The project

OVERVIEW

The final outcome of this project will be DAMOCLES, an easy-to-use and fully-customizable framework that supports Italian PAs, even in the absence of experienced IT and security personnel or dedicated systems, to perform Human Vulnerability Assessment (HVA) in cyber contexts and Human Vulnerability Mitigation (HVM) of the emerged vulnerabilities (Figure 1). This framework will be implemented in a web platform based on three main components: the HVA for the identification of human vulnerabilities that can cause security incidents, the HVM for the resolution of the identified vulnerabilities, and the Customization to tailor the entire framework to the PA needs.

The HVA component is based on three modules, namely, Prevention, Simulation and Detection of human incidents. The former consists of a set of questionnaires that systematize different measures on human incidents. The second one consists of a digital twin of each user to perform simulations of cybersecurity attacks on the large scale its physical counterpart might be subjected to. The latter is a sandbox environment where safe tests of cyber attacks are targeted to the PA users according to the incidents they can mainly cause, in order to analyze their response and identify wrong behaviors.

The HVM component offers different modules to educate the users according to the vulnerabilities they are exposed to and codified in a proper user profile. DAMOCLES will provide training programs like podcasts, tutorials, gamified training that simulates attacks from which the users have to defend, and messages integrated into working software.

The Customization component will consist of a tailoring environment that supports the users, e.g., the IT manager of the PA, in customizing DAMOCLES according to the specific PA, for example, according to the existing roles, number of employees, adopted software and services. A no-code approach will guarantee a simple use of this environment without requiring particular IT and cybersecurity skills. The users of the HVA will be able to customize the entire protocol by tailoring the questionnaires, the metrics and the educational programs to the specific characteristics and needs of the organization. In the case of the HVM, instead, it will be possible to specify its behavior and the educational programs to be delivered to the users when dangerous actions are detected.

APPLICATION SCENARIO

Scenario 1: Andrea is the IT manager of the Brindisi job center, a regional employment policy agency. Andrea is responsible for both the technical issues of the center (e.g., PC maintenance) and the security aspects. Andrea decides to adopt DAMOCLES to detect possible security incidents caused by the employees, and to undertake appropriate mitigation strategies tailored to the users. Andrea registers to the DAMOCLES web platform and provides information on the job center, such as the number of employees, roles, and type of software used. After that, DAMOCLES suggests Andrea a set of questionnaires to measure possible employee exposure to security threats. Specifically, a questionnaire covering email management and phishing attacks is suggested for all employees, a second questionnaire revolving around access policy management is suggested only for the IT technicians, and finally, a third questionnaire on personal data management is suggested for the managers. Andrea accepts all the suggestions and administers the questionnaires through DAMOCLES by entering employees' emails. Two days later, after collecting the employees’ answers, Andrea opens the DAMOCLES platform and inspects the results already analyzed by the platform. As a result, DAMOCLES suggests personalized training programs for each employee. Andrea revises and approves all the suggestions and launches the training programs. Specifically, managers are asked to view tutorials on personal data processing and answer follow-up questions; IT technicians are offered a training program in the form of a game about managing access policies on PCs; and all employees are offered training in the form of a game related to phishing attacks.

Scenario 2: After performing the HVA and HVM reported in Scenario 1, Andrea decides to further improve the assessment and mitigation of human incidents inside the job center. In particular, starting from the questionnaire results, DAMOCLES suggests Andrea to perform different kinds of safe tests. Managers and IT technicians can be asked to carry out a set of tasks in a safe copy of the software used in the employment center, respectively on personal data processing and policies management. All the employees, instead, can receive five (safe) phishing emails, one per week. Andrea decides to execute all these tests. After five weeks, considering the results of the last assessment, DAMOCLES suggests Andrea to refine and extend the training programs for eachemployee. All the suggested training programs are accepted by Andrea. In addition, DAMOCLES proposes to Andrea to automatically build a Digital Twin for each employee starting from the results of the HVAs carried out until now, and to simulate on them a set of cyber attacks. After Andrea’s agreement, DAMOCLES perform the simulations on the DTs and refines the training programs that Andrea can deliver to each employee.