Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Intelligent Machines

A Security Scanner for Human Vulnerabilities

A tool designed to test key employees with benign phishing messages aims to reduce the risk of corporate data breaches.

Many damaging data breaches begin with someone making a mistake, like giving away a password or opening a malicious e-mail attachment.

Data breaches like the one that hit the Pentagon’s e-mail system this week often start when one person makes a simple mistake like opening a phishing message. But the computer security industry is mostly built on tools that probe, patch, or scrutinize software rather than human errors.

Laura Bell, CEO of SafeStack, a security company in Auckland, New Zealand, thinks she has a way to address that discrepancy. She’s developing a kind of security scanner for people, in the form of software called Ava. It sends people targeted e-mails or social-media messages to see how good they are at resisting the scams that lead to dangerous breaches.

“If I’m the attacker, I’m going after the people,” says Bell, who presented Ava at the Black Hat computer security conference Thursday. “People are the path of least resistance, and we have to do something about it.”

Ava takes in data from corporate IT systems to map out the permissions that employees have and assess how frequently they communicate with each other. It also looks for employees’ social-media profiles and the connections between them, which can highlight key relationships that might be valuable to an attacker.

Ava can then be used to send phishing-style messages to employees to test how they respond. There might be a message from a senior executive asking a junior employee for a password, for example, or one from a distant coworker dropping the name of a friend and asking for a work document to be shared via Facebook.

The security industry does have some established ways to try to rein in what are called social-engineering attacks. Security training has become standard at many large organizations, and some companies occasionally stage phishing attacks to drive home the risks of fake e-mail. But Bell says the continual stream of breaches caused by human slip-ups shows that education doesn’t work. Meanwhile, companies that perform phishing tests are rare, and they are generally one-off, manual exercises, she says.

Ava is intended to let organizations probe communication patterns and key relationships continually, says Bell—resulting in something more like an automated defense system such as a firewall. That could make it possible to track changes in a company’s level of human vulnerability over time, perhaps uncovering relationships to project deadlines or training events, she says.

However, Ava is still a work in progress. Bell has tested the software with a few small public- and private-sector organizations in New Zealand, and the team working on the software has grown. Now a newly formed ethics and privacy board is considering the legal and privacy issues that surround intentionally tricking people.

Weren’t able to make it to the Business of Blockchain event this year? Catch up with our coverage of the event.

Watch video now
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe and become an Insider.
  • Insider Plus {! insider.prices.plus !}* Best Value

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    Print Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

  • Insider Online Only {! insider.prices.online !}*

    {! insider.display.menuOptionsLabel !}

    Unlimited online access including articles and video, plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.