=Paper=
{{Paper
|id=Vol-3179/Short_3.pdf
|storemode=property
|title=The Elimination of Human Factor and its Effects in Corrupting Security
|pdfUrl=https://ceur-ws.org/Vol-3179/Short_3.pdf
|volume=Vol-3179
|authors=Volodymyr Nakonechnyi,Natalia Lukova-Chuiko,Anastasiia Petrenko,Anna Kyrylenko
|dblpUrl=https://dblp.org/rec/conf/iti2/NakonechnyiLPK21
}}
==The Elimination of Human Factor and its Effects in Corrupting Security==
https://ceur-ws.org/Vol-3179/Short_3.pdf
The Elimination of Human Factor and its Effects in Corrupting
Security
Natalia Lukova-Chuiko, Volodymyr Nakonechnyi, Anastasiia Petrenko and Anna Kyrylenko
Abstract
Security is one of the greatest concerns for organizations in the whole world regardless of its
scale. This is so because intruders never sleep and try to compromise organizations security
many times in a variety of ways. At first, the increase in hacker campaigns has led to new
solutions focused on technology tools, while research related to the human factor has been
limited. Eventually, the focus of building cybersecurity shifts to people since 95% of all
security incidents occur through human error rather than due to targeted attacks. No matter
how many technologies are dedicated to ensuring security, how much money companies spend
on security, the weakest point in any system is human – and it is impossible to make people
do/don’t perform specific actions because of their essence. The purpose of the article is to
outline the aspects of the human factor being the main reason for security breaches and to
suggest general ways of improving the safeguard level of enterprises by creating new
cybersecurity awareness programs to educate each employee and help information security
administrators have correct and clear configuration.
Keywords 1
Security, human factor, threats, misconfigurations, cybersecurity awareness
1. Introduction
Increased threats to information technology have led to new solutions focused on technology tools,
while research related to the human factor has been limited. Organizations often ignore the human
factor. Security research from Cisco Systems found that users who work remotely will still engage in
activities that threaten security. A study of employee behavior showed that upon receiving a suspicious
email, 37% will not only open the email but follow the link, while 13% will open the attached file. In
addition, after receiving a regular email, 42% clicked on a link and provided confidential information,
and 30% opened a file that would supposedly improve computer performance.
A survey was conducted by Cisco among security professionals and IT departments to identify their
top priorities over the next several months.
About 44% of respondents said their IT departments and security professionals spent less than 20%
of their time on day-to-day operational security. Another 32% said they devoted 20 to 40 percent of
their time to safety. Only 20% of participants dedicated a significant portion of their daily and weekly
administrative activities to securing their systems and networks (see Figure 1).
Among security software, there are firewalls, antiviruses, intrusion detection systems, data
governance systems etc., each of which performs specific functions and is aimed at solving specific
tasks. However, we can use the best software, which uses the most advanced technologies,
cryptographic algorithms, but at the same time, we cannot be 100% sure that our system is invulnerable.
Because people are involved in the implementation of all decisions and their application in practice,
and people tend to make mistakes. A person, being a part of the system, was and remains the most
vulnerable spot in the security system [1]. For paragraph, use Normal. Paragraph text. Paragraph text.
Paragraph text. Paragraph text. Paragraph text. Paragraph text. Paragraph text. Paragraph text.
Information Technology and Implementation (IT&I-2021), December 01–03, 2021, Kyiv, Ukraine
EMAIL: lukova@ukr.net (N. Lukova-Chuiko); nvc2006@i.ua (V. Nakonechnyi); petrenkoa@fit.knu.ua (A. Petrenko);
kyrylenkoa@fit.knu.ua (A. Kyrylenko);
ORCID: 0000-0003-3224-4061 (N. Lukova-Chuiko); 0000-0002-0247-5400 (V. Nakonechnyi); 0000-0002-4713-8125 (A. Petrenko);
0000-0002-5532-0023 (A. Kyrylenko)
©️ 2022 Copyright for this paper by its authors.
Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org)
302
�Figure 1: Common types of cyberattacks in 2020
The human factor is the reason for the success of many attacks, and many examples prove this
hypothesis.
2. Current situation in the world
Last years the whole world has faced many challenges. The global lockdown hit most technology
industries, including information security. Robust data protection remains a daily business challenge.
A side effect of the pandemic was a huge increase in the number of hacker attacks on databases. Recent
research shows that most companies do not care about proper security and do not pay attention to the
issue of information security at all [2].
2.1. Loudest security incidents caused by human factor
The above-mentioned statistics leave no doubt that at the moment the human factor is one of the
main risk factors in terms of information security. “As the recent foreign incidents in the oil industry
show, the human factor can negate almost all efforts to protect the infrastructure,” says Sergey
Khalyapin, chief engineer of the Russian representative office of Citrix. “The more opportunities for
‘outsiders’ to communicate with employees of the company, the higher the risk of losing information
or breaching the security system” [3]. On January 12 due to an error in the configuration of the cloud
storage, social media management firm Socialarks made public the data of at least 214 million users,
including celebrities. During a routine scan of IP addresses, a team of researchers came across a 408-
gigabyte Elasticsearch database that was neither password-protected nor encrypted. The database
consisted of 318 million records that were illegally collected from user profiles on LinkedIn, Instagram
and Facebook [4]. On August 12, the Lithuanian Ministry of Foreign Affairs reported a "spoofing
attack". According to representatives of the Ministry of Foreign Affairs, during the attack, the hackers
sent letters from the department's e-mail address. Messages with a request to provide personal
confidential documents were received not only by private individuals but also by some state institutions
of the country [5]. Security has always been the greatest concern for each company regardless of its
scale and remains to be. The reason is simple: intruders never sleep and try to compromise
organizations security each time with various approaches. Ensuring security is a continuous process
and in general consists of several steps.
2.2. Classification of threats
The information infrastructure of an enterprise is constantly exposed to numerous threats, which by
their origin is divided into several types and are represented in the Figure 2:
Natural - threats caused by causes beyond human control. These include hurricanes, fires,
lightning strikes, floods, and other natural disasters
303
� Artificial - a complex of human-created information security threats. Man-made threats, in
turn, are divided into intentional and unintentional. Intentional threats include the actions of
competitors, hacker attacks, sabotage of offended employees, etc. Unintentional threats arise
as a result of actions committed due to lack of competence or through negligence
Internal - threats that arise within the information infrastructure of the enterprise
External - threats that originate outside the information infrastructure of the enterprise
Figure 2: Example figure
At this step, they use SAST (Static Application Security Testing) and DAST (Dynamic Application
Security Testing), implement SIEM systems, apply IDS/IPS (Intrusion Detection/Prevention System)
to their infrastructure and many other tools to secure their data at each level of data flow – from physical
to application. On media, we often hear that a company has announced a tender on applying the new
tool to increase the level of security. Eventually, the cost is the decisive factor and many other options
are considered less important. In that way, companies try to win by quantity, but they have forgotten
about the most vulnerable item in the system – human
2.3. Characteristics of human factor and errors
It doesn’t matter how many technologies are included in ensuring security, how much funds
companies spend on security, the weakest point in any system is human – and it is impossible to make
people do/don’t perform specific actions because of their essence.
The system cannot check that person who gives the credentials is the owner of them, it only checks
that they match the expected input. In that case, the intruder gets access to internal infrastructure without
detecting the monitoring system (it perceives him as an authorized user).
That’s why we are not able to fully eliminate security threats associated with human factors by
technologies. It can only be done by educating the employees and checking their level of awareness.
