The below information was provided by Lance Spitzner, founder of www.securingthehuman.org

Ten to fifteen years ago hacking a computer was easy: systems had no firewalls, no memory minimization, no anti-virus. It was the Wild, Wild West of hacking computers. Fast forward to the present day and the default installation of any OS is actually very secure. A freshly installed Windows 7 or 8 machine plugged in to the Internet would take a hacker months or even years to attack.

Cyber attackers are now attacking human beings

The current risk we are now facing is when the human touches the keyboard of a computer system. The human is responsible for opening attachments, downloading files, and inserting USB sticks. Why are computers so secure and yet the people who operate them not? Think about it: computers store, process and transfer information that is very valuable to your organization. People also store, process and transfer information that is valuable to your organization. They are nothing more than a human OS. The problem is we have done nothing to secure the human OS over the last 10-15 years. It could be said that the human OS is similar to Windows NT when it was released: it had no anti-virus, no firewalls, etc. On a humorous side note, one of my former techy friends stated that the "NT" in Windows NT stands for "Nice Try."

Unfortunately, the human OS is "happy to share." We freely share on Facebook about that huge promotion at work, photos of our kids, the food we are eating, the movies we like. Cyber attackers will take this information and tailor customized emails based on your interests, sending links and attachments for you to click and download. If you do fall prey to this attack, the attacker can then infiltrate your network and you could be the next headline news story of a computer hack.

Your organization invests lots of money in securing its computer systems:

  • Full Disk Encryption
  • Two factor authentication
  • Automated patching

Chances are your organization invests $100-200 per computer. How much is your organization investing in the human OS? The average Security Awareness Program budget is less than $10,000 a year. We've done nothing to teach and educate the human OS to change its behavior.

When a user is surfing the Internet, or clicking links in emails, they underestimate the risk, as they are under the impression that "they" are in control. Getting hacked is like heart disease: it's a silent killer. We need to address these risks so humans will change behavior.

The top 7 Human Risks are:

  1. Phishability
  2. Password re-use across sites
  3. Not patching or updating devices (Bring Your Own Device, BYOD)
  4. Indiscriminate use of mobile media
  5. Sharing too much personal/work information on Social Networking sites
  6. Lack of situational awareness
  7. Accidental disclosure/loss of information, such as losing your laptop or misplacing documents with Personally Identifiable Information on them

Most Security Awareness programs are staffed by an individual in Information Security, someone with technical skills. The role is usually filled on a part-time basis, and the individual managing the program has to juggle other IS-related tasks, such as compliance. Security Awareness Programs need someone with the skill set of an advertiser or marketer, someone who knows how to sell the program to a large enterprise.

For FREE information on how to build an effective, engaging Security Awareness Program, visit


Enjoy the full presentation on youtube.com from Lance Spitzner, of the SANS Institute and founder of www.securingthehuman.org, speaking at a recent RSA Conference on the subject of the Human OS.