The document discusses how approximately 50% of security breaches in the Federal Government are caused by a lack of user compliance. While security technologies have improved, end-user behavior can undermine security efforts if users are not properly educated. The biggest cyber threat organizations face is naïve end-users. It is important for organizations to develop cyber awareness programs to modify user behavior and make users the first line of defense against threats. These programs should use clear, non-technical language and involve listening to end-users to address weaknesses in security.

1. Background
Approximately 50 percent of all
security breaches within the Federal
Government are caused by a lack of
user compliance, this is according to
a report released last year by MeriTalk
and developed in collaboration
with Akamai Technologies, Inc.1
This illustrates that even though
security technologies have improved
dramatically during the last few years,
end-user behavior will make or break
any security strategy, as hackers tend
to exploit the path of least resistance.
That is why, in a world where cyber
attacks continue growing at a rapid
pace, organizations wishing to stay
ahead of the game need to mitigate
their biggest cyber threat: naïve end-
users. Otherwise those end-users,
underestimating the magnitude of
their actions, will gladly open the
back door of their organizations to
the world.
1 MeriTalk, (2013). Half of All Federal Agency
Security Breaches Caused by Lack of User Compliance;
Harsh Security Standards May Lead to More Security
Breaches.
Addressing your
Biggest Cyber
Threat
Part of understanding what an
organization lacks in terms of
awareness, is simply listening to its
end-users. Having their voices heard
will not only increase their satisfaction
as customers, but it will allow for the
identification of gaps in any security
program. For instance, here at the
University of Miami, the IT Security
Department partnered with the
Human Resources Department to
deliver a clear message to our end-
users at the annual benefits fair held
a few weeks ago. We focused this
year’s event on educating our staff
on how to keep both their personal
and work sensitive data safe while
listening to their questions and
concerns. The feedback gathered
will help us develop an action plan
to address any discovered weakness
in the near future. In the end, it is
a simple exercise that can provide
valuable information.
The next goal is to develop a cyber
awareness program that helps
modify the behavior of end-users.
By targeting their behavior rather
than having them memorize specific
procedures, the effectiveness of
the cyber awareness program will
increase, while making them the first
line of defense against most threats.
And given that as human beings we
need to be constantly reminded,
any effort towards cyber awareness
should be a formal and continuous
effort with clear outcomes.
Most experts would agree that in
general end-users are not computer
savvy, an element that makes the
communication process even more
challenging. For that reason, it
is key to avoid technical jargon
that would make some people shy
away. Therefore, employing an easy
vocabulary will open the doors to
Your biggest cyber threat?
Naïve end-users
If your end-users lack awareness, your
sensitive data will be at risk
By: Kelvin O. Medina, Information Security Engineer
University of Miami
AWAR NESS
ST ATEGY
SE URITYC
Y
B
E
R
T
H
R
E
A
T
28 United States Cybersecurity Magazine

2. reach all levels of an organization.
The National Cyber Security Alliance,
through it’s StaySafeOnline.org
portal, offer a series of free resources
to get started on the right track.
General cyber awareness, while
effective, is only half of the solution to
a bigger problem. According to the
2014 Internet Security Threat Report
reported by Symantec, targeted spear
phishing campaigns have increased
91% when compared to 2013.2
As a consequence, those end-users
with additional privileges within an
organization, now more than ever,
need advanced training based on
their role.
Going Beyond
End-User Awareness
Embedding cybersecurity an
organization’s policies, processes,
and procedures is one-step further
end-user awareness. For instance,
if end-users are able, as many are,
to acquire products and/or services
then this could introduce new
vulnerabilities into the environment.
It is then recommended to establish a
risk assessment process and attach the
same into the acquisition workflow.
This will give organizations an edge
in preventing the introduction of new
vulnerabilities into their information
systems before it becomes too late.
And as a good practice taken from
the systems engineering field, the
earlier cyber security requirements
get taken into consideration during
the System Development Life Cycle
(SDLC), the easier it will be to bring
the project back into compliance.
2 Internet Security Threat Report 2014. (2014). 1st
ed. [ebook] Mountain View: Symantec Corporation
World Headquarters. Available at: http://www.
symantec.com/content/en/us/enterprise/other_
resources/b-istr_main_report_v19_21291018.en-us.pdf
[Accessed 30 Oct. 2014].
Summing up:
Developing a comprehensive cyber
awareness program is not by any
means a one-person task or even
a responsibility residing within
the technology department of an
organization. It requires the effort
and dedication of many people
with good intentions. From leaders
at the top, to anyone in between,
embracing the awareness message
is everyone’s job.
At the end, it is not all about pouring
resources into new technologies but
coupling them with an organizational
culture that cares. That will determine
to a greater extent, the success of any
security program.
Kelvin O. Medina, CISSP,
SEC+, ITIL, is currently
an Information Security
Engineer at the University
of Miami. He received a
BS in Computer Science
from University of Puerto
Rico and a MS in Technical Management
from the Johns Hopkins University.
Previously, he worked for almost four
years for the US Navy at Dahlgren, VA
as Information Systems Security Officer
(ISSO). In his free time, he enjoys going
to the beach and learning about the latest
in the technology field.
General cyber
awareness,
while effective,
is only half of
the solution to a
bigger problem.
29United States Cybersecurity Magazine