Chapter 6

The Malicious Messaging Layered-Defense Framework

Abstract

For those who are responsible for the security of an enterprise or a group effort, an approach to managing the challenge of malicious messaging is useful. The best solution lies not in any single tool or school of thought, but in the layering of many of these tools in such a way as to create a layered approach to protection, which you can think about as similar to the layers of an onion: each layer provides a level of protection, but if it fails, there is another one underneath it. The “Malicious Messaging Layered Defense Framework,” or MMLDF, provides you with a guide to better consider and approach the task of defending the network from technical attacks based on social weaknesses or vulnerabilities.

Keywords

Management
Training
Awareness
Defense in Depth
Defense in Breadth

For those who are responsible for the security of an enterprise or a group effort, an approach to managing the challenge of malicious messaging is useful. It is important to take all the information and research that has been done and evolve it into a comprehensive and holistic solution for a defense structure. The best solution lies not in any single tool or school of thought, but in the layering of many of these tools in such a way as to create a layered approach to protection, which you can think about as similar to the layers of an onion: each layer provides a level of protection, but if it fails, there is another one underneath it.
This concept is not about identifying specific pieces of technology, training programs, or policies that represent a recipe for protection against attack, but rather providing a framework for the design of a defense program. The details of how you combine different tools and approaches should be customized to your situation, because every situation is different. In some situations, a person may only get messages from a small set of friends or relatives. In other situations, a person may be in the position of communicating with many unknown people about a variety of issues. Clearly, these two situations require very different approaches to defense. In the first, all messages except those from the small set of friends should be considered suspect and treated as potentially hostile. That approach is not possible for the second situation, which requires a much more nuanced approach. These two situations, from their composition to their primary objectives, are inherently different and function at different levels. This necessitates that any framework be adaptable to the situation and the organizational structure.

Why use a layered-defense approach

The ideas and methodologies behind a layered-defense structure are not new, and in fact have been used for hundreds, if not thousands, of years. For example, as a response to advances in armaments and offensive technologies, castles and other fortified structures evolved. These had multiple layers of defense designed to keep invading armies out and the inhabitants inside safe. Because of advances in siege technologies, the better fortifications included protected water supplies and livestock containment areas. These fortified areas were the leading technologies of their times and, interestingly enough, remnants of the design elements can still be found in buildings today.1 The reason the design elements remain is because there is still value in such layering of defenses.
Think about castles and their defenses. They had high walls designed to keep intruders from entering, and some were even surrounded by moats.2 The walls were made of thick stone, sometimes in layers, to ensure they could not easily be demolished, which would have exposed the inhabitants. An example of a layered wall structure would be stone layers surrounding an inner core of rubble. If you go to the Coliseum in Rome and visit the nearby archaeological excavations, you can see very nice examples of this type of layering, albeit using brick for the outer layer rather than stone. Turrets and perches on top of the walls enabled the defenders to fire upon invading armies from their relatively safe position. Entry through the wall was limited. Modern physical defenses offer similar methodologies in design and intent: to provide layers of protection. From barbed wire fences and guard towers to motion sensors and missile defense units, the layers remain in today’s guarded structures.
Today, we extend these concepts of protections and defenses to not only physical structures but also to data and the systems that process data. The things we worry about include proprietary information, national defense data, personal identifiable information, and financial data. As individuals, we worry about our sensitive information, financial data, and login credentials. Using a layered-defense model helps us manage what we do to protect data and the infrastructure that supports it. For example, technologies such as firewalls, intrusion detection systems, traffic analyzers, and other tools are commonplace in the typical large organization. All of them work together to create this layered-defense capability.
It is also important to consider the span, or breadth, of the defense strategy. It makes no sense to have multiple tools or methods that all accomplish the same thing in the same way. Simply layering multiple defense tools on top of one another, if they are all configured and intended to prevent the same single action, is not a sufficient method of providing layered defenses. You can think of the spanning issue as “defense in breadth,” as an important corollary to defense in depth.
Malicious messaging can very much benefit from applying this model of defenses. While there has been significant research and investigation into automated tools to detect and eliminate the threat presented by malicious messaging, the reality is that the problem is still only partially helped by such technologies. Automated tools are very effective at protecting standardized automated processes (processes that are highly deterministic in nature) but are only helpful at best when protecting a more subjective process, like how we think or react. Our brains do not work in the same manner as a computer. A better way of stating this is that computers only poorly approximate the amazing complexity of organic neural processes. Computers think in 1s and 0s, true or false, a situation is or it is not. Further, they execute programs that are generally static in nature—the programs do not change, and should not change because the tasks that the program is designed for do not change. If a program is supposed to add 2 and 2, the answer should be 4 every time. While the human brain can indeed compute 2 + 2 systematically and correctly over and over again, the brain can also do other things, such as interpret implied situational symbology, such as that of 2 parents plus 2 children making a family. Human answers to questions can be situational, derived from a mixture of logic, comprehension, and emotion. It is common to not feel completely positive that an answer might be “X” or “Y” but rather view the solution as some mixture of the two. This tendency is precisely what the senders of malicious messages try to exploit. Therefore, an appropriate defensive solution ought to include both a technical defense zone as well as a human defense zone: your brain plus some helpers. These layers of defense can then be used in such a way as to take advantage of the strengths of the two while attempting to mitigate the weaknesses of both.
Conceptually, your defense structure contains six layers across two primary zones. Think of this as the “Malicious Messaging Layered Defense Framework” or MMLDF. This framework provides you with a guide to better consider and approach the task of defending the network from technical attacks based on social weaknesses or vulnerabilities. One zone is a layer of automated tools designed to detect, prevent, and warn users of potential danger. We can call this zone the technology zone. The other zone is all the things that need to be done by humans. We can call this zone the human zone. Within each zone lie the elements that need to be included in a broad and deep defensive strategy. These are the categories, three in each zone, that can be considered layers in the defense. Each is intended to empower the user to make better and more informed decisions as they sort through legitimate and illegitimate requests. A key attribute of this framework is that it is technology independent: no specific tools or approaches are listed within this framework. This is because it is intended to act as a framework and not as a solution.
The human zone contains the following three categories: psychology, awareness, and culture. The technology zone contains these three categories of toolsets: prevention, warning, and detection. Together, these six categories provide the structure for creating a holistic and robust management approach to containing the problem of malicious messaging.
Categories provide the structure for organizing the finer details of the framework. They help you understand how to approach and analyze each part of the problem appropriately. The MMLDF framework is intended to guide the development of defense in depth and breadth, where the breadth comes from the various categories and the depth is provided within each category. For large organizations, a categorical defense structure (CDS) is useful to help the organization consider appropriate layers of depth for each categorical layer of breadth.
The CDS is where the MMLDF addresses the defense in depth. Whereas the main framework primarily considers the breadth of attacks, the CDS addresses the depth of the defense structures. Since this framework is designed to be adapted to each environment and each organization, be it a secret and secure environment or a more open and public space, each implementation would be appropriate to the environment. This approach is inspired by John McCumber’s model for risk management, a seminal work in the security community.3 The idea is that any comprehensive approach should include a policy perspective, an education and training perspective, and a technological perspective. This way all elements are considered together and consequently designed to work together. The implication is that any problem is best protected by utilizing a multi-pronged approach that encompasses the various tools at the fingertips of individuals, managers, and organizations, with solutions that are appropriate to each challenge.
Administrators of such a framework should bear in mind that these three mitigation tactics may not be solved, individually, with a single tool or training. The best practice applied in any of the given strategies may require two or more assets to achieve a desired level of protection. For example, if I were an administrator seeking to establish secure login procedures for my network, I would likely need to establish multiple policies to do so. I might need a password policy that talks about proper length, strength, and usage of any password set in my system. I might also require a policy establishing what privileges users should have to the various resources offered by my organization. I might also require a policy establishing where and when it is acceptable for me to log into those resources. Other more pointed policies might be deemed necessary on top of those already defined for me to achieve my desired level of security. The same constraints may also require the use of multiple technologies to enforce such a mitigation strategy and multiple avenues for training and education to raise awareness to a sufficient level. In the end, the answer is not about finding the perfect tool to solve the problem, but rather finding a great solution among a suite of tools and tactics that achieves the stated goal. It is about finding a depth of solutions that works best for that specific environment in that specific organization at that particular point in time, and adjusting those solutions as time moves forward. It is about solving the issue, not from a single standpoint or point of view, but rather by considering all approaches that could be integrated into a more robust solution.
To use the framework, simply consider all the categories in each zone and identify what is in each category already. Then identify what needs to be done (if anything) to make the situation better.
In the human zone, the categories combine to describe how people feel and act. The organizational culture will dictate to a large extent what types of behaviors are expected, appreciated, and rewarded, as well as what types of behaviors are discouraged or punished, either formally or informally. The psychology of how each individual integrates into the environment is strongly related to culture, but focuses more on how empowered each person is in contributing to identification of problems. These two categories can be changed, but slowly and only with a great deal of effort. Awareness, on the other hand, is fairly easy and has a potentially large return on investment. Simply making individuals aware of problems that might occur can reduce the actual occurrence of problems. So an easy first step is to create an awareness program that integrates knowledge sharing into the creation of a culture of protection.
In the technology zone, the categories speak to the general functions that technologies should be considered for. Prevention, warning, and detection tools are available, but, as with all technologies, they cost money. The costs are not simply associated with acquisition, but also with continued operations, with integration into existing infrastructure, with training the people who operate the technology, and with eventual upgrades. Investing in technologies is important, but should be done carefully.
Like other aspects of information security, technological tools can, and should, be layered with depth and breadth in mind, thus providing adequate and best protection. However, we must carefully assess the value of the assets being protected in order to make an appropriate business decision on the amount of time and money invested to reach an acceptable level of risk. Most organizations are not in the business of security alone. Corporations and other businesses exist not to protect data and assets but rather to make money. Government entities provide services, infrastructure, and protection to their citizens, not just cyber security for their environments. Very few cases feature information security as the primary goal of the firm. With that in mind, it would make very little sense for an organization to spend tens of thousands of dollars on defense technology if the asset itself only has an intrinsic value of $5000. A financial analysis must accompany the security analysis when deciding on technology or any other mitigation tactic.
Just as a financial analysis should accompany the security analysis, so should the organization consider change management and the human side of implementing technological tools. Questions like “how will this impact my users?” and “will the culture of my firm, in its present state, accept such an implementation?” need to be asked and addressed before pursuing and implementing any type of technological toolset. I recently attended a forum where IT restructuring was discussed as part of a greater topic. During the course of that conversation, a participant told of a recent experience she had while working at a national laboratory. The lab’s management had decided to move from a legacy email system to the more modern Gmail platform. What seemed like a simple change was met with great resistance. Eventually, the initiative failed and the lab reverted to its former legacy system. The change failed because the company culture was well established in the ideal of an unchanging environment. Workers who had been there for 20+ years had grown accustomed to their workplace environment and toolsets, and had come to expect an unchanging atmosphere. Thus, when even a simple change in their technologies was presented, they rejected it in favor of what they had come to know and expect.
One of the areas rarely discussed as a mitigation tool is that of a firm’s culture. Culture within an organization represents the norms and unenforced behaviors that exist among the people that make up the organization. Culture within the firm can affect the way people feel toward the organization and toward each other. It may influence desires and aspirations and can even determine the likely actions of an individual. The company culture may determine how one responds to an event or plans their normal routine. It may influence the level of loyalty and dedication one feels toward their organization and specifically toward their job.
Perhaps one of the reasons that culture is rarely discussed as a mitigation tool is because it can be a two-edged sword. When an organization enjoys a cohesive company culture, the variables that are affected by culture act in a positive manner, but when a firm experiences a distracting culture those same variables can be unpredictable and sometimes detrimental. For example, an assembly line worker in a company with a strong culture of quality and excellence may see a defect in a product and decide to remove that product and report the defect to the engineering department for analysis. Conversely, that same worker in a company with a weak culture that reflects a lackadaisical attitude may allow the same product to continue to move down the line and out the door to market, giving little thought or care to the end customer who would receive it.
Culture can also affect, for better or worse, the way cyber threats are handled within the organization. For example, rather than an assembly line worker let us suppose that the employee is now a marketing supervisor who receives a somewhat suspicious email from an old account representative. She notices that the email did not come from the company’s email platform and that it is asking her to follow a link to a third party site in order to update information for a project that was completed last month. Upon following the link to the third party site, she is presented with a verification page asking her to use her company credentials to verify her identity. She recognizes this as a phishing attempt and, in a weak company culture, thinks nothing more of it than to disregard the email. However, in a strong culture of awareness and security she might alert the systems administrator or security staff and forward the example on to them as well. This would enable the security staff to review the threat and send out warnings to the rest of the organization, thus better defending the organization as a whole against this cyber threat.
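As an added illustration of the technology zone’s warning layer applied to the scenario above (example code written for this chapter, not the author’s or any vendor’s tool; the company domain, the phrase list and both sample messages are constructed placeholders), the check below flags a message that combines the three signals the supervisor noticed: an external sender, a link to a third-party site, and a request to re-enter company credentials.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-corp.test"  # assumption: placeholder for the firm's own mail domain

# Wording that asks the reader to re-enter company credentials (constructed list).
CREDENTIAL_PHRASES = (
    "verify your identity",
    "company credentials",
    "confirm your account",
    "log in to update",
)

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample: the chapter's scenario, with placeholder domains.
SAMPLE_MESSAGE = """From: Old Account Rep <rep@partner-mail.test>
To: supervisor@example-corp.test
Subject: Update project information

Hi, please follow https://project-updates.example.test/verify to update the
information for last month's project. You will need to verify your identity
with your company credentials.
"""

# Constructed sample of ordinary internal mail, which should not be flagged.
INTERNAL_MESSAGE = """From: Colleague <colleague@example-corp.test>
To: supervisor@example-corp.test
Subject: Meeting notes

Notes from today are on https://wiki.example-corp.test/notes as usual.
"""

def _is_company_host(host, company_domain):
    return host == company_domain or host.endswith("." + company_domain)

def external_links(body, company_domain):
    """Return the URLs in the body whose host is not the company domain or a subdomain of it."""
    links = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not _is_company_host(host, company_domain):
            links.append(url)
    return links

def assess_message(raw, company_domain=COMPANY_DOMAIN):
    """Score a raw RFC 822 message; warn only when at least two signals coincide."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        body = "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_dom = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_dom and not _is_company_host(sender_dom, company_domain):
        reasons.append(f"sender is outside the company mail platform ({sender_dom})")
    links = external_links(body, company_domain)
    if links:
        reasons.append("links to third-party site(s): " + ", ".join(links))
    hits = [p for p in CREDENTIAL_PHRASES if p in body.lower()]
    if hits:
        reasons.append("asks for credentials or verification: " + ", ".join(hits))
    # Any single signal is common in legitimate mail; the combination is what the
    # supervisor in the scenario recognised, so that is what earns a warning.
    return {"warn": len(reasons) >= 2, "reasons": reasons}

def warning_banner(result):
    """Text a warning-layer tool would show the reader; empty when nothing was flagged."""
    if not result["warn"]:
        return ""
    return ("WARNING: this message shows signs of credential phishing:\n"
            + "\n".join(" - " + r for r in result["reasons"])
            + "\nDo not enter company credentials; forward the message to the security team.")
```

The banner is the technology layer doing its part; the human layer still decides whether the message gets reported, which is where the culture described in the text comes in.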
Creating a strong organizational culture can seem like a daunting task at the onset, but much in the way of research and study has been done to help one work through the process. It is important to focus on two key factors. The two key factors are (1) a rewards system and (2) the idea of psychological safety. In many change management frameworks, the idea of rewards is common. While many researchers agree that a reward system of some type is recommended, at least one warned of the dangers of a misguided one. A misguided reward system is one that focuses on elements that are not critical to mission success. Even if those elements are important in some way, structuring a reward system focused on them distracts people from what is truly important. Therefore, it is important to make sure the reward system emphasizes the critical elements.
In business strategy, there is a concept that “intended” strategy often differs from “realized” strategy. In other words, what we say we value or are going to do does not always align with our actions or what we actually do. Often, the actions or events a firm rewards are not in accordance with what it claims to value. An organization that claims to value employee safety might reward a manager for reducing company costs by reducing the number of safety officers in that organization. Another firm that promotes honesty as one of its values may reprimand an employee who refuses to endorse a project that hides funds in offshore accounts in an effort to evade taxes. In security, if we are to gain the trust of our users then we must ensure that our rewards coincide with our message. If we value reporting, then we cannot reward users for minimal incidents reported throughout the year. We also must be careful how and when we punish those who self-report incidents they became involved in, which leads to the second point: psychological safety.
Psychological safety is simply the reflection that people feel safe doing what they think is right. Members of the team feel comfortable in expressing their beliefs and making decisions that present a moderate degree of risk without fear of reprisal from other team members or management. They feel confident in speaking openly and freely, expressing their thoughts and concerns to coworkers, team members, and/or management. This is a critically important factor in developing cohesive team activities.
The same applies to an organization that hopes to include reporting as part of their mitigation strategies against cyber threats, specifically malicious messaging. Users should feel encouraged by the organizational culture to report such attacks to those who can evaluate the attack and propagate warnings out to the rest of the firm. They need to feel a level of comfort and safety from reprisal in so doing. Great benefits can be gained when a company and its resources, human or otherwise, are able to work together and share information in an effort to further their success.

1 For example, a walk around the Federal buildings in Washington, DC, reveals many dry moats around the buildings. These buildings were clearly built long after the time of castles but the design element was included.

2 A moat, basically, is a trench. Some moats were “wet”: they had some sort of fluid in them. The best of these were diverted rivers. Some moats were “dry”: they were simply deep areas around the walls. Some were dry but could become wet on demand. There were also complicated systems of staged moats and best practices for the design of moats. But the basic point was that they constituted a barrier to entry prior to the wall, which was another barrier to entry: in other words, a layered defense.

3 The McCumber model was first published as an appendix to a government publication, NSTISSI 4011 (a copy of which can be found at http://cryptosmith.com/sites/default/files/docs/MccumberAx.pdf), and later expanded into a comprehensive text on the subject, Assessing and Managing Security Risk in IT Systems: A Structured Methodology by John McCumber (Auerbach Publications; 1st edition, June 15, 2004). A basic explanation of the approach can be found at http://en.wikipedia.org/wiki/McCumber_cube.
