• Home
  • About RSIS
    • Introduction
    • Building the Foundations
    • Welcome Message
    • Board of Governors
    • Staff Profiles
      • Executive Deputy Chairman’s Office
      • Dean’s Office
      • Management
      • Distinguished Fellows
      • Faculty and Research
      • Associate Research Fellows, Senior Analysts and Research Analysts
      • Visiting Fellows
      • Adjunct Fellows
      • Administrative Staff
    • Honours and Awards for RSIS Staff and Students
    • RSIS Endowment Fund
    • Endowed Professorships
    • Career Opportunities
    • Getting to RSIS
  • Research
    • Research Centres
      • Centre for Multilateralism Studies (CMS)
      • Centre for Non-Traditional Security Studies (NTS Centre)
      • Centre of Excellence for National Security (CENS)
      • Institute of Defence and Strategic Studies (IDSS)
      • International Centre for Political Violence and Terrorism Research (ICPVTR)
    • Research Programmes
      • National Security Studies Programme (NSSP)
      • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
    • [email protected] Newsletter
    • Other Research
      • Future Issues And Technology (FIT)
      • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
    • Graduate Programmes Office
    • Overview
    • MSc (Asian Studies)
    • MSc (International Political Economy)
    • MSc (International Relations)
    • MSc (Strategic Studies)
    • NTU-Warwick Double Masters Programme
    • PhD Programme
    • Exchange Partners and Programmes
    • How to Apply
    • Financial Assistance
    • Meet the Admissions Team: Information Sessions and other events
    • RSIS Alumni
  • Alumni & Networks
    • Alumni
    • Asia-Pacific Programme for Senior Military Officers (APPSMO)
    • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
    • SRP Executive Programme
    • Terrorism Analyst Training Course (TATC)
  • Publications
    • RSIS Publications
      • Annual Reviews
      • Books
      • Bulletins and Newsletters
      • Commentaries
      • Counter Terrorist Trends and Analyses
      • Commemorative / Event Reports
      • IDSS Paper
      • Interreligious Relations
      • Monographs
      • NTS Insight
      • Policy Reports
      • Working Papers
      • RSIS Publications for the Year
    • Glossary of Abbreviations
    • External Publications
      • Authored Books
      • Journal Articles
      • Edited Books
      • Chapters in Edited Books
      • Policy Reports
      • Working Papers
      • Op-Eds
      • External Publications for the Year
    • Policy-relevant Articles Given RSIS Award
  • Media
    • Cohesive Societies
    • Great Powers
    • Sustainable Security
    • COVID-19 Resources
    • Other Resource Pages
    • Media Highlights
    • News Releases
    • Speeches
    • Vidcast Channel
    • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
Facebook
Twitter
YouTube
RSISVideoCast RSISVideoCast rsis.sg
Linkedin
instagram instagram rsis.sg
RSS
  • Home
  • About RSIS
      • Introduction
      • Building the Foundations
      • Welcome Message
      • Board of Governors
      • Staff Profiles
        • Executive Deputy Chairman’s Office
        • Dean’s Office
        • Management
        • Distinguished Fellows
        • Faculty and Research
        • Associate Research Fellows, Senior Analysts and Research Analysts
        • Visiting Fellows
        • Adjunct Fellows
        • Administrative Staff
      • Honours and Awards for RSIS Staff and Students
      • RSIS Endowment Fund
      • Endowed Professorships
      • Career Opportunities
      • Getting to RSIS
  • Research
      • Research Centres
        • Centre for Multilateralism Studies (CMS)
        • Centre for Non-Traditional Security Studies (NTS Centre)
        • Centre of Excellence for National Security (CENS)
        • Institute of Defence and Strategic Studies (IDSS)
        • International Centre for Political Violence and Terrorism Research (ICPVTR)
      • Research Programmes
        • National Security Studies Programme (NSSP)
        • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
      • [email protected] Newsletter
      • Other Research
        • Future Issues And Technology (FIT)
        • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
      • Graduate Programmes Office
      • Overview
      • MSc (Asian Studies)
      • MSc (International Political Economy)
      • MSc (International Relations)
      • MSc (Strategic Studies)
      • NTU-Warwick Double Masters Programme
      • PhD Programme
      • Exchange Partners and Programmes
      • How to Apply
      • Financial Assistance
      • Meet the Admissions Team: Information Sessions and other events
      • RSIS Alumni
  • Alumni & Networks
      • Alumni
      • Asia-Pacific Programme for Senior Military Officers (APPSMO)
      • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
      • SRP Executive Programme
      • Terrorism Analyst Training Course (TATC)
  • Publications
      • RSIS Publications
        • Annual Reviews
        • Books
        • Bulletins and Newsletters
        • Commentaries
        • Counter Terrorist Trends and Analyses
        • Commemorative / Event Reports
        • IDSS Paper
        • Interreligious Relations
        • Monographs
        • NTS Insight
        • Policy Reports
        • Working Papers
        • RSIS Publications for the Year
      • Glossary of Abbreviations
      • External Publications
        • Authored Books
        • Journal Articles
        • Edited Books
        • Chapters in Edited Books
        • Policy Reports
        • Working Papers
        • Op-Eds
        • External Publications for the Year
      • Policy-relevant Articles Given RSIS Award
  • Media
      • Cohesive Societies
      • Great Powers
      • Sustainable Security
      • COVID-19 Resources
      • Other Resource Pages
      • Media Highlights
      • News Releases
      • Speeches
      • Vidcast Channel
      • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
  • instagram instagram rsis.sg
Connect

