Final presentation for today. And it's worth the time. First of all, let me introduce you to Enrico Frumento. So we want to talk about understanding the critical role of the human element of cybersecurity, the role of training, here we go, as a cyber risk reduction instrument. And I think you will continue this discussion a bit.
Yeah, absolutely. Absolutely. So please welcome Enrico. And I think it's really worthwhile watching him. So controller, thank you very much. Okay. Next back. Very simple. So just first of all, I am continuing on the line of the previous talk. And just to give an example of the type of physical intrusions that we could do, this is, for example, a gift card. You normally go into companies and leave these types of things on the desks, and behind there is a QR code with a URL that actually contains the word. This is a phishing site.
No one, I guarantee no one, will realize that it contains these types of words. And the success rate is about, more or less, 70%. This is just to give an example. Starting from that, we started to think about the role of humans within cybersecurity. I saw different speeches yesterday and today, even in the session before, about the mental health of security workers, about human errors in general, the human element in general, and the role it plays inside cybersecurity.
One of the things that we started to realize is that once you switch the system that needs to be protected, which normally is the computers, you also need to completely switch the mindset of the types of things you are doing. But in the end, the types of things that you are doing are almost the same. You need to penetrate, you need to test, you need to harden your system, but accept the fact that the system is no longer a machine, it's a human. So it is a completely different story.
And from this point of view, training becomes not only an instrument to re-skill the people or to train the people, but an instrument to modify the behavior of the persons, of the people in general. And therefore, if you link the training with a cyber risk estimation, it becomes a way to reduce the cyber risks exposed by humans in one sense or another. Let me say something before everything else. It is not working. Where do I have to point?
Okay, it is now. Good.
Well, I have been working in cybersecurity since, well, a geological era, more or less, the early 90s. I was born as a hardcore hacker, let's say, from the technical side. But for 12 years, more or less, I have completely shifted to the human side because it is simpler. Simpler from the attacking point of view; it's simpler also, let's say, from the investment point of view, but it is harder from the mitigation point of view. Because one thing that for sure must be said is that mitigating the humans is not like applying a patch to the system. It takes a lot of time. It is difficult.
Humans' mindsets change over time, during the day, during the years. So this is just to give an example of a recent case that happened in Italy. Just a simple email. Here is a simple phishing email. Very simple. We are talking about contextualized phishing emails, very complex, let's say, contextualized types of phishing, even generated by AI. But such a simple email, the real email was almost like this, provoked this type of incident. One employee provoked a data breach, which cost, in the end, a five million euro fine. That is a complete disaster, of course.
This is the type of consequence of human errors. Of course, you cannot completely avoid human errors because, as I said, even personally speaking, I'm not the same as I was this morning. I am more tired. I think of other things. I'm relaxed or stressed or whatever. Even a recent case, more personal, let's say: an Italian company, a ransomware that hit the owner of a small company. It was actually an attack in which the attackers pretended to be the wife of the administrator and were asking for something. In the end, the administrator opened the mail, the attachment, and infected the system.
The attack was short-lived. This is happening relatively frequently. The malware, by the way, was malware compiled one-on-one. That means no copies of that malware existed anywhere. It was not even recognized by the antiviruses. Just to give this, this is the general picture that is behind what is happening during these years, let's say. Starting from COVID, everyone shifted to working from home.
And so, we witnessed the transition from attacks on the big corporations to attacks on the small and medium enterprises, because this was economically, let's say, feasible and was economically sustainable from the attackers' point of view. But still, they had to have a sort of manual intervention in the small and medium enterprises, just to select those that are worthwhile to be hacked or worthwhile to pay the ransomware and these types of things.
Also, for example, the economic value of the ransomware needs to be evaluated manually. So, the micro enterprises were more or less left out of the mainstream of attacks. Starting from the Russia and Ukraine war, which most of all had an effect on the operational security of most of the groups.
So, they are in a safe paradise without being convicted by the law. And the intervention of large language models, which supported the automation of most of the attacks. For example, social engineering can be completely automated. Malware can contain a small artificial intelligence to do a sort of data scraping automatically within the system.
Well, this led to the multiplication of attacks against micro enterprises. And the micro enterprises are made, if you think of the overall amount of assets in a micro enterprise as 100, 99%, 90% of the overall assets are made of humans. For example, a micro enterprise is an enterprise made of five persons. Your accountant, your plumber, the cleaning company, these types of small micro enterprises I'm speaking about. The main capital is human capital. And there is a very tiny technological layer.