It’s a common fact that the effectiveness of studying the courses is not compatible with resources spent
on creating, maintaining, and reviewing these training. Human and organizational factors can be related
to technical information security. The factors affecting the security of a computer are divided into two
categories, namely the human factor and the organizational factor. Human factors are more important
than other factors. They are divided into the following groups: factors that relate to management,
namely workload and poor performance of staff; end-user factors. Next, we'll focus on four human
factors that have significant implications for influencing userbehavior [6]:
304
� 1. Lack of motivation. Many organizations believe that employees need to be motivated to
behave safely with information assets, and management must be able to determine what
motivates their personnel
2. Lack of awareness. The lack of awareness stems from a lack of general knowledge about
attacks. Common examples of lack of awareness include the following: Users do not know
how to identify spyware and spyware and how important it is to enter a strong password.
They cannot protect themselves from identity theft, nor how to control other users' access
to their computers
3. Belief. Common examples of risky persuasion are that users believe that installing antivirus
software solves their security concerns
4. Illiterate the use of technology. Even the best technology cannot succeed in solving
information security problems without continuous human cooperation and effective use of
this technology. Common examples of inappropriate use of technology include: creating
unauthorized reconfiguration of systems, accessing the passwords of others, obtaining
invalid information. Computer security risks can be classified in several ways: abuse of
privilege, errors and omissions, denial of service, social engineering, unauthorized access,
identity theft, phishing, malware, and unauthorized copies
2.4. Signs of the issue
Estimates from various analytical companies and information security experts indicate that about
half of incidents in the field of data protection are associated with the activities of insiders. Analytical
center Falcongaze has prepared a list of signs that the company should attend to the issue of protection
from information leaks. Let's give it:
1. Lack of corporate security policy
2. High staff turnover and frequent layoffs
3. Uncontrolled use of messengers, email, social networks by employees
4. The presence of employees who spend a lot of time on business trips and business trips
5. Uncontrolled document flow, as a result of which anyone can get access to confidential
information
There are other signs that not enough attention has been paid to protection against information leaks,
but according to Falcongaze, if at least one of these points is true for your company, it definitely falls
into the risk group.
2.5. Minimizing the risks
In 2017, cyber security experts noted the increased interest of cyber fraudsters and insiders in
industrial companies. The trend will only intensify, because the informatization of industrial facilities
is gaining momentum, and even strong security services will be forced to build up the capacity of
protective equipment in order to be ready to repel new types of threats.
How to minimize the influence of the human factor on the information security of an organization?
Specialists determine three aspects to the solution to this problem [7]:
1. Formation and regular updating of the list of information and powers that are minimally
necessary for the user to perform their duties
As a rule, in the process of working in an organization, a user begins to have more privileges than
is necessary to perform his duties. As a result of compromising the account of such a user, the attacker
gains significantly more opportunities for illegal actions than the "security" would like.
Recipe: The set of rights and privileges for each functional role in the organization should be at
the "Need-to-know" level and no more. This kit should be audited annually.
2. Teaching users the basics of information security
This is the most problematic aspect, it is tied to the corporate culture of the organization, the
maturity of information security processes, the selection of appropriate communication tools for each
user group. At the same time, it is not enough to convey to users the information security policy in a
form that is understandable to them, it is necessary to motivate them to implement it. Here I would like
to mention the example of Salesforce and the approach of its information security team to changing the
305
�user behaviour model through the introduction of competitive elements (the so-called gamification).
This program covered 14 thousand employees of the organization. Based on its results, a survey was
conducted, and more than half of the participants said that they were less likely to click on a suspicious
link, and more than 80% were more likely to report suspicious activity to the information security
service. Recipe: Implementation of a comprehensive training program for personnel, which includes:
Focus on common attacks that are easiest to stop at the user level
Submitting material through short, user-friendly online courses, keeping information on
attacks up-to-date
Mandatory fulfilment of the program requirements by all employees of the organization,
including top management
Monitoring the progress of training
Support of training by top management
3. Minimization of the “zoo” in information security systems, getting rid of disparate legacy
solutions and focusing on consolidated information security systems with centralized
management
The operation of many separate products responsible for performing various information security
tasks increases the likelihood of conflicts between various means, unintentional errors in the
configuration of products, and also significantly lengthens the period for their correction.