Getting to RSIS

Map

Address

Nanyang Technological University
Block S4, Level B3,
50 Nanyang Avenue,
Singapore 639798

View location on Google maps Click here for directions to RSIS

Get in Touch

    Connect with Us

      rsis.ntu
      rsis_ntu
      rsisntu
    RSISVideoCast RSISVideoCast rsisvideocast
      school/rsis-ntu
    instagram instagram rsis.sg
      RSS
    Subscribe to RSIS Publications
    Subscribe to RSIS Events

    RSIS Intranet

    S. Rajaratnam School of International Studies Think Tank and Graduate School Ponder The Improbable Since 1966
    Nanyang Technological University Nanyang Technological University

    Skip to content

     
    • RSIS
    • Publication
    • RSIS Publications
    • Cyber Security: Beware the Human Factor
    • Annual Reviews
    • Books
    • Bulletins and Newsletters
    • Commentaries
    • Counter Terrorist Trends and Analyses
    • Commemorative / Event Reports
    • IDSS Paper
    • Interreligious Relations
    • Monographs
    • NTS Insight
    • Policy Reports
    • Working Papers
    • RSIS Publications for the Year

    CO19153 | Cyber Security: Beware the Human Factor
    Edwin Hooi

    02 August 2019

    download pdf
    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    SYNOPSIS

    The recent major data security breaches reported in Singapore’s public sector over the period of April 2018 to March 2019 may have exposed the “soft underbelly” of Singapore’s national security. Whilst a force multiplier, technology should not eclipse the human factor in cyber security.

    COMMENTARY

    ON 31 MARCH 2019 Prime Minister Lee Hsien Loong convened the Public Sector Data Security Review Committee. Subsequently on 15 July 2019, this was followed up with the Smart Nation and Digital Government Office (SNDGO) announcing the roll out of 13 new cyber security measures as part of a common cyber security framework to be adopted by all government agencies.

    While these are important first steps in the cyber security arms race, a significant challenge that will continually be faced by the SNDGO and possibly all cyber security defenders at large, would be the temptation of viewing the cyber security issue through a technology-biased lens. There is also the notion that cyber security is largely a technical matter which can be addressed with the best technology. The report by the Committee of Inquiry (“COI”) on the Singhealth data breach highlighted that “vulnerabilities in human assets can be just as dangerous as those in information systems”.

