk management committees), business development
(difficult to generate new business when you are in the headlines for all the wrong
reasons) and last but not least PR and IR (ideally on a proactive basis but always in
reaction to a breach of security that becomes publicly known).

Bottom line: who owns Security? Social Programming? Few C-level executives
want executives from other areas of the business, with whom they may ultimately be
competing for the top job down the line, to tell them how to do their job. And politically,
nobody will openly admit to being territorial, but we all know there are a dozen ways to
quietly drag one's feet while appearing collaborative.

Given the multi-disciplinary reach of social programming, and therefore security, in
practice it is exceedingly difficult for a CEO to delegate responsibility to another
executive for this area. It is often most effective for the CEO to retain responsibility for
this area, to minimize turf wars, perhaps aided by a chief of staff who can focus on the
day to day details; in this way, the direct reports understand that the policy decisions are
ultimately coming from the CEO and need to be implemented without delay and without
foot dragging. Handled this way, the CEO can still retain responsibility for this key area
while leveraging the multi-disciplinary talent and responsibility of direct reports.

Key Decision Factors in Transformational Cyber Audit

In much the same way that Boards have Audit Committees that mandate and
oversee the auditing of corporate financials, Boards may also consider whether doing the
same with regard to cyber risk and security would protect the Board and the Corporation.

For reasons outlined in The Role of Scotoma and Survival Bias in the Cyber Risk
Audit Decision (Empirical Solutions, LLC, 2014), boards would be remiss and potentially
failing to uphold their duty to the corporation if they are not asking questions to
management about the security of corporate assets and taking action to ensure that
they are getting the information they need to fulfill their responsibility to supervise.
Since commerce increasingly takes place digitally in some form or another, digital
security has now become a material issue for corporations, and thus shareholders, and
by extension the Boards as well.






To the extent that Boards have reason to believe that relying solely on
management or management-procured data (from vendors that management directly
hires and works with, for example) incurs an unacceptable procedural risk, as is the case
with the production of financial statements, then the Board arguably has a duty to
engage an outside party to help the Board get the information and insight it needs to
properly discharge its oversight responsibilities.

Just as important as the decision to seek an outside Cyber Risk and Security
Auditor, is the process by which the Board selects an auditor and defines the audit
scope. Specifically, Boards (or the progressive CEO) need to define what, who, how
and when. Interestingly, there are some significant differences between what makes
for a successful financial audit and a successful and on-going cyber audit program.
These differences are material enough, that the way that you hire an outside cyber audit
team must likewise be sufficiently distinct from the normal.

Before you can select who, you first need to know what you want to know and
measure. For obvious reasons, you would be well served to hire a team that will help
you assess your security from both a technology focus and a social programming
perspective. You will be driving with one eye closed and one arm tied behind your back
if you willfully ignore one or the other of these two key components. In addition, it is key
to find an audit firm that specifically delineates between social programming and social
engineering when it collects and measures data, and when it analyzes the data and
presents its assessment to the Board and management.

Another critical distinction for the Board to grasp when engaging an auditor is that
in the area of cyber security, both on the technical assessment and also the social
programming component, the corporation will benefit from an in-depth and all-out audit
engagement exponentially more than a half-baked proposal that looks attractive
because it is less expensive. The cost of finding your vulnerabilities reactively is
multiples greater. Therefore, the Board should be wary of audit firms that compete
based on price. Good audits take a lot of work and are never efficient by definition
because the only way to increase efficiency is to make simplifying assumptions to
reduce the workload, but the minute you make these assumptions, you are now
introducing blind spots and therefore a new source of risk.

Lastly, unlike the financial audit process, which occurs around an annual schedule,
in the area of security and cyber security specifically, the rate of change is much faster.
The rate of change in the evolution of attacks and required actions to defend the
corporation is much more rapid than changes in the way that financial statements are
produced. Therefore, the annual schedule is not the right benchmark. In addition,
corporate turnover also necessitates on-going engagement between the
auditor and the firm, especially if the audit is being done with the intention of
proactively finding issues that can then be addressed to preemptively strengthen and
protect the corporation. Every person that joins or leaves a firm represents a new point
of risk for the corporation, especially with regard to cyber risk, Social Programming risk
and Social Engineering risk.

Therefore, what we recommend is an emerging audit concept called continuous
auditing, with major milestones scheduled quarterly and less vital issues twice a year.

Significant changes in sentiment can occur in the workforce literally overnight, but
more often over the period of months, in part due to the acceleration of information
sharing through social media both sanctioned and unsanctioned. Since future stress
factors cannot be reliably predicted, it is important to keep a pulse on the consistency of
Social Programming on a quarterly basis for example, whereas physical facility
penetration can acceptably be done once a year; although even in this example, if the
business was experiencing growth and opening a large number of new locations, then
the tempo of engagement would be logically accelerated to harmonize with the
evolution of the business being audited. In short, the nature of the Audit needs to be
customized based on the current life cycle of the business and its objectives.

For corporations that want to be at the leading edge of preemptive security, there
are additional measures that can be implemented that make some aspects of the
auditing engagement available on a near real-time basis, particularly when it
comes to being able to produce reports for senior management as to the immediate
risk(s) posed by recently departed key employees. It is beyond the scope of this paper,
but the value to corporations of these kinds of preemptive measures dwarfs the cost-to-
value calculus of incident response (reactive) mandates, which the
industry loves of course because budgets are easier to stretch under stress, which
increases the profit margin for consultants. You can imagine the feeding frenzy taking
place on the back of Target's 2013 data breach, for example. In that kind of
situation, the Board will reactively spare no expense because the risk of skimping and
having another issue soon thereafter is intolerable, so it is a boon for whomever they
hire but not as cost effective as had they invested wisely beforehand. In fact, Target
publicly confirmed the breach December 19th, 2013, and in the 4th quarter of 2013
alone they reportedly spent over $61mm dealing with the data breach, and their bill in
2014 has no doubt been just as significant.

Would it surprise you to learn that the core failure at Target does not appear to be
technical per se (they had at least two systems that generated alerts) but
rather deficient Social Programming? Logs or alerts that are not acted upon, or are
acted upon too slowly, represent a Social Programming problem, not a technology
problem. With the correct social programming in place, logs will not be ignored! The
Target example is also instructive with respect to how fast these events can unfold
and why having a much more rapid tempo of engagement is key to mission success.
What is to be learned from this? Not having your team and the right plan in place can
cost valuable time. The Target breach is proof positive as to why management teams
need to avoid a myopic obsession with technology and make sure they are not sabotaging
themselves with deficient social programming. You can have the best technology, but if you fail
to address social programming, you are swimming upstream with only one paddle.
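The Target discussion above turns on alerts that nobody acted on in time. As an added example (not from the white paper or its author), the following Python measures time-to-acknowledge per alert and per owner against an assumed 30-minute response window, over constructed alert records, so that "logs are not ignored" becomes a number management can track rather than an assertion.

```python
"""Measure whether alerts are actually acted upon, and by whom.

Added example, not from the white paper. The alert records below are
constructed sample data; the 30-minute response window (SLA) is an
assumption. Each record is: id,severity,owner,raised_iso,acknowledged_iso
with an empty acknowledged field meaning nobody ever acted on the alert.
"""
import statistics
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SLA = timedelta(minutes=30)  # assumed acceptable time-to-acknowledge

# Constructed sample records (dates and owners are invented for the example).
SAMPLE_ALERTS = """\
# id,severity,owner,raised,acknowledged
A-1001,high,soc-shift-a,2014-06-01T08:00:00,2014-06-01T08:12:00
A-1002,high,soc-shift-a,2014-06-01T09:30:00,2014-06-01T11:45:00
A-1003,high,soc-shift-b,2014-06-02T02:15:00,
A-1004,medium,soc-shift-b,2014-06-02T03:00:00,2014-06-02T03:20:00
A-1005,high,soc-shift-b,2014-06-02T04:40:00,
"""
NOW = datetime(2014, 6, 2, 12, 0, 0)  # "current time" for the constructed data


@dataclass
class Alert:
    alert_id: str
    severity: str
    owner: str
    raised: datetime
    acknowledged: Optional[datetime]  # None means the alert was never acted on


def parse_alerts(lines) -> List[Alert]:
    """Parse CSV-style alert rows; blank lines and '#' comments are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alert_id, severity, owner, raised, acked = line.split(",")
        alerts.append(Alert(alert_id, severity, owner,
                            datetime.fromisoformat(raised),
                            datetime.fromisoformat(acked) if acked else None))
    return alerts


def time_to_ack(alert: Alert, now: datetime) -> timedelta:
    """Elapsed time before someone acted; for open alerts, time elapsed so far."""
    return (alert.acknowledged or now) - alert.raised


def classify(alert: Alert, now: datetime, sla: timedelta = SLA) -> str:
    """'ignored' (never acknowledged), 'late' (beyond SLA) or 'on_time'."""
    if alert.acknowledged is None:
        return "ignored"
    return "late" if time_to_ack(alert, now) > sla else "on_time"


def stale_open_alerts(alerts: List[Alert], now: datetime,
                      sla: timedelta = SLA) -> List[str]:
    """IDs of alerts still unacknowledged and already past the SLA."""
    return [a.alert_id for a in alerts
            if a.acknowledged is None and time_to_ack(a, now) > sla]


def owner_summary(alerts: List[Alert], now: datetime,
                  sla: timedelta = SLA) -> Dict[str, dict]:
    """Per-owner counts of on_time/late/ignored plus median minutes-to-ack.

    Open alerts count their elapsed time so far, so an ignored alert drags
    the owner's median up rather than disappearing from the statistic.
    """
    summary: Dict[str, dict] = {}
    minutes: Dict[str, List[float]] = {}
    for a in alerts:
        s = summary.setdefault(a.owner, {"on_time": 0, "late": 0, "ignored": 0})
        s[classify(a, now, sla)] += 1
        minutes.setdefault(a.owner, []).append(time_to_ack(a, now).total_seconds() / 60)
    for owner, s in summary.items():
        s["median_minutes"] = statistics.median(minutes[owner])
    return summary


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS.splitlines())
    for owner, s in owner_summary(alerts, NOW).items():
        print(f"{owner}: {s}")
    print("open past SLA:", stale_open_alerts(alerts, NOW))
```

The per-owner view is what ties the metric back to the paper's point: a shift that leaves high-severity alerts open for hours is an accountability finding for management, not a tuning problem for the tool.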





Conclusion

As Benjamin Franklin famously remarked, "An ounce of prevention is worth a
pound of cure." In the case of Cyber Security, this observation holds true as much
today as ever. Study after study makes plain the case that the cost and expense of
repairing reputational damage, together with the cost of subsequent investigation,
damage assessments, security remediation et cetera, are in sum exponentially greater
than the investment required to create and implement an on-going Social Engineering
and Social Programming game plan. Social engineering derived hacks may be
decidedly non-technical, but they are alarmingly effective. Social hacking requires
radically different assessments, corporate governance and enforcement actions to
secure the corporation. The first step in securing your organization is to realize that,
paradoxically, the human variable in the security equation has equal or greater impact
on the bottom line as all the millions being spent on IT solutions. Second, you need to
structure your cyber security plan around the fact that a technological deployment, such
as hardware or software, is by itself incomplete and ineffective unless implemented in
concert with a security program that addresses human behavior and its impact on the
security of the company.


Stefan Whitwell
Austin, Texas


FOR FURTHER INFORMATION CONTACT:
Mr. Stefan Whitwell, CFA, CIPM
Phone: 1-877-936-3372
Email: stefan@empiricalresults.net






APPENDIX A: KEY CONSIDERATIONS WHEN HIRING A CYBER AUDIT FIRM

The following list of considerations is meant to help you as you begin to see the merits
of hiring an outside audit firm to help you stay ahead of the curve. The following
characteristics are not listed in order of importance.

1. Confidential: how can you be sure that your information is not being shared with
other clients by large firms with large teams? Your approach to security, if
progressive enough, could actually be a competitive advantage in today's day and
age, and likewise it could be disastrous for others to know your points of
weakness, for obvious competitive reasons
2. Lean towards firms that staff implementation teams with seasoned professionals
who remain actively involved behind the scenes as well as up front (the risk is that the audit
firm parades the grey hair and credentials to win the business, but behind the
scenes most of the work is being done by twenty year olds)
3. Require that the audit plan be customized for your business based on where it is
in the business cycle and your forward looking objectives and plans
4. Demand equal focus between technology risks and social programming risks
5. Structure your audit with an engagement tempo that is as close to real-time as
feasible and customized around a forward looking business plan of your firm
6. Insist that the audit process clearly distinguish between Social Programming and
Social Engineering in its testing, analysis and recommendations
7. During the evaluation of your firm's social programming, it is key that the audit's
analysis explicitly differentiates between learned and unlearned behavior, since
the detection and management of the two can differ substantially
8. Be wary of hiring auditors that look like your accounting auditors. The ideal
accounting auditor might in fact be an accountant. But if you think about it, if you
want to find vulnerabilities of the kind that hackers look for, you need to think like
a hacker, out of the box, and you need a team that has years of experience
outside of purely structured environments
9. Playing offense is more fun, so challenge your management team and firm to not
just think "how do we plug holes" but to look forward and ask "what can we do to
stay ahead of the curve and transformationally quicken our ability to respond in
the event?"
10. Ensure that the scope of audit requires detailed recommendations in the area of
social engineering immunization, on-going education (both content and
methods), social programming
11. Ability to present statistically sound measurements of social programming
preparedness (this allows management to see directional trends, acceleration of
change, magnitude)
12. Demand summary reports that are punchy, short and have specific
recommendations; reports that are long are never read. The purpose of the audit
is to generate high integrity data and to produce actionable recommendations
where warranted






13. A good audit plan will at a minimum look at the following (though it need not be limited to these):
a. Who in the organization owns security on the management team?
b. Does the Security Manager have an existing dashboard that they manage
and if so, what is on it? Is it statistically sound? Does it drive action?
c. How is security effectiveness currently measured by the corporation?
d. Has management quantified the dollar risk to the corporation of a security
breach, both private and public? What was the methodology for this
assessment?
e. Does the corporation have a defined Rapid Response Incident Team that
is formally denoted as such with 24/7 activation logistics in place? Who is
on it? What business units are represented on it? What is the hierarchy
of the RRIT? When was the last time that the RRIT trained? What was
the worst scenario for which the RRIT has trained and has an action plan
pre-defined?
f. Does the firm have outside investigators on standby that can immediately
respond in the case of an incident and collect evidence and investigate in
such a way that evidence is collected and preserved in accordance with
legal requirements?
g. Does the management team manage risk as an average or a distribution?
h. Does the corporation currently actively manage both technology driven
risk and also social programming risk?
i. What is the budget that was devoted to each? Staff devoted to each?
Frequency of penetration testing? Done by whom? How selected?
j. Who is responsible for making sure logs are timely and properly
evaluated? What is the procedure for that? What is the back-up plan if
that person leaves?
k. How are cyber risks evaluated when an employee leaves? When a new
person is hired into the firm?
l. What does security education look like at the corporation? What does it
cover? How is it done? And on what frequency? How often is the
content updated?
m. How effective is password management in the corporation? How
measured?
n. How is technology risk measured and evaluated?
o. How is social programming risk measured and evaluated?
p. How frequently is physical pen-testing done at corporate facilities? Who
does it? What does it involve? How is it documented?
q. How frequently is cyber pen-testing done at corporate facilities? Who
does it? What does it involve? How is it documented?
r. What % of corporate employees name security as one of the values of the
corporate culture when asked for a list of corporate values? How does
this vary by seniority, age, location, function?
s. Is there an enforcement policy in place? What does it look like? Is it
being consistently followed?
t. What % of corporate employees can articulate what the security protocol
of the company is in general and also specific to their area?
u. What % of corporate employees can articulate the corporation's enforcement policy? What is the last enforcement case they can recall in detail?
v. How is security as a value of the firm rewarded in the corporation?
w. What % of employees can recall a recent specific incident where excellent security performance resulted in compensation and positive recognition?
x. How does the corporation secure its data?
y. How do client networks know, when a valid user ID and password are entered, that the person entering that information is in fact that person?
z. How does the corporation deal with a BYOD environment?
aa. How and where is corporate data stored? How is it backed up? What is the most extreme scenario for which the corporation has prepared and tested?
bb. What % of the C-suite executives feel they are getting completely objective assessments from their subordinates? If so, why? If not, why not?
cc. What % of the C-suite executives manage risk as an average vs. a distribution?
dd. Does the corporation currently have a process in place to determine which of its data is most sensitive, valuable or confidential and to handle it differently, both in terms of storage and accessibility? Does the firm track, or have the ability to track, which employees have closest proximity to this data?
ee. Does the firm conduct background checks on new hires? Credit? Social media? One-point or periodic? Point or circle? Structured data or inclusive of unstructured data as well? With permission or anonymously? How often are these renewed and revisited? What algorithms create an alert?
ff. Does the firm conduct exit interviews? How do these interviews vary based on rank and/or proximity to sensitive corporate data?
gg. What is the security protocol that is followed when someone leaves? What investigation is done? What questions are asked to determine whether a risk of social engineering or post-departure attack motivation exists? What interviews are done among their peers upon their leaving, if any, and under what circumstances?
hh. Which behavioral biases can the C-team members, one at a time, identify without prompting? What about board members?
ii. When good employees come into bad times (stress caused by a variety of possible factors, be they personal or professional), are there any dynamic policies that are followed which help protect both the employee and the firm from potential conflicts of interest or heightened temptations and risks? Do de-escalation procedures likewise exist?
jj. What is the firm's social media policy with respect to employees' use of social media for work-related content or comments?
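The measurements this checklist keeps asking for (a statistically sound dashboard in item b, directional trends, acceleration and magnitude in item 11, and risk managed as a distribution rather than an average in items g and cc) can be made concrete. The following is an added example, not code from the white paper or from Empirical Solutions. The quarterly phishing-simulation counts and the loss-model parameters (incident frequency, median severity, spread) are constructed assumptions for illustration, not breach statistics.

```python
"""Two dashboard measurements from the audit checklist (added example, not the
white paper's own code). Part A: phishing-simulation click rates with a 95%
Wilson confidence interval, quarter-on-quarter change, its statistical
significance, and acceleration. Part B: annual breach loss modelled as a
distribution (mean vs. median vs. 95th/99th percentile) instead of one average.
All inputs below are constructed sample data."""
import random
from math import sqrt, log, exp
from typing import Dict, List, Tuple

Z95 = 1.959964  # two-sided 95% normal quantile


# ---- Part A: social-programming preparedness trend -------------------------

def wilson_interval(clicks: int, sent: int, z: float = Z95) -> Tuple[float, float]:
    """Wilson score interval for a binomial proportion (stable for small n)."""
    if sent <= 0:
        raise ValueError("sent must be positive")
    p = clicks / sent
    denom = 1 + z * z / sent
    centre = (p + z * z / (2 * sent)) / denom
    half = z * sqrt(p * (1 - p) / sent + z * z / (4 * sent * sent)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def significant_change(sent_a: int, clicks_a: int, sent_b: int, clicks_b: int,
                       z: float = Z95) -> bool:
    """Two-proportion z-test: is the move from campaign A to B significant at 95%?"""
    pa, pb = clicks_a / sent_a, clicks_b / sent_b
    pooled = (clicks_a + clicks_b) / (sent_a + sent_b)
    se = sqrt(pooled * (1 - pooled) * (1 / sent_a + 1 / sent_b))
    return abs(pb - pa) / se > z if se > 0 else pa != pb


def preparedness_report(campaigns: List[Tuple[str, int, int]]) -> List[Dict]:
    """campaigns: (label, emails sent, employees who clicked), in time order.
    Each row carries the rate, its CI, the delta (direction and magnitude),
    whether that delta is significant, and the acceleration (second difference)."""
    rows: List[Dict] = []
    rates: List[float] = []
    for i, (label, sent, clicks) in enumerate(campaigns):
        rate = clicks / sent
        rates.append(rate)
        row: Dict = {"campaign": label, "rate": rate, "ci": wilson_interval(clicks, sent),
                     "delta": None, "significant": None, "acceleration": None}
        if i >= 1:
            _, prev_sent, prev_clicks = campaigns[i - 1]
            row["delta"] = rate - rates[i - 1]
            row["significant"] = significant_change(prev_sent, prev_clicks, sent, clicks)
        if i >= 2:
            row["acceleration"] = (rates[i] - rates[i - 1]) - (rates[i - 1] - rates[i - 2])
        rows.append(row)
    return rows


# Constructed quarterly phishing-simulation results: (label, sent, clicked).
SAMPLE_CAMPAIGNS = [("2013Q3", 400, 112), ("2013Q4", 400, 96),
                    ("2014Q1", 400, 60), ("2014Q2", 400, 52)]


# ---- Part B: risk as a distribution, not an average ------------------------

def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's algorithm: Poisson-distributed number of incidents in a year."""
    limit, k, p = exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def loss_distribution(years: int = 20000, incidents_per_year: float = 0.4,
                      median_severity: float = 500_000.0, sigma: float = 1.5,
                      seed: int = 7) -> Dict[str, float]:
    """Monte Carlo annual loss: Poisson incident count x lognormal severity.
    The default parameters are assumptions for illustration only."""
    rng = random.Random(seed)
    mu = log(median_severity)
    losses = sorted(sum(rng.lognormvariate(mu, sigma)
                        for _ in range(poisson(incidents_per_year, rng)))
                    for _ in range(years))
    pct = lambda q: losses[min(years - 1, int(q * years))]
    return {"mean": sum(losses) / years, "median": pct(0.50),
            "p95": pct(0.95), "p99": pct(0.99)}


if __name__ == "__main__":
    for r in preparedness_report(SAMPLE_CAMPAIGNS):
        print(r)
    print(loss_distribution())
```

Part A reports an interval rather than a bare percentage because a 400-recipient campaign can move several points by chance alone; the significance flag tells management whether a quarter's move is real, and the acceleration column shows whether improvement is speeding up or stalling. Part B is what "managing risk as a distribution" looks like in practice: with most years producing no incident the median loss is zero and the mean is modest, while the 1-in-20 and 1-in-100 year losses are far larger, which is the figure a response plan and budget should be sized against.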