Recipe: The maximum possible consolidation of products from one manufacturer with a centralized
management and monitoring system. For example, a single product should be responsible for all
endpoint security functions and should be as easy to manage as possible.
3. Security misconfigurations
The pillar of network security is firewall systems but even though it doesn`t guarantee the proper
level of access control. This is not because of technical competency lack but rather the heart of the
matter is the human factor. Laziness is a well-known problem when dealing with the administration
field. Therefore, it leads to security misconfigurations, which in particular can result in data breaches
and so on. This is just one particular use case but it should be also discussed in detail.
If we dig in technical details of the network use case of security misconfiguration - not a properly
managed process of changing security rules and policies. Moreover, when an access rule on the firewall
is being changed there must be an analysis of risks associated with it. And none of this is usually have
done ever [8]. Security misconfiguration is on the 6th place in OWASP TOP 10 Vulnerabilities along
with broken access control and cross-site scripting. This vulnerability is caused by the human factor as
well.The attack vector aims to gain access to default accounts, unused pages, unprotected files and
directories, etc. in order to gain unauthorized access to the system. Such flaws often give attackers
unauthorized access to some system data or functions. Sometimes such flaws lead to a complete system
crash. This vulnerability can greatly affect the reputation of the organization, therefore it is better not
to have it and find a way of mitigation
Administrators are people too, and as ordinary workers, they need training and regular audits of the
settings for non-compliance with the particular company security standards. A good base for firewall
security is the NIST standard, DISA STIGs and CIS benchmarks. Firewall assurance ensures the state
of your network is always in line with security policy design and helps reduce risks on firewalls
themselves. A firewall is a typical network security solution and its incorrect settings can lead to an
information security incident. This can relate to both general configurations and inaccuracies in the
logic of the operation of its access policies. For example, weak passwords on the default user interface
can make life much easier for an attacker. Or, on the other hand, insufficiently prohibitive rules can
allow the passage of potentially malicious traffic, which in turn can lead to unauthorized access and
subsequent financial loss and/or data compromise.
If the procedure for making changes in configurations is not established, then any systems will
become unusable, because technical solutions also need supervision, especially focusing on the control
of human oversight. Therefore, the first remedy will be a well-established change process, and this can
help ITSM – in other words, IT Service Management. ITSM is an approach to the provision of IT
services in which performers, processes and technologies are used in an optimal combination. ITSM
306
�helps to improve business efficiency and the quality of provided IT services, as well as accounting and
control over changes made by administrators in their information systems. The problem here is that an
employee can make a mistake in the settings, or apply a potentially unsafe configuration, and if the
above method is implemented, there will always be at least one responsible person from the security
side who will check and agree on the admissibility of such changes and the risks associated with them
for business-critical systems and processes of the company [9].
In addition, not every setting is as safe as it is easy to use. But as an administrator to understand
what is permissible and what is not, how it should be so as not to lead to sad consequences. In this
situation, it will help to draw up a document on security provisions for various technical solutions under
the guidance of the company's security policy. Do not underestimate the strength of the documents,
since, in cases of written requirements for the security of systems, the administrator has not only concise
instructions and a framework for actions, but can also be brought to disciplinary action in cases of
failure to comply with. Also, any rules and regulations are followed only when they can be verified.
Therefore, it isnecessary to carry out regular checks of both the security of the settings and their
appropriateness. An audit of a company's information security is a complex analytical work to assess
the current state of its information systems and search for potential threats. To conduct the analysis,
specialists have a list of criteria and standards that your system must comply with. If it has deviations
or vulnerabilities, then you urgently need to take action. It is important to conduct an audit well in
advance when the problem is at a threat stage [10].