    Human Error as a Key Factor

    On 29 January 2019, six months after the Singhealth data breach, confidential records of 14,200 people who had been diagnosed with HIV were stolen from the Singapore Ministry of Health (‘MOH’) and leaked online. In what may be considered a “classic” insider attack, the perpetrator had allegedly gained access to the confidential records by exploiting a personal relationship with a Singapore doctor who had authorised access to the MOH’s HIV registry.

    In March 2019, it was reported that compromised login credentials of Singapore government agency personnel were found to be leaked and put up for sale on the dark web.

    Even in the Singhealth data breach whereby the Advanced Persistent Threat (“APT”) was using advanced hacking tools, the COI concluded that it was highly likely that a phishing email, considered by experts to constitute a non-malicious or inadvertent form of insider attack, led to the initial breach of the Singhealth network security.

    Prima facie, human error or negligence was a key factor in all the said data breaches. The human factor played a dominant role whereby technology alone would not have been able to stop the perpetrators.

    The Insider Threat

    To be circumspect, some of the most serious data security breaches to-date have occurred outside of Singapore. According to the US Department of Health and Human Services website, there have been 2,667 major health data breaches affecting over 193 million individuals in the US as of March 2019 since 2009. On 30 July 2019, a major US bank, Capital One, suffered one of the largest data breaches to-date which resulted in the personal information of approximately 100 million people being stolen by a former employee of one of its cloud computing contractors.

    Arguably the most damaging data breaches would be the exfiltration of highly classified US intelligence information by Chelsea Manning in 2010 and separately by Edward Snowden in 2011. Known as “insider threats”, these incidents resulted in the US government scrambling for countermeasures and precipitated the establishment of the National Insider Threat Task Force (NITTF).

    An insider threat is defined as the potential for an insider to harm an organisation by leveraging on his or her privileged level of knowledge and/or access. The data breaches by Snowden and Manning are clear examples of what is known as the malicious insider attack. The HIV data breach in MOH could easily qualify as another example of a malicious insider attack.

    An “insider threat” may also not necessarily be driven by malicious intent; it may constitute an individual who is complacent or ignorant about security policies and procedures. A lack of training, for example, can lead to ignorance or complacency which in turn can make an organisation vulnerable to security threats. These are known as non-malicious or inadvertent insider threats.

    Hence in the case of the Singhealth data breach, the employees who opened the phishing emails and inadvertently paved the way for the initial breach into the Integrated Health Information Systems Private Limited (“IHiS”) system, could be considered as non-malicious or inadvertent insider threats.

    Importance of Organisational Culture

    Organisational culture, in which the human factor also plays a dominant role, was a key consideration in the COI report on the Singhealth data breach. The report highlighted that the delayed treatment of cyber security issues and incidents by the IHiS staff and middle management in their incident response to the data breach was largely attributed to organisational culture.

    In Amy Zegart’s study of the mass shooting at Fort Hood, Texas in 2008 by an insider which killed 13 and wounded 43, she concluded that organisational weaknesses within the Pentagon played a significant role which led to a series of failures in preventing the shooting.

    Zegart asserted that inappropriate organisational culture and processes resulted in a failure to share information and a misallocation of resources which squandered multiple opportunities to detect and thwart the attack. She called these organisational weaknesses “dark matter that lurked invisibly in the background” which were often overlooked as contributing factors in past disasters.

    Another organisational weakness was the “hidden hazard of routines” which could lead individuals in organisations to continue doing things in the same ways even though it was no longer effective or appropriate in the face of evolving and new threats.

    Case for a Holistic Approach

    As long as human participation in key aspects of organisations or systems is needed, the human factor will remain the weakest link in cyber security. With human users, invariably as insiders of the system or organisation, because of their privileged access to their organizations or systems, they will presumably have intimate knowledge of their organisation/system’s security features and consequently its vulnerabilities.

    In the context of transforming organisational culture to combat organisational weakness and mitigate the insider threat, the public sector and private sector should continue in their efforts to keep employees motivated and loyal, to build security-inclined cultures.

    Such cultures are to promote widespread employee buy-in to the need for cyber security hygiene and to incentivise employees to identify and address potential vulnerabilities. Equally important would be finding an appropriate balance between trusting employees and remaining aware of the possibility of security threats by both insiders and outsiders.

