Abstract

The human element has been identified as a contributing factor in over 95% of all security incidents. Current technical risk assessment methodologies, such as the IS1-2 Supplement, go some way to quantifying the characteristics of non-malicious insider attacks, based on a historical understanding of the user group, organisational security culture and past security breaches. However, these approaches do not fully consider the psychological motivations that give rise to human error in cyber-security scenarios. Applied knowledge of human limitations and cognitive biases was used to derive a structured approach to capturing typical human errors as part of cyber-security assessments. By recognising the psychological root causes behind human errors in cyber-security scenarios, we can identify appropriate risk management and mitigating strategies, in the same way that Human Reliability Analysis (HRA) tools, such as the Human Error Assessment and Reduction Technique (HEART), are crucial in mitigating human error as part of safety case evidence. This paper presents the Cyber Human Error Assessment Tool (CHEAT), a structured approach to address human factors (HF) considerations in cyber-security assessments.