IS audit has a specific list of "step-by-step" tasks:
Analyze the current level of protection of personal data
Assess information security in accordance with generally accepted standards
Determine the likely risks for automated systems
Identify weaknesses with the possibility of their elimination in the future
Generate a report for information security specialists
Regardless of the scope of the enterprise, its type, tasks and goals, information security audit often
affects the following operational aspects:
Workers' rights to access servers and databases for collective use
Ways to confirm the login of each user (authentication)
Principles of data backup
Configuration and settings of network devices, storage systems and data transmission
Operation of antivirus and antispyware software, availability of a license
Theoretical and practical knowledge of the company's employees about data protection
As a result, a comprehensive audit of the organization's information security will help to reveal how
effective a system of protecting personal and corporate data is. If it has no weaknesses, the team will
receive confirmation of the security of the entire organization. But if the report reveals hidden risks,
then the team need to develop and implement an action plan to eliminate potential risks. In addition,
high-quality analytics will help the company choose the most effective data protection methods and
reduce its costs in this area. Workshops and other training programs on various technical solutions, with
an emphasis on ensuring the security of these systems, can also be a good tool. Since often a person
makes a mistake due to ignorance and misunderstanding of what their actions affect.
Although at first glance it seems that secure infrastructure design has nothing to do with the human
factor, this is fundamentally not the case. There is no such solution that would draw a logical diagram
for a person, taking into account all the nuances of a specific production and safety aspects. And if
something is done by a person, it is always error-prone and requires supervision from above
4. Cybersecurity awareness
Over time, the focus of building cybersecurity shifts to people, not technology, as 95% of all security
incidents occur through human error, not incidents [11]. Medium-sized companies and organizations
spend an average of about $ 300,000 a year on information security training alone (according to
Gartner), excluding various education activities [12]. However, even these efforts are not enough to
achieve the desired level of security, which would protect as much as possible from the disclosure/theft
of information and compliance with the selected level of standards. The reason is simple – people forget
307
�70% of received information within 24 hours without proper attention from the management side and
rechecking their understanding of materials [13].
Any mistake costs the company profit, resources (human, time, production - whatever) and, of
course, nerves. Quality, security, IT infrastructure, reputation - an incomplete list of vulnerable aspects
that can significantly suffer from a turned-off switch, a bug in the software, errors in Excel spreadsheets
(except for jokes, for example, during a tender or calculating the profitability of a tariff, product, etc.).
One human error - and processes, projects and whole months of work go down the drain. But it is human
nature to make mistakes, and sooner or later the person will make mistakes. This means that only one
thing remains - to learn how to minimize the influence of the human factor [14].
Such a problem can be applied for everyone – people are the triggers of actions, there are people at
the service desk, management is also a common people, people deliver the equipment and check the
physical security – everything is about people. So that’s why increasing cybersecurity awareness is a
crucial part of the organizations, especially international companies, which must comply with several
regular standards and requirements are quite high.
It has become very challenging – how to teach everyone to be secure in the environment in an
effective manner, track this progress and have a high ROI (Return on Investments). The new solution
is to focus on an individual automation approach for each employee, monitor their activity, actions, and
that’s why covering as much as possible from the perspective of humans as the vulnerable item.
It is proposed to use a new service that supports automatic individual evaluation of human
compliance, checking their actions when they become a target of any attack.
Data used and/or data schemes:
Results of the cyber assessment of the company
Personal data of employees for accounts
User activity in the network and the state of workstations
Report on compliance of user actions with the company's requirements.
As for supported services, it can be added assessment of the company's cybersecurity and
identification of places that need attention (optional); checking the condition of workstations for
compliance with the requirements set by the company; defining activities for a specific employee to
eliminate identified problems; providing courses, sending daily recommendations and creating
simulated attacks to raise awareness and check regularly; sending employee cyber awareness profiles
to managers for reporting. The process can be displayed in the figure below (Figure 3).