So, this means that, and most of all, the micro enterprises are indeed the backbone of the entire society. Because in terms of productive value, the micro enterprises are covering, the small and medium enterprises are covering between 60 and 70% of the economic turnover of a society. At least in Italy, and more or less in Europe, it's the same. The micro enterprises are even more.
So, cybercrime today, I would say that cybercrime today is no longer about protecting computers, it's about protecting and securing society, in terms of the pervasiveness of this type of attack, first of all, and in terms of the human side of these attacks. Because it's no longer only about the technology.
Humans, well, it is normally, you probably already know that in all the existing reports, the source of between 80 and 90%, if not even 95%, of the successful attacks is reported to be human errors. So, this is the reason why we are protecting society.
So, here is where we are, talking about humans. Humans are, well, I will say, I was about to say humans are the problem.
Indeed, humans are not the problem, because one of the common things that cybersecurity guys do is to victimize or blame the users. But actually, if the users fall into a problem such as this, it's a bad design of the protection mechanism that surrounds the users, in one sense or another.
Then, the question we were asking ourselves was this. There are several sciences that contributed to shaping the targets. If a target is a computer, there is networking, programmers, data scientists, and so on. Hard science scientists. If the system under attack is a human, there is a completely different set of sciences. Which is interesting, because normally, these sciences, which are the human sciences, are not used to talking about cybersecurity at all. And cybersecurity is not used to talking with those sciences as well.
So, there is a sort of communication gap between these two groups that needs to be filled in some way. But anyway, there is a threat model against humans, because humans are exposed to vulnerabilities, which come from our mindsets, our being human in this way or another, that can be exploited. And we know they can be exploited. That is exposed through a threat and exposed to a risk.
So, this also opens the door to talking about human cyber risk models. We have risks for IT systems. We have risks for OT systems. We need to evaluate the risks for humans, which is kind of problematic, because, of course, we rapidly end up in ethical issues. We shouldn't know too much about what the humans are doing in our companies, because sooner or later, we end up in personal areas, personal issues.
So, by definition, there are even more sciences related to studying humans than to studying computers. If I were to study computers, there are software, hardware, telecommunications, data sciences.
Well, not that many. If you think about humans, there are many, many more. And all of them have never or rarely communicated with each other. You can imagine, they have even more rarely communicated with the computer scientists. Just for example, one of the most important, interesting things from this point of view is the cognitive sciences. But for example, for the voice social scam, the acting, to be able to simulate a voice or a situation, is very important. It is something that comes from the actors in theatres. Just to name a few of these.
Marketing is another science that is highly related to phishing. This is, in one way or another, convincing you to buy something or to do something that you shouldn't do if you were completely aware of what you are doing. The point is that, of course, on the other side, they already understood very well what to do and what this means. This is the essence of social engineering, modern social engineering, modern hacking of the humans in one way or another. There are tons of books of this type, hacking humans, what that means. The point is that humans don't change over time. They cannot be patched easily.
And by the way, they are not yet another problem. Because in most of the things I saw, for example, the humans are yet another problem to be patched, solved, contained.
No, this is wrong. Humans are what they are. They are humans.
So, the science needs to adapt to the concept that humans are what they are. And so, just to give you an idea, this is the type of spam. The same mail sent to millions of people. Sooner or later, you will catch some type of good fish, okay? But you also get a lot of shoes and garbage as well.
On the other side, the complete opposite is the context-aware phishing, in which you model the single personas, you model the psychological profiling, you do a lot of open source intelligence information gathering, eventually automated by the AIs, and craft an email that is likely to be, semantically speaking, equal to a real email. And in this case, according to our tests, the percentage of falling victim is, in some cases, even 100%.
So, everyone in our cases, most of the time, is completely exposed. And even if the campaigns are repeated the same, the situation doesn't improve at all.
So, just to bother a famous Greek philosopher, most of cyber security today belongs, let's say, to what Protagoras was saying centuries ago. Man is the measure, metron in Greek, of all things: of those that are, for what they are, and of those that are not, for what they are not. That means, well, the original sentence was related to the filtering of reality through the senses, ears, eyes, and so on, okay? But anyway, it applies very, very well to cyber security today.
