Sample Term Paper on The Human Element

The Human Element

In an ideal world there would be no need for access control tools that dictate behavior, since human beings would be perfect. However, this is not the case: human beings are prone to making errors. Such errors are often made because human nature instigates improper decision-making and encourages inappropriate behavior that puts organizations at high risk. Without proper controls, organizations would lose sensitive data, which could compromise their standing in the industry and even affect their sustainability. Organizations therefore feel compelled to invest in access controls so as to protect sensitive information. Such access controls account for the weaknesses of human nature and propose strategies that mitigate them so as to ensure efficacy in business operations.

Human nature can be defined as the sum of qualities and traits that are shared by all human beings. This nature affects relations with one another, the interpretation of events, and the choices made on a daily basis. Human nature has been shaped over thousands of years of evolutionary history. Although it affects the human decision-making process, there is the free will to go against that nature when it does not suit individual needs and goals. In a general sense, human nature often dictates adherence to social norms and the avoidance of any punishment that might arise in cases of contempt. Some individuals choose to violate these norms simply because they perceive no other viable means. Others who break them believe they can do so because they will escape scot-free without any punishment. The majority of hackers fall into the category of breaking norms and escaping without any disciplinary recourse (Bill Ballad, 2010). Hackers are extremely intelligent and exploit the weaknesses of human nature to infiltrate organizational information for their selfish interests. This is why organizations need to invest in proper techniques so as to avoid the exposure that can be propelled by human nature.

Techniques that mitigate on threats arising from human nature

  1. Proper Policy Languages

Policy language can be defined as the tool used to express an organization's policies. In an ideal setup, there should be a specification that generates both human-readable descriptions and formal representations. The formal representations can be used to analyze policies for gaps and inconsistencies, while the human-readable descriptions serve documentation and employee education. The biggest concern with regard to security and the human element, when it comes to policy languages, is their expressiveness and granularity. Both need to be chosen at a level that meets organizational needs.

When companies draft policy, they need to pay keener attention to its observability and enforceability. The best policy for catering for human errors and the threat they expose the company to is one that regulates some part of an organization's workflow. In addition, the policy should give proper descriptions of how to enforce and monitor significant aspects of the corporation. Formal policy languages offer the benefit that contradicting policies can be identified. A policy language should express policies in a way that raises awareness of behavioral aspects, making it possible to regulate and deal with abstract security-threatening events. Domain-specific policy languages should express contingent policy rules so that users can consistently abide by them. Policy languages need a tool that assists users in maintaining a broader understanding of system operations and the subtle effects that might occur in the system if different policies are allowed (Jeffrey Hunker, 2012).

Corporations need to invest in a Unifying Policy Hierarchy in an effort to prevent vulnerabilities that arise due to the human element in system management. Four different levels need to be established when implementing policy. The first is Oracle Policy, which deals with inherent vulnerabilities given perfect knowledge. The second is Feasible Policy, which deals with configuration vulnerabilities when the Oracle Policy has been implemented effectively but with imperfect knowledge. The third is Configured Policy, which deals with real-time vulnerabilities and is implemented via configuration. The fourth is Real Time Policy, which addresses add-in security vulnerabilities. Implementing all four levels resolves all tensions that might be present in organizational workflow and culture by enforcing compliance with security practices (Jeffrey Hunker, 2012).
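The gap and contradiction analysis that a formal policy representation makes possible, as an added Python illustration that is not code from the paper or from Hunker's work. The rule syntax (role, action, resource, effect), the wildcard role "*", the sample policy and the workflow list are all constructed assumptions.

```python
"""Formal policy representation with contradiction and gap analysis.

Added illustration, not code from the paper or from Hunker's work. The rule
syntax, the sample policy and the workflow list are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str, str]  # (role, action, resource, "allow" | "deny")
Step = Tuple[str, str, str]       # (role, action, resource) needed by the business

# Constructed sample policy; the duplicate clerk/write rules model two admins
# entering contradictory rules without noticing.
POLICY: List[Rule] = [
    ("clerk",   "read",   "invoices", "allow"),
    ("clerk",   "write",  "invoices", "allow"),
    ("clerk",   "write",  "invoices", "deny"),   # contradicts the rule above
    ("auditor", "read",   "invoices", "allow"),
    ("auditor", "read",   "payroll",  "allow"),
    ("*",       "delete", "payroll",  "deny"),   # "*" means any role
]

# Constructed workflow steps the organization needs its policy to decide.
WORKFLOW: List[Step] = [
    ("clerk",   "read",  "invoices"),
    ("clerk",   "write", "invoices"),
    ("auditor", "read",  "invoices"),
    ("auditor", "read",  "ledger"),   # no rule covers this step: a gap
]


def find_contradictions(policy: List[Rule]) -> List[Step]:
    """Triples that carry both an allow and a deny rule."""
    effects: Dict[Step, Set[str]] = defaultdict(set)
    for role, action, resource, effect in policy:
        effects[(role, action, resource)].add(effect)
    return sorted(k for k, v in effects.items() if {"allow", "deny"} <= v)


def matching_effects(policy: List[Rule], step: Step) -> List[str]:
    """Effects of every rule that applies to the step (exact or wildcard role)."""
    role, action, resource = step
    return [e for r, a, res, e in policy
            if r in (role, "*") and a == action and res == resource]


def find_gaps(policy: List[Rule], workflow: List[Step]) -> List[Step]:
    """Workflow steps that no rule decides at all."""
    return [s for s in workflow if not matching_effects(policy, s)]


def decide(policy: List[Rule], step: Step) -> str:
    """Deny-overrides evaluation: any deny wins; no rule at all is 'undecided'.
    Writing the resolution rule down makes it reviewable instead of leaving it
    to whichever administrator edited the policy last."""
    effects = matching_effects(policy, step)
    if not effects:
        return "undecided"
    return "deny" if "deny" in effects else "allow"
```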


  2. Active Access Control

Access control can be defined as a mechanism for preventing insider attacks from taking place. The ideal access-control policy grants the user sufficient privileges to perform the necessary tasks while constraining access according to the rules set in the organization. The rules in place should be based on the principle of least privilege: the fewer privileges a user is granted, the better off the company is in terms of information security. Such a system also allows specific rights to be added back for a user when a task requires them. Essentially, constrained access provides a mechanism whereby actions can be split into separate duties, engaging multiple persons in individual actions in order to complete a task.

Access control is the mechanism of providing limited access to electronic resources based on some set of credentials. The mechanism often has two components, authentication and authorization. Authentication demonstrates possession of credentials and shows who or what the system is interacting with. It can be based on what you know (password), what you have (access card), what you are (biometrics), and in some cases even a specific location. After authentication, authorization takes place, where the system determines whether the credentials given are sufficient to provide the type of access that has been requested.

In a perfect world, a perfectly unbreakable access-control system would eliminate any insider attack generated by human elements. However, the world is anything but perfect, which negates any prospect of such a system being fully effective. Access control maps users with sufficient access to system resources. The best approach in this regard is Role-based Access Control (RBAC), which maps defined roles in the organization to access to specific resources. Temporal RBAC extends the approach by specifying time constraints on when a role can be enabled or disabled. The access control also needs to specify monitoring and auditing requirements (Jeffrey Hunker, 2012). Having an access control system ensures that users can always be tracked and monitored. Entry and interaction with the system can be monitored, thereby ensuring that external attacks due to the human element are avoided.
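Least privilege, temporal RBAC and the auditing requirement from the two paragraphs above, as an added Python illustration that is not code from the paper or from Hunker's work. The role names, permissions, the 22:00 to 06:00 window and the requests in demo() are constructed assumptions.

```python
"""Temporal RBAC with least privilege and an audit trail of every decision.
Added illustration, not code from the paper or from Hunker's work; roles,
time windows, users and the requests in demo() are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

@dataclass
class Role:
    name: str
    permissions: Set[Tuple[str, str]]  # (action, resource) pairs this role grants
    # Window in which the role is enabled (temporal RBAC); default is always on.
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def enabled_at(self, now: datetime) -> bool:
        t = now.time()
        if self.start <= self.end:
            return self.start <= t <= self.end
        return t >= self.start or t <= self.end  # window crosses midnight

@dataclass
class TemporalRBAC:
    roles: Dict[str, Role]
    assignments: Dict[str, Set[str]] = field(default_factory=dict)  # user -> role names
    audit_log: List[str] = field(default_factory=list)

    def check(self, user: str, action: str, resource: str, now: datetime) -> bool:
        """Allow only if an enabled role of the user grants the pair; log every decision."""
        granted_by = None
        for role_name in sorted(self.assignments.get(user, set())):
            role = self.roles[role_name]
            if role.enabled_at(now) and (action, resource) in role.permissions:
                granted_by = role_name
                break
        verdict = "ALLOW" if granted_by else "DENY"
        self.audit_log.append(f"{now.isoformat()} user={user} action={action} "
                              f"resource={resource} decision={verdict} role={granted_by or '-'}")
        return granted_by is not None

def build_demo() -> TemporalRBAC:
    """Constructed example: a daytime clerk and a night operator enabled 22:00-06:00."""
    roles = {
        "clerk": Role("clerk", {("read", "invoices"), ("write", "invoices")}),
        "night_ops": Role("night_ops", {("run", "backup-job"), ("read", "invoices")},
                          start=time(22, 0), end=time(6, 0)),
    }
    return TemporalRBAC(roles, {"alice": {"clerk"}, "dan": {"night_ops"}})

def demo() -> Tuple[List[bool], List[str]]:
    """Constructed requests; returns the decisions in order plus the audit trail."""
    rbac = build_demo()
    decisions = [
        rbac.check("alice", "read", "invoices", datetime(2024, 5, 1, 10, 0)),
        rbac.check("alice", "delete", "invoices", datetime(2024, 5, 1, 10, 0)),  # least privilege
        rbac.check("dan", "run", "backup-job", datetime(2024, 5, 1, 23, 30)),
        rbac.check("dan", "run", "backup-job", datetime(2024, 5, 1, 10, 0)),   # role disabled by time
        rbac.check("dan", "run", "backup-job", datetime(2024, 5, 2, 3, 0)),    # window past midnight
    ]
    return decisions, rbac.audit_log
```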


  3. Consistent Monitoring Activities

Harmful insiders who operate within corporations to compromise data can often be identified by observing their patterns of information usage. Having a system that supports consistent monitoring activities can come in handy in detecting precursors to insider attacks. Monitoring can be carried out using three techniques. The first is misuse detection. Human actions and interaction with the system are observed on a consistent basis to recognize threats to the system. Through rule-based detection, where observed events are matched against models of threatening behavior, systematic fraud due to weaknesses in human elements can be curbed early enough. It can form an extension of intrusion detection systems. The modeling needs to be based on regular expressions and Petri nets.

The second mechanism that can be utilized in monitoring is investment in anomaly detection. This feature flags significant deviations from the expected normal tendencies of the system. Such deviations can indicate anomalous misuse of the system in an effort to hack it and steal information. The anomaly detection system to be implemented would need to contain three parts. The first part involves database information that is collected and used to establish behavioral norms. The standard behavior can be acquired from training data, statistics, data mining, artificial neural networks, and Markov processes. The second part involves constructing a monitoring infrastructure that captures events relevant to building dynamic behavioral profiles. The third part brings the two together by triggering actions when behavior falls outside the expected boundaries, thereby signaling a supervisor to look at the action in question.

The third approach entails monitoring at the host level and the network layer. Host sensors are much more difficult to deploy than network sensors. Many specialists reckon that insider problems due to the human element never touch the network level. One such system that corporations can put in place is ELICIT (Jeffrey Hunker, 2012). This system monitors the use of sensitive search terms, printing to local printers, anomalous browsing activity, and retrieval of documents on the social network. At the network layer, honeytokens and honeypots can be used to trap ill-intentioned users who obtain information they are not meant to have or that is inappropriate for them. These mechanisms would ensure that the corporation can weed out human elements in the corporation that are not focused on preserving critical corporate information.
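The three monitoring techniques of this section in one added Python illustration: regular-expression misuse rules for sensitive search terms, bulk local printing and a honeytoken document (the ELICIT-style signals above), plus a baseline anomaly detector over per-user retrieval counts. This is not code from the paper, ELICIT or Hunker's work; the log format, rule patterns, page threshold, baseline figures and the sample events are all constructed.

```python
"""Rule-based misuse detection and baseline anomaly detection over audit events.
Added illustration, not code from the paper, ELICIT or Hunker's work. The log
format, the rules, the baseline figures and the sample events are constructed.
"""
import re
import statistics
from collections import Counter

# Constructed sample events for one day, one line per user action.
EVENTS = """\
user=alice action=search term=quarterly-report
user=alice action=retrieve doc=hr/handbook.pdf
user=bob action=search term=merger-plan
user=bob action=retrieve doc=finance/honeytoken-bonus-list.xlsx
user=bob action=print pages=240 printer=local
user=carol action=retrieve doc=eng/spec-12.pdf
user=carol action=retrieve doc=eng/spec-13.pdf
user=carol action=retrieve doc=eng/spec-14.pdf
user=carol action=retrieve doc=eng/spec-15.pdf
user=carol action=retrieve doc=eng/spec-16.pdf
""".splitlines()
USER_RE = re.compile(r"user=(\w+)")
BULK_PRINT_PAGES = 100  # constructed threshold for a "bulk" local print job

# Misuse rules: each regular expression models one threatening behaviour.
MISUSE_RULES = [
    ("sensitive search term", re.compile(r"action=search term=(merger|layoff|acquisition)")),
    ("honeytoken access",     re.compile(r"action=retrieve doc=\S*honeytoken")),
    ("bulk local print",      re.compile(r"action=print pages=(\d+) printer=local")),
]
# Constructed history: document retrievals per day for each user (the baseline).
BASELINE = {"alice": [2, 3, 2, 4, 3], "bob": [1, 0, 2, 1, 1], "carol": [2, 2, 3, 2, 3]}

def misuse_alerts(events):
    """Match every event against the rules; returns (user, rule name) pairs."""
    alerts = []
    for line in events:
        user = USER_RE.search(line).group(1)
        for name, pattern in MISUSE_RULES:
            m = pattern.search(line)
            if m is None:
                continue
            if name == "bulk local print" and int(m.group(1)) < BULK_PRINT_PAGES:
                continue  # small print jobs are normal, not misuse
            alerts.append((user, name))
    return alerts

def anomaly_alerts(events, baseline, sigmas=3.0):
    """Flag users whose retrievals today exceed mean + sigmas * stdev of their
    history (the behavioral profile); returns (user, count, threshold)."""
    today = Counter(USER_RE.search(l).group(1) for l in events if "action=retrieve" in l)
    alerts = []
    for user, history in baseline.items():
        mean, stdev = statistics.mean(history), statistics.pstdev(history)
        threshold = mean + sigmas * max(stdev, 0.5)  # floor so a flat history still has a band
        if today.get(user, 0) > threshold:
            alerts.append((user, today[user], round(threshold, 2)))
    return alerts
```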



  4. Investment in Human Security

The whole essence of information being prone to misuse revolves around the human weakness to engage insufficiently in behaviors intended to preserve corporate information. All hope is not lost as regards the perceived weakness in human elements, since the company can engage in activities that prevent the entry of such negative elements into the corporation while upholding proper integrity within it. Human security can be defined as the reasonable standards within the institution, held by an individual, that facilitate the security of the entire company's information. When an individual does not have these characteristics, the company stands a higher chance of losing any information issued to this person. This can cost the company a lot, especially when the loss of such information discourages business.

The perceived human weakness can be negated by undertaking background checks before employing any individual to interact with sensitive information. This can involve asking the potential employee about their employment history and qualifications. If they worked for other companies before, why did they leave? Such questions can assist the corporation in determining the integrity of that individual and whether they are trustworthy enough to handle sensitive information. Any credit and criminal references should raise a red flag about that individual's ability to be trusted with sensitive information.

After employment, the company should embark on a proper training program where security awareness is made a priority for all employees (Enterprise Risk Management Inc., 2013). The new employee should be trained on the potential threats the company can face and how to handle such situations. This type of training should be offered to all employees on a consistent basis so as to ensure they are constantly aware of the security threats the company is prone to. All employees can be encouraged to utilize assistance programs whenever they feel that the system is not operating effectively with regard to security. The corporation should invest in a counterintelligence unit that deals with issues arising from human elements as regards system security. An employee feedback mechanism can also be utilized to get user-specific information targeted at enhancing system security.


  5. Physical Document and Media Security

The human element comes into play when considering physical and media security. The corporation should consider certain aspects of the external and internal environment when constructing the policies and procedures that underlie success. Outside mail and packages need to be considered for Unabomber-style and anthrax situations. Safes, locked cabinets, and drawers should be used to prevent unauthorized access by human elements in the corporation who engage in corporate theft. When paper and digital media are disposed of, they should be shredded and destroyed, thereby preventing any unauthorized use after their supposed destruction. The company should invest in proper encryption tools that protect software and hardware against loss and theft instigated by human elements (Enterprise Risk Management Inc., 2013). In addition, there should be incident response policies and procedures for stolen data and physical breaches. Such procedures enable the company to formulate proper mechanisms that prevent such breaches from taking place.

Consequences of a poor hiring decision

Corporations should invest in proper hiring techniques that ensure they can hire the best human elements in the field. This facilitates their operations and ensures they achieve the best they can. However, this is not always the case, and hiring can result in a workforce that is not sufficient for company operations. The most obvious consequence of a poor hiring decision is the recruitment of unqualified staff who cannot function effectively in facilitating company operations. The other costs involved in hiring the wrong person are those incurred in the hiring process, which include advertising costs and the cost of reviewing applications. There are also costs incurred due to time lost during the interviewing, training and relocation process (Shaugnessy, 2013). Such costs can grow into vast sums that would be detrimental to corporations if allowed to continue.

There are indirect consequences to the corporation when the wrong person is hired for a job. Such consequences include severance costs and expenses associated with employment tribunals. Another effect might be on team morale and productivity, since other employees will not be happy to work with somebody who is not qualified for the job at hand. In addition, there might be a loss of customers and market share due to damage to the company's reputation and brand. Hiring the wrong person means that they cannot deliver on their duties and will be unable to serve customers effectively; they in turn will discourage customers and sales. In an attempt to achieve the best, managers may review the performance of such employees and decide to fire them so as to preserve the image of the company. The time spent doing this and the resources used in hiring another person are factored in as a loss in this process. In fact, if the process continues, high employee turnover can discourage top-tier candidates from applying for posts in the company, thereby denying it qualified, skilled resources (Bill Ballad, 2010).

Steps for preventing poor hiring decisions

  1. Any vacant role in the organization should have a well-structured job description, prepared by those already in the role.
  2. Develop objective and consistently applied criteria for evaluating candidates, and make sure that the process is explained to all candidates.
  3. Select from the broadest candidate pool, using the assistance of an experienced recruitment company.
  4. An objective evaluation process should contain behavioral and aptitude testing.
  5. Make sure that the prospective employee understands the performance expectations and undertakes to meet
  6. Engage all references on the CV to understand how potential employees function in their duties. A proper reference policy should go beyond listed references and engage former colleagues (Shaugnessy, 2013).

Learning outcomes of policy that observes personnel in an ongoing manner

When a policy is executed to observe staff in a continuous manner, the corporation can learn a lot about optimal performance and enhancement. An effective policy that observes personnel on an ongoing basis enables managers to evaluate and measure individual performance. By doing this, managers can optimize productivity and ensure that employees are focused on attaining the company's goals and vision.

The policy will enable top management to learn how individual employees function and to align their day-to-day activities with strategic business objectives. An appropriate system will provide knowledge of optimal timelines and enable managers to clarify accountability related to performance expectations. Employee feedback can also enable the corporation to document individual performance and support career planning decisions. In addition, such a policy shows management where there is a need for skill development to meet company objectives. The policy ensures that the corporation can monitor employee performance on a consistent basis, thereby improving on any issues that might arise with the systems in place. Most importantly, disgruntled employees can be noted and monitored so as to identify any risks they might pose to the systems in place in the organization (Bill Ballad, 2010).

Best practices of human nature and organizational behavior

Best practices can be defined as the most appropriate practices that should be implemented under the prevailing circumstances to achieve the desired optimum results. Organizational behavior forms an interface between human elements and organizational structures. Some practices are:

  1. The corporation should engage in consistent training of employees on the security requirements of the system in order to meet organizational goals.
  2. Frequent job rotations and periodic vacations are needed to enhance performance and avoid any vulnerability from employees.
  3. There should be a separation of duties among employees in order to contribute to the success of the corporation's access control.
  4. Ethical standards should be set in the corporation to control human weaknesses and enhance performance.
  5. Proper termination policies, where stratified actions can be undertaken after termination. These include locking terminated employees' network accounts and workstations. Data should be backed up, thereby preventing employees from causing damage after termination (Bill Ballad, 2010).



References

Bill Ballad, T. B. (2010). Access Control, Authentication, and Public Key Infrastructure. Sudbury: Jones & Bartlett Publishers.

Enterprise Risk Management Inc. (2013). Social Engineering: Hacking Human Nature. Florida: Enterprise Risk Management Inc.

Jeffrey Hunker, C. W. (2012). Insiders and Insider Threats: An Overview of Definitions and Mitigation Techniques. Denmark: Technical University of Denmark.

Shaugnessy, S. (2013). The Impact of Poor Hiring Decisions. Thought Leadership, 1-2.