Although each of the phrases is already known to practice, in the bunch, they provide the client with
an even greater solution. Benefits are the following: the individual approach is the milestone: people
are different and it is not a promising idea to educate them in one way, but creating each learning path
manually is time-consuming (variables, conditions are mutable and there is no advantage in the long
term). It is exactly the place where automation can and should be applied.
Undoubtedly, requirements are the starting point for every process. As someone said, “It doesn’t
matter how many resources you have, if you do not know how to use them it will never be enough.”
Organizations should know their gaps and vulnerabilities to patch the right hole. What is the sense if
they close a winder while windows are still open? Determination of these requirements can be done in
2 ways: just select the desired level of security or pass the quick test (for personal use) or as a reply to
conducted assessment (audit) at the organization level.
Once the initial and desired levels of cybersecurity awareness are determined, it makes sense to
identify the person’s habits and find a better way for education. Having prepared the skeleton of the
learning path, it can be adapted to someone characteristics and be able to suggest things, that matters
and will ensure the expected result.
The education part consists of several methods:
Training/courses. Training is considered to be the most popular solution. The thing there is
training can only be valuable when employee clearly understands the content and know what
he would know after passing the course
Checks and tests. It is a well-known fact that people tend to forget about what they have
learned. The only way is regularly checking the studied material, which can be retrieved
from training and courses due to individual characteristics
Simulated attacks. The theory is not enough for a clear understanding and assimilation. Such
experience can only be received through practice. When people try to do something by
themselves, resolve the issue, repel the attack, they were the target, they will remember it
better. Using the automation approach, it can be ensured that people are receiving
308
�appropriate attack content regarding their activity as real hackers do. The assessment is
performed by simulating attacks and human-factor techniques used by attackers to
determine the effectiveness of an organization's security policies, safeguards, and training
programs. For example, a phishing attack is carried out by sending mass emails that look
like they were sent on behalf of popular brands, service providers, or people known to the
addressees. It tracks all email recipients who opened the email, clicked on links, opened
attachments, and entered their username and password on a fake website. Detailed statistics
will allow you to get both an overall picture of the company and determine corrective actions
on an individual basis
Daily recommendations and digest. Receiving small tips every day about how to increase
security, a digest of the latest news and announcements helps people to be on track with
current trends and situations in the world because everything is changing and following the
outdated guides is not a good approach.
Figure 3: Processes in cybersecurity awareness program
An effective cybersecurity awareness program requires a set of activities that should be
interconnected and pursue one goal. The second thing lies in people themselves - the person feels
encouraged to study when he knows that he is not just a common employee, but a valuable part of the
system, where the individual approach was applied. It helps them to feel unique and not just screw in
the system. First of all, properly structured training of personnel can help to reduce the likelihood of
unintentional violation of confidentiality and integrity of information, as well as the successful
implementation of attacks using social engineering methods.
5. Conclusions
There is an ongoing battle between hackers and security professionals. Unfortunately, the
unpredictability of human behavior can destroy the most secure information systems.
This article has attempted to collect and clearly identify the human factors that cause safety
problems and provide suggestions on how to overcome them by creating new cybersecurity awareness
program to educate each employee and help information security administrators have correct and clear
configuration. The consequence of this is that information security is the key to mitigating security
threats posed by human vulnerabilities.
Organizations must develop and maintain a culture that values positive safety behavior. They need
to instill their culture so that security begins and ends with every person associated with their
infrastructure, their business and their services. The best effect is achieved through a combination of
software solutions to prevent security incidents, because otherwise it is almost impossible to control a
complex distributed structure. To solve a complex of information security tasks, it is necessary:
309
� Control the storage locations and routes of information movement through all
communication channels that are used in the company (mail, Skype, instant messengers,
forums, cloud storages, etc.)