And then we have a problem, because of course, like Bruce Schneier, who is a famous cryptographer, you all probably know who he is, said: only amateurs attack machines. The real professionals attack humans, because it's easier, it's more profitable, and leads to revenues faster. And most of the time, if you attack people once, likely they will be attacked even more easily the times after, because of course they get stressed, they get burned by the previous attack, so probably most of the time it becomes easier to attack them once again. And most of all, you cannot protect everyone.
You cannot teach everyone to behave securely. So, well, as I said, this is often the entry point of attacks, and the aim is what the previous speaker was telling: to provide personal information unknowingly, allowing access even through physical penetrations and through the doors, personality profiling through the digital shadows, information that is leaked on the internet, and so on.
So, if this was the mass social engineering done by spam, for example, you know, everyone receives the same email, millions of copies sent on the internet. Today, instead, this is the situation. Targeted attacks.
So, it is time, in our opinion, to rethink cybersecurity from the human element point of view. And we started to think, what does it mean in terms of security to switch out the computers and put the humans at the center? We have to do the same types of things: evaluate the asset management. By the way, the assets are the humans themselves also. Do the penetration testing, do the vulnerability assessments, harden the systems, and so on, and calculate the risks, of course, of humans.
So, there are a lot of activities. I will not go through all of them, by the way, because it was the topic of one talk given at the cybersecurity leadership in November 2022, in which I presented this picture.
So, in a way, the point is just to read the title. Special education tracks and training as a defense instrument to reduce cyber risks. That is the topic of today, okay? How to deal with training as a defense instrument and how to concretely measure the impact, not on the knowledge, not on the behavior, but on the cyber risks. That means, of course, point seven, evaluate the cyber risks of humans and possibly integrate them with other sources of risks. That means IT and OT for the industry, okay?
And also, for example, do the threat intelligence on the human layer. That is mostly open source intelligence, but it rapidly ends up in legal and ethical issues, okay?
Then, special education tracks, and here we come rapidly to the point of the European project, CIRUS, which is funded, and then there is a roll-up just outside the room for asking for contacts. So, that is especially concentrating on two worlds, which are very problematic from this point of view, manufacturing and transportation, and small and medium enterprises. Joining these three variables makes a very complex world, because they are always busy doing other things. They went through years and years of ineffective training.
They are, let's say, constantly attacked, as I said before, because mostly manufacturing and transportation are small and micro enterprises. And then we have to reinvent not the wheel but the training this time, to be more effective, to exploit at the same time, let's say, the psychological things that the attackers already know how to exploit. We just rented the same techniques used by criminals for trainings, yeah? If the same attacks are working to attack the people, why shouldn't they be working for protecting them, right?
Then, the challenge, the solution: special education tracks to communicate emergencies. That means special, carefully taken in this way, in a specific way, and involving everyone, even the so-called gold team, that is the team that's tasked to communicate with external stakeholders, for example, the press, journalists, this type of thing. Or even training as a defense instrument. The challenge here is: training as a cyber risk reduction methodology. Improve the resilience of the human element. That is the aim. And we do this through learning analytics for cybersecurity and people analytics.
People analytics is a sort of, let's say, derived instrument from the learning analytics. You can imagine it as a giant blender that takes data from human resources, from the asset values, from the roles of people, their history, the past training performances, the performance in cybersecurity exercises, blends everything together and creates a sort of optimized class in which the people belonging to the classroom are all exposed to the same level of risk.
So, they deserve to be trained before others. That is the logic.
So, as I said, the CIROS project, this is the QR code, but it actually points there. It is a European project, which sees a lot of partners across Europe, and the intent was to create a new way, a new approach to creating training content specifically for manufacturing and transportation, but possibly for any other sector. And for small and medium enterprises, because as I said before, they are under attack, they are stressed, they went through years of useless training most of the time.
So, they are even disgruntled in one way or another. And to bypass, let's say, even their anger, in one way or another, they did not find trainings. Because one thing that is for sure is that if training becomes a cyber risk reduction instrument, you need to have, let's say, methodologies or instruments to measure the effectiveness of trainings. A company can't just be lucky enough to find a good trainer. They have to find a good product. That is a completely different approach to training. It is no longer something where, well, you find a good trainer, you're lucky, okay.
No, it needs to be developed and created with fixed qualities. We are talking about the quality of software, the security of software, DevOps, DevSecOps, and these types of things. Why not talk about the same quality, security quality, of trainings? It is the same, it's a product at the end of the day. What we've done is interesting, because we conducted a survey across several companies in the two sectors that I mentioned, just to concentrate on the right part. 23% of organizations in transportation have never delivered a cyber security course. Never.
