Human Firewall Simulator for Enhancing Security Awareness against Business Email Compromise

Abstract

Chief executive officers (CEOs) can turn out to be the weakest link to an organization’s security and attackers know that if they successfully exploit or impersonate someone who has a high level of access like CEOs or chief finance officers (CFOs), they instantly gain great advantage. The problem comes when attacker manages to take control of email accounts of the CEOs and CFOs and sends an email to another staff in the organization, he/she is likely to take it seriously, act accordingly and quickly as possible, and may be wire cash to an account directed by the “CEO/CFO,” and/or get away with private or sensitive corporate information. Because of the nature of these attack methods, detection and protection are very difficult since the attackers take advantage of the human weakness which is the weakest link. The main aim of this study is to provide a solution to protect every surface of the organization. By developing a human firewall, working with the already existing technical solutions offers the solution to remaining problem of human weakness. This research developed a simulator to train the users with the latest trends the attackers are using making them do it right (flagging, reporting, not clicking suspicions links) and making email security part of their responsibility. This makes employee become human firewall. The results from the simulator are displayed in charts as number of employees who passed the test, number of employees who will click on the malicious links, number of employees who will download the dangerous attachments, number of employees who will reply to phishing emails, average awareness of the organization, and how individual employees performed. While organizations have made progress over the years, security is a never-ending process that requires improvement day by day. Since no one in the organization’s structure is immune including the top most in the cadre (i.e., CEO), complexity in understanding and awareness creation is more wanting than before. Integrating human firewall into existing security measures as the last line of defense in email communication against business email compromise frauds offers this solution because it has preventive as well as reactive measures both geared toward maximizing email security. A simulation of the attacks to analyze the user involvement to breaching the security followed by an evaluation simulation after integrating human firewall to the organization’s email security shows success level. The results from the test show the different success levels, that is, results from pre-assessment definitely show low success level since staff/employees have not been made aware/trained to profile or flag compared to when the employees/staff have gone through the training/awareness. Post-assessment indicates high success level because actions from employees turned into human firewall know how to take proper action, for example, flagging, not clicking malicious links. The organization should update its policies to accommodate and reinforce rules on the employees to ensure that the tool is used regularly and actions taken on user deemed a threat to the organizational email security.

Received: 19 September 2022 | Revised: 11 January 2023 | Accepted: 17 January 2023

Conflicts of Interest

The authors declare that they have no conflicts of interest to this work.