    Whilst the capabilities of cybersecurity software will continually improve with the advancement of technology, barring the advent of fully autonomous artificial intelligence (“AI”) in the likes of “Skynet” from the “Terminator” series of movies, the human factor remains a critical factor.

    The effectiveness of software will only be as good as the data input into them. Technology is undoubtedly a critical force multiplier in any security system, but at the end of the day, it is just that – a force multiplier.

    Sustained vigilance must take a holistic approach incorporating technical means as well as non-technical factors. Among such factors are insider threat mitigation and fostering a strong healthy organisational culture that is security-inclined. All this will remain necessary to address the perennial weaknesses attributed to the human factor in cyber security.

    About the Author

    Edwin Hooi is a certified consultant in Risk and Information Systems Control (CRISC). He has served clients in both private and public sectors in governance, risk management and compliance. An RSIS alumnus, he is a founding executive committee member of the RSIS Alumni Association.

    Categories: Commentaries / Country and Region Studies / Cybersecurity, Biosecurity and Nuclear Safety / Non-Traditional Security / Global

    Last updated on 02/08/2019

    comments powered by Disqus
    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    SYNOPSIS

    The recent major data security breaches reported in Singapore’s public sector over the period of April 2018 to March 2019 may have exposed the “soft underbelly” of Singapore’s national security. Whilst a force multiplier, technology should not eclipse the human factor in cyber security.

    COMMENTARY

    ON 31 MARCH 2019 Prime Minister Lee Hsien Loong convened the Public Sector Data Security Review Committee. Subsequently on 15 July 2019, this was followed up with the Smart Nation and Digital Government Office (SNDGO) announcing the roll out of 13 new cyber security measures as part of a common cyber security framework to be adopted by all government agencies.

    While these are important first steps in the cyber security arms race, a significant challenge that will continually be faced by the SNDGO and possibly all cyber security defenders at large, would be the temptation of viewing the cyber security issue through a technology-biased lens. There is also the notion that cyber security is largely a technical matter which can be addressed with the best technology. The report by the Committee of Inquiry (“COI”) on the Singhealth data breach highlighted that “vulnerabilities in human assets can be just as dangerous as those in information systems”.

    Human Error as a Key Factor

    On 29 January 2019, six months after the Singhealth data breach, confidential records of 14,200 people who had been diagnosed with HIV were stolen from the Singapore Ministry of Health (‘MOH’) and leaked online. In what may be considered a “classic” insider attack, the perpetrator had allegedly gained access to the confidential records by exploiting a personal relationship with a Singapore doctor who had authorised access to the MOH’s HIV registry.

    In March 2019, it was reported that compromised login credentials of Singapore government agency personnel were found to be leaked and put up for sale on the dark web.

    Even in the Singhealth data breach whereby the Advanced Persistent Threat (“APT”) was using advanced hacking tools, the COI concluded that it was highly likely that a phishing email, considered by experts to constitute a non-malicious or inadvertent form of insider attack, led to the initial breach of the Singhealth network security.

    Prima facie, human error or negligence was a key factor in all the said data breaches. The human factor played a dominant role whereby technology alone would not have been able to stop the perpetrators.

    The Insider Threat

    To be circumspect, some of the most serious data security breaches to-date have occurred outside of Singapore. According to the US Department of Health and Human Services website, there have been 2,667 major health data breaches affecting over 193 million individuals in the US as of March 2019 since 2009. On 30 July 2019, a major US bank, Capital One, suffered one of the largest data breaches to-date which resulted in the personal information of approximately 100 million people being stolen by a former employee of one of its cloud computing contractors.

    Arguably the most damaging data breaches would be the exfiltration of highly classified US intelligence information by Chelsea Manning in 2010 and separately by Edward Snowden in 2011. Known as “insider threats”, these incidents resulted in the US government scrambling for countermeasures and precipitated the establishment of the National Insider Threat Task Force (NITTF).

