All cyberthreats originate with a person. It is people who act in unsafe or malicious ways which drives the security risks across our digital lives. It may seem an unusual way to look at the problem of cybercrime, data breaches, and intentional service outages, but that is the hidden truth in computer security. Humans and technology are intertwined. It is an unpopular sentiment as technology is an easy culprit to blame. It is a simple story when fault can be described as a code vulnerability, weak passwords, or a system hack. These are straightforward problems with equally straightforward fixes. But in fact, our electronic ecosystem of devices and software, simply represents the playing field where the battle is fought. Regardless if it is a careless employee, cybercriminal, or nation state cyberwarrior, people are the genesis of all risks.
Sun Tsu provided insights over two thousand years ago, which remains relevant “Know your enemy and know yourself and you can fight a thousand battles without disaster”.
The Intel security team has released a whitepaper Understanding Cyberthreat Motivations to Improve Defense which builds upon previous work to help understand different types of attackers. It is only through the understanding of both the threat agents and the technology, can a truly comprehensive and sustainable security be achieved.
Full disclosure: I am a true believer and have spent much of my career expounding the need to pay attention to both the technical and behavioral aspects of cybersecurity. I am a member of the Intel Threat Agent Library team, developed the Threat Agent Risk Assessment (TARA), and have used both successfully to understand and manage risks across projects both enormous and small. I know the value of understanding ones enemy and am resolute in my position is it an absolute necessity to maintain a sustainable and optimal security posture. So in all fairness, take my position as one of an advocate and temper it accordingly.
I urge you to download the white paper and consider adding threat agent perspectives into your risk assessment processes.