Discover data on the enterprise network at any given time. Analyze data of any format: text,
graphic, audio.
Record the actions of employees, their activity in the enterprise, for working PCs and
behavior in the team.
Track dangerous traits. As a rule, security specialists do this "manually", which is extremely
difficult in huge enterprises. But there are IT solutions on the market that make it possible
to automate this work. This is done by automated profiling, for example. It shows the values
and character of a person, a propensity for adventurism, for example, it demonstrates in
dynamics if significant changes occur in a person's personality
It is no coincidence that the authors speak only of a decrease in the likelihood of incidents. Referring
to the statistics of the penetration tests carried out, it is obvious that there are no companies where there
would be no overly careless and inquisitive employees. Therefore, it is only possible to gradually reduce
this vulnerability through a structured process of instructing an employee at all stages of his stay in the
company
6. References
[1] "The human factor and its role in ensuring information security ". Securelist | Kaspersky Lab analytics
and cyber threat reports. https://securelist.ru/chelovecheskij-faktor-i-ego-rol-v-obesp/725/
[2] ITCLOBAL. "Top 10 the loudest security incidents in the world". SecurityLab.ru.
https://www.securitylab.ru/blog/company/ITGLOBAL/350271
[3] C. Cimini, A. Lagorio, F. Pirola, and R. Pinto, "How human factors affect operators' task evolution in
Logistics 4.0," Human Factors and Ergonomics in Manufacturing & Service Industries, vol. 31, no. 1,
pp. 98–117, Sep. 2020. Accessed: Nov. 9, 2021. [Online]. Available:
https://doi.org/10.1002/hfm.20872
[4] A. Hope. "Chinese Startup Leaks 318 Million Private Records Obtained Through Data Scraping
Facebook, Instagram, and LinkedIn Social Profiles - CPO Magazine". CPO Magazine.
https://www.cpomagazine.com/cyber-security/chinese-startup-leaks-318-million-private-records-
obtained-through-data-scraping-facebook-instagram-and-linkedin-social-profiles
[5] LRT.lt. "Hackers steal 'classified' documents, Lithuanian official say riots may be connected". lrt.lt.
https://www.lrt.lt/en/news-in-english/19/1467832/hackers-steal-classified-documents-lithuanian-
official-say-riots-may-be-connected
[6] V. Rulkov. "The human factor in information security". HABR. https://habr.com/ru/post/344542/
[7] P. Korostelev. "The influence of the human factor on the successful implementation of an information
security strategy". itWeek. https://www.itweek.ru/security/article/detail.php?ID=183931
[8] I. Boytsov. "AlgoSec Firewall Analyzer Overview". Anti-Malware.ru. https://www.anti-
malware.ru/reviews/AlgoSec_Firewall_Analyzer
[9] "ITSM (IT Service management): implementation of an IT service management system". IT Gildiya.
https://it-guild.com/services/implementation/itsm/
[10] Audit of information security at the enterprise." IT Logica.
https://itlogica.com.ua/services/informacionnaja-bezopasnost/
[11] "95% of all crashes are human errors not accidents - Northern Ireland - News and Blogs – articles on
road safety and youth - Yours." YOURS Home - the youth movement for road safety. - Yours.
http://www.youthforroadsafety.org/news-blog/news-blog-
item/t/95_of_all_crashes_are_human_errors_not_accidents_northern_ireland
[12] "Large Enterprises Spend Nearly $300K Per Year On Security Awareness Training." Really?"
KnowBe4 Security Awareness Training Blog. https://blog.knowbe4.com/large-enterprises-spend-
nearly-300k-per-year-on-security-education.-really
[13] 5 Ways to Challenge the Forgetting Curve." LearnUpon.
https://www.learnupon.com/blog/ebbinghaus-forgetting-curve/
[14] Axelus. "The human factor in the company: is it dangerous?" Habr.
https://habr.com/ru/company/regionsoft/blog/432920/
310
