A portable hard disk containing payroll data for 29,000 Facebook employees, including ID numbers and bank information, was stolen in a car park.
It was reported by Bloomberg on Friday (13 Dec 2019) and later confirmed by Facebook. Even Facebook, a listed company whose business involves collecting and selling data, could not protect its employees' personal and sensitive data.
The news report indicated that an employee responsible for payroll processing took the data home from work, and the car was broken into. A Facebook spokesperson said the employee's action violated company policy and would be subject to disciplinary action.
We have seen this type of reckless employee incident thousands of times, either in the news or from personal experience. According to surveys, employee action, whether intentional or accidental, is the single gravest risk in cybersecurity. Researchers at the Centre for Software Reliability, School of Computing Science, University of Newcastle, studied this phenomenon from a cognitive science perspective in their paper "Computer Security Impaired by Legitimate Users", and they cite the nuclear plant accident at Tokaimura, Japan. Engineers were moving 15 kg of uranium and decided to replace the container required by procedure with a similar but larger one in order to speed up the process.
According to the research,
"In hindsight, we speculate that the operators have traded-off productivity and practicality against risk. As their knowledge about critical uranium masses was poor, they were unaware that they were crossing a safety boundary. This case is an instance of how trade-offs can go wrong."
This phenomenon is due to the limitations of the human mind and its bounded rationality.
"Bounded rationality is accepted that human actions do not reach perfection but instead seek an acceptable level of performance with respect to their goals and what the cognitive resources allow. The fact that the cognitive system never aims at handling all the data available in the environment is a central aspect of the cognitive resources saving strategy."
How cybersecurity engineering should integrate cognitive science and develop human-centric security protection is a topic that the team at Hoplite Technology has been studying vigorously in recent months. Employees in a hectic and competitive market must make trade-offs. In our last post on the password mirage, we gave other examples of employees improvising and sharing passwords after a company restructuring. The Facebook, Tokaimura nuclear plant and password sharing incidents clearly show that risk perception matters most. According to the same University of Newcastle paper,
"However, humans are typically biased at perceiving actual levels of risk and rarely have an exhaustive knowledge of the systems they interact with."
We believe it is important to train employees and instill a security mindset in them. Such mindset-change training is different from traditional security awareness training, which is mostly compliance driven and focuses on repeating a DON'T / DO list. We would like to help employees become cybersecurity mindful.
We hope to bring some positive changes and enable employees to practise cybersecurity in their daily routine.
Stay tuned and subscribe to our email list below to get more updates on Cybersecurity Mindfulness.