    An insider threat is defined as the potential for an insider to harm an organisation by leveraging on his or her privileged level of knowledge and/or access. The data breaches by Snowden and Manning are clear examples of what is known as the malicious insider attack. The HIV data breach in MOH could easily qualify as another example of a malicious insider attack.

    An “insider threat” may also not necessarily be driven by malicious intent; it may constitute an individual who is complacent or ignorant about security policies and procedures. A lack of training, for example, can lead to ignorance or complacency which in turn can make an organisation vulnerable to security threats. These are known as non-malicious or inadvertent insider threats.

    Hence in the case of the Singhealth data breach, the employees who opened the phishing emails and inadvertently paved the way for the initial breach into the Integrated Health Information Systems Private Limited (“IHiS”) system, could be considered as non-malicious or inadvertent insider threats.

    Importance of Organisational Culture

    Organisational culture, in which the human factor also plays a dominant role, was a key consideration in the COI report on the Singhealth data breach. The report highlighted that the delayed treatment of cyber security issues and incidents by the IHiS staff and middle management in their incident response to the data breach was largely attributed to organisational culture.

    In Amy Zegart’s study of the mass shooting at Fort Hood, Texas in 2008 by an insider which killed 13 and wounded 43, she concluded that organisational weaknesses within the Pentagon played a significant role which led to a series of failures in preventing the shooting.

    Zegart asserted that inappropriate organisational culture and processes resulted in a failure to share information and a misallocation of resources which squandered multiple opportunities to detect and thwart the attack. She called these organisational weaknesses “dark matter that lurked invisibly in the background” which were often overlooked as contributing factors in past disasters.

    Another organisational weakness was the “hidden hazard of routines” which could lead individuals in organisations to continue doing things in the same ways even though it was no longer effective or appropriate in the face of evolving and new threats.

    Case for a Holistic Approach

    As long as human participation in key aspects of organisations or systems is needed, the human factor will remain the weakest link in cyber security. With human users, invariably as insiders of the system or organisation, because of their privileged access to their organizations or systems, they will presumably have intimate knowledge of their organisation/system’s security features and consequently its vulnerabilities.

    In the context of transforming organisational culture to combat organisational weakness and mitigate the insider threat, the public sector and private sector should continue in their efforts to keep employees motivated and loyal, to build security-inclined cultures.

    Such cultures are to promote widespread employee buy-in to the need for cyber security hygiene and to incentivise employees to identify and address potential vulnerabilities. Equally important would be finding an appropriate balance between trusting employees and remaining aware of the possibility of security threats by both insiders and outsiders.

    Whilst the capabilities of cybersecurity software will continually improve with the advancement of technology, barring the advent of fully autonomous artificial intelligence (“AI”) in the likes of “Skynet” from the “Terminator” series of movies, the human factor remains a critical factor.

    The effectiveness of software will only be as good as the data input into them. Technology is undoubtedly a critical force multiplier in any security system, but at the end of the day, it is just that – a force multiplier.

    Sustained vigilance must take a holistic approach incorporating technical means as well as non-technical factors. Among such factors are insider threat mitigation and fostering a strong healthy organisational culture that is security-inclined. All this will remain necessary to address the perennial weaknesses attributed to the human factor in cyber security.

    About the Author

    Edwin Hooi is a certified consultant in Risk and Information Systems Control (CRISC). He has served clients in both private and public sectors in governance, risk management and compliance. An RSIS alumnus, he is a founding executive committee member of the RSIS Alumni Association.

    Categories: Commentaries / Country and Region Studies / Cybersecurity, Biosecurity and Nuclear Safety / Non-Traditional Security

    Last updated on 02/08/2019

    Back to top

    Terms of Use | Privacy Statement
    Copyright © S. Rajaratnam School of International Studies. All rights reserved.
    This site uses cookies to offer you a better browsing experience. By continuing, you are agreeing to the use of cookies on your device as described in our privacy policy. Learn more
    OK
    Latest Book
    Cyber Security: Beware the Human Factor

    SYNOPSIS

    The recent major data security breaches reported in Singapore’s public sector over the pe ...
    more info