And only 15%, if they have done it, only 15% have covered 90% of the population. So that means that even few of those that have done cyber security courses have done these courses for everyone. So there is always someone, a large part of the population, which has never been trained, okay. And the manufacturing sector is not better, not performing better, because of course, almost half of the organizations have never provided training or awareness courses in cyber security.
By the way, there is also an interesting element we started to do, as I will say later on: in March we started to deliver free courses, offer free courses within the project. So you are invited to participate, by the way. And we ran pilots. The most requested type of course was the course called cyber hygiene, personal cyber hygiene, which is a very basic course. It teaches you how to handle phishing, passwords, this type of basic stuff. It was the most requested, because they were completely unaware of anything. I'm running out of time, I know.
Oh, I can spend a little bit more. Yeah, exactly. So what everyone reported to us in this type of study is that training is not working. Security awareness training, I'm not wondering how they are done, essentially. By the way, it is the same that Mario Draghi reported in his talk about European competitiveness. So we are more or less aligned with Mario Draghi. Let me say another thing about what the world is doing in this area. There are some interesting initiatives. Customized training paths are the norm nowadays.
KnowBe4, for example, does this type of thing. They also have a sort of proprietary, never disclosed type of AI that evaluates these human risks, more or less. No one knows how it's working, but in a way, it is personalized. NIST coined the term human-centered cyber security, actually in 2023. Gartner Trends' latest trend says security behavior and culture programs gain increasing traction to reduce human risk. So there is a lot of attention on training as a security instrument.
Still, NIST launched the human-centered cyber security community of interest. They also started to, let's say, normalize some types of trainings. For example, they introduced the concept of advocacy. They started to normalize the tabletop exercises. They started to, in one way or another, standardize some training methodologies. But we wanted to go further. And we assembled all of it together in this project in this sort of recipe that is standardized and repeatable quality. Training is a product. It's no longer an experience, something that you have to do because you have public funding. No.
It's a product, like software, like everything else. So it needs to be constantly monitored, with KPIs and quality. Instructional design applied to cyber security. Instructional design is a very standard, let's say very, no, but it's a standard approach to creating training programs.
In the USA, it's very much used, but almost nowhere is it used in cyber security. It's used for other training contexts. So it is interesting to apply it in cyber security because cyber security has some peculiar aspects, because it's not only about learning something. It's about learning to do something in a different way. And it's to consider thinking, cognitive styles, these types of things. So not for everybody. Not in the same way. Differentiate learning, training, and awareness. They are different things. Suitable pedagogical models.
So we started to use, for example, andragogy, that is the equivalent of pedagogy, but for adults. Adults think in a different way. They are already working. They have different mindsets, goals and habits. They need to be trained in a different way. The paradigm here is andragogy. There is another one, which is called a which is even different. So these types of big pedagogical paradigms. The use of clarity of language. For example, there's an interesting ISO. I don't know how many of you know it. There is 24495 that is about clarity of language.
In whatever media you are using, written text, videos, audio, whatever, there are clear rules to write in a comprehensible way. Then keep up to date. Continuous integration, continuous development. You know what it is in software, okay? Why not have the same in training? Cybercrime is moving fast. Training is now moving fast as well. Training programs remain the same for a whole year most of the time.
Chunking, nudging, that means digestible pills. Persuasive education. Cyber advocates, human sensor network, crowdsourcing. I called it beyond the Gutenberg model. Gutenberg was the inventor of the press. That means you have an authoritative source of knowledge, like in the classroom. There is the professor and there is the classroom. So it's one-to-many. Here it becomes many-to-many. Measurable economic returns, return on training investment, ROTI. What does it mean? It's not that developed. The last ROTI model is the Kirkpatrick model, which was developed in the 50s.
So you can imagine, relatively old. Human risk model, machine learning algorithms to link training and cyber risk management. That is very important for the CISO, for example. And exploit AI. Today creating learning content is very easy. Easy to produce, learning analytics, clustering, human sensor network, automatic association, and so on. And I end with the last slide, in which there is a QR code to download. There is a white paper we wrote in collaboration with the project that handles all these topics together. It's a 40-page document, more or less.
So if you want to download it, you are welcome. And that was the last one. Thank you very much. That was really interesting. That's the reason why I did not really interrupt you and blah, blah, blah. So that was really nice. Thank you very much.