Skip to Content

A Security Scanner for Human Vulnerabilities

A tool designed to test key employees with benign phishing messages aims to reduce the risk of corporate data breaches.
August 7, 2015

Data breaches like the one that hit the Pentagon’s e-mail system this week often start when one person makes a simple mistake like opening a phishing message. But the computer security industry is mostly built on tools that probe, patch, or scrutinize software rather than human errors.

Laura Bell, CEO of SafeStack, a security company in Auckland, New Zealand, thinks she has a way to address that discrepancy. She’s developing a kind of security scanner for people, in the form of software called Ava. It sends people targeted e-mails or social-media messages to see how good they are at resisting the scams that lead to dangerous breaches.

“If I’m the attacker, I’m going after the people,” says Bell, who presented Ava at the Black Hat computer security conference Thursday. “People are the path of least resistance, and we have to do something about it.”

Ava takes in data from corporate IT systems to map out the permissions that employees have and assess how frequently they communicate with each other. It also looks for employees’ social-media profiles and the connections between them, which can highlight key relationships that might be valuable to an attacker.

Ava can then be used to send phishing-style messages to employees to test how they respond. There might be a message from a senior executive asking a junior employee for a password, for example, or one from a distant coworker dropping the name of a friend and asking for a work document to be shared via Facebook.

The security industry does have some established ways to try to rein in what are called social-engineering attacks. Security training has become standard at many large organizations, and some companies occasionally stage phishing attacks to drive home the risks of fake e-mail. But Bell says the continual stream of breaches caused by human slip-ups shows that education doesn’t work. Meanwhile, companies that perform phishing tests are rare, and they are generally one-off, manual exercises, she says.

Ava is intended to let organizations probe communication patterns and key relationships continually, says Bell—resulting in something more like an automated defense system such as a firewall. That could make it possible to track changes in a company’s level of human vulnerability over time, perhaps uncovering relationships to project deadlines or training events, she says.

However, Ava is still a work in progress. Bell has tested the software with a few small public- and private-sector organizations in New Zealand, and the team working on the software has grown. Now a newly formed ethics and privacy board is considering the legal and privacy issues that surround intentionally tricking people.

Keep Reading

Most Popular

This startup wants to copy you into an embryo for organ harvesting

With plans to create realistic synthetic embryos, grown in jars, Renewal Bio is on a journey to the horizon of science and ethics.

VR is as good as psychedelics at helping people reach transcendence

On key metrics, a VR experience elicited a response indistinguishable from subjects who took medium doses of LSD or magic mushrooms.

This nanoparticle could be the key to a universal covid vaccine

Ending the covid pandemic might well require a vaccine that protects against any new strains. Researchers may have found a strategy that will work.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.