Human Security
Highest-ROI attack in the book (Arup: $25M; average BEC: $125k). Policy: all wire changes require phone-confirm to the known number on file + dual approvers for payments over the threshold. This panel tracks real-time adherence.
| When | From | Vendor | Amount | Bank-detail changed? | Out-of-band | 2nd approver | State |
|---|---|---|---|---|---|---|---|
- ON Any wire > $10,000 requires two approvers from different reporting lines
- ON Any change to vendor banking details requires phone callback to number on file (not email reply)
- ON Vendor-master-file change alerts to CFO + finance-lead within 15 minutes
- ON New-vendor onboarding requires signed W9/W8 + verified phone + 48h cooling-off
- REVIEW Deepfake-call code-word required before acting on CEO/CFO voice-video requests (wires to T314)
- ON First-contact sender banner on email: flag domain <30 days old + look-alikes
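The wire rules above as a policy-as-code check, written as an added example rather than the panel's own code; the field names, the "phone_callback" channel label and the sample requests in the test are constructed assumptions, the $10,000 threshold is the panel's.

```python
"""Release/hold decision for a wire request under the two rules above:
dual approval from different reporting lines above the threshold, and a phone
callback to the number on file for any bank-detail change."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DUAL_APPROVAL_THRESHOLD_USD = 10_000  # panel rule: any wire > $10,000


@dataclass
class WireRequest:
    vendor: str
    amount_usd: float
    bank_details_changed: bool
    # approver -> reporting line, e.g. {"alice": "finance", "bob": "ops"} (assumed shape)
    approvers: Dict[str, str] = field(default_factory=dict)
    # how the bank-detail change was confirmed: "phone_callback", "email_reply" or None
    confirmation_channel: Optional[str] = None


def evaluate_wire(req: WireRequest) -> Tuple[str, List[str]]:
    """Return ("RELEASE" | "HOLD", reasons); HOLD lists every unmet control."""
    failures: List[str] = []

    if req.amount_usd > DUAL_APPROVAL_THRESHOLD_USD:
        if len(req.approvers) < 2:
            failures.append("needs two approvers above threshold")
        elif len(set(req.approvers.values())) < 2:
            failures.append("approvers must come from different reporting lines")

    if req.bank_details_changed:
        # Out-of-band means a callback to the number already on file. A reply to
        # the email that asked for the change goes straight back to the requester,
        # so it counts as no confirmation at all.
        if req.confirmation_channel != "phone_callback":
            failures.append("bank-detail change lacks phone callback to number on file")

    return ("HOLD" if failures else "RELEASE", failures)
```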
The CFO's voice on a Zoom call asking for a $25M wire. Real attack pattern. Code-word policy eliminates the trust surface — if the caller can't say the code-word, it's not them.
| Principal | Role | Code-word set | Last rotation | Callback number on file | Status |
|---|---|---|---|---|---|
| When | Type | Target | Outcome | Notes |
|---|---|---|---|---|
- ON Any voice or video request to act (wire / access / credential) requires code-word challenge
- ON Code-word never shared over the same channel as the request (asymmetric channel policy)
- ON Code-word rotation every 90 days; auto-reminder from aegis
- ON All voice-clone / deepfake attempts reported to SOC for media forensics + SOAR
- BETA Real-time liveness challenge during high-value calls (turn head, read phrase)
Culture beats controls. Every metric below is a cohort measurement of people as sensors — reward the reporters, tune the lures, starve the attacker's inbox.
Monthly cadence across the whole org. Realistic lures: AiTM / MFA-fatigue / QR / callback phish. Per-cohort analysis · no blame-shaming.
| Campaign | Lure kind | Sent | Clicked | Reported | Cohort note |
|---|---|---|---|---|---|
| 2026-04 · AiTM login | Evilginx-style lookalike | 4,218 | 62 (1.5%) | 1,484 (35%) | cs-team highest report-rate |
| 2026-04 · QR · package-delivery | quishing | 4,218 | 102 (2.4%) | 1,218 (29%) | sales dip · targeted retrain |
| 2026-04 · callback phish | fake-support voicemail | 412 (finance) | 8 (1.9%) | 186 (45%) | finance strong · keep pattern |
| 2026-03 · MFA-fatigue | push-bomb + helpdesk | 4,218 | 41 (0.97%) | 1,602 (38%) | trend down 12 wks |
Outlook + Gmail add-in + Slack button. Ingested by SOAR triage (T225). Reporter gets a thank-you with outcome + cumulative "saves" badge.
| Platform | Deploy | Reports (30d) | Confirmed malicious | User satisfaction |
|---|---|---|---|---|
| Outlook add-in | all users | 186 | 42 | 4.8 / 5 |
| Gmail add-in | all users | 62 | 14 | 4.9 / 5 |
| Slack · Report-Message action | all users | 36 | 6 | 4.7 / 5 |
| iOS / Android app | all users | 12 | 2 | 4.6 / 5 |
Click-rate alone punishes curiosity. Report-rate rewards vigilance. We measure both — culture metric for the board. Target: click < 3% · report > 30%.
| Cohort | Headcount | Click rate | Report rate | Trend 12w |
|---|---|---|---|---|
| Engineering | 142 | 1.4% | 42% | ↓ click · ↑ report |
| Product | 38 | 1.8% | 38% | ↓ click |
| Sales | 86 | 3.8% | 24% | targeted retrain |
| Finance | 24 | 1.2% | 45% | exemplary |
| HR | 18 | 2.1% | 33% | on target |
| Contractors | 54 | 4.2% | 18% | onboarding retrain |
| Org total | 4,218 | 2.4% | 34% | BOARD METRIC ON |
Fail on misalign. Quarantine on partial. DMARC aggregate-report ingestion panel surfaces spoofing attempts against our own domains.
| Check | Action on fail | Applied (7d) |
|---|---|---|
| SPF hard-fail | reject | 42,184 |
| DKIM misalign | quarantine | 8,412 |
| DMARC p=reject (inbound receiver honors) | reject | — |
| DMARC aggregate reports ingested | SIEM | 1,412 reports |
| ARC-seal re-verify (forwarded mail) | tighten | — |
| Lookalike-domain header match | banner · quarantine if score ≥ 60 | 312 banners |
First time a sender-domain reaches a user → visible banner + "verify if asked to act". Reduces CFO-impersonation and sudden wire requests.
| Banner kind | Trigger | Shown (7d) |
|---|---|---|
| EXTERNAL sender | any domain ≠ [your-org].com + approved-partners | 6,842 |
| FIRST-CONTACT | sender not seen by this user in 365d | 1,412 |
| LOOKALIKE domain | Levenshtein-near own domain | 58 |
| ACTS-LIKE-EXEC | display-name matches known exec + sender ≠ corp | 24 · 100% blocked |
| NEWLY-REGISTERED domain | domain age < 30d | 42 |
| FREEMAIL-FROM-EXEC-PATTERN | gmail/yahoo/outlook.com + impersonation heuristic | 14 |
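The banner triggers in the table above as one classifier, added here as an example and not the mail gateway's own code. The own domain, partner list, exec roster, Levenshtein cutoff, and the use of an exec-name match as the freemail "impersonation heuristic" are all assumptions; the 30-day and 365-day windows are the table's.

```python
"""Return the banner kinds a message should carry, per the trigger table."""
from typing import Dict, List, Optional, Set

OWN_DOMAIN = "your-org.com"                       # assumed
APPROVED_PARTNERS = {"partner.example"}           # assumed
KNOWN_EXECS = {"jane doe"}                        # assumed exec display names, lower-case
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com"}
LOOKALIKE_MAX_DISTANCE = 2                        # assumed cutoff for "Levenshtein-near"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def banners(msg: Dict[str, str], seen_domains: Set[str],
            domain_age_days: Optional[int]) -> List[str]:
    """msg: {"from_addr", "display_name"}; seen_domains: domains this user has
    received from in the last 365d; domain_age_days: registration age, None if unknown."""
    domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    name = msg["display_name"].strip().lower()
    out: List[str] = []

    external = domain != OWN_DOMAIN and domain not in APPROVED_PARTNERS
    if external:
        out.append("EXTERNAL")
    if domain not in seen_domains:
        out.append("FIRST-CONTACT")
    if external and 0 < levenshtein(domain, OWN_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
        out.append("LOOKALIKE")
    if name in KNOWN_EXECS and domain != OWN_DOMAIN:
        out.append("ACTS-LIKE-EXEC")
    if domain_age_days is not None and domain_age_days < 30:
        out.append("NEWLY-REGISTERED")
    if domain in FREEMAIL and name in KNOWN_EXECS:
        out.append("FREEMAIL-FROM-EXEC-PATTERN")
    return out
```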
Callback to known-good number on file. Video-verify for password / MFA reset. No SMS-only identity proof. Recorded and sampled for QA.
| Step | Policy | Exception |
|---|---|---|
| 1 | Agent reads 3-question script · blind to caller | none |
| 2 | Callback to number on HRIS record | mgr-approved + case-note |
| 3 | Video-verify for password / MFA reset | tier-0 · ciso-escalated only |
| 4 | No SMS-only identity proof | never |
| 5 | Calls recorded · 5% sampled + reviewed | none |
| 6 | Attempted-vishing logged · shared with SOC | — |
Recent: 3 vishing attempts in 30d — all blocked by step-2 callback · shared to ISAC.
Extract QR from images + PDFs + Office docs. Resolve destination URL. Apply URL reputation + lookalike check. Strip and replace with warning placeholder if malicious.
| Check | Scope | Hits (7d) | Action |
|---|---|---|---|
| Image QR extraction | inline + attachment | 1,284 scanned | — |
| PDF-embedded QR | attachment | 412 scanned | — |
| Office-doc QR | attachment | 48 scanned | — |
| QR destination = newly-registered domain | all | 22 | strip + warn |
| QR destination = AiTM-kit fingerprint | all | 6 | strip + quarantine |
| QR destination = crypto-drainer | all | 2 | strip + quarantine + SOC alert |
One champion per team. Quarterly brief. Early-signal feedback loop (new phishing patterns, policy confusion). Recognition + points + internal reward.
| Team | Champion | Tenure | Saves (quarter) | Points |
|---|---|---|---|---|
| Engineering | [user.name]@[your-org].com | 14 mo | 22 saves · 3 new-lure reports | 842 |
| Product | ria.paul@[your-org].com | 8 mo | 11 | 412 |
| Finance | dan.cfo-analyst@[your-org].com | 22 mo | 28 · BEC drill host | 1,212 |
| Sales | karan.sales@[your-org].com | 4 mo | 8 | 214 |
| CS | aisha.khan@[your-org].com | 18 mo | 18 | 684 |
| HR | neha.hr@[your-org].com | 6 mo | 9 | 286 |
"5 yrs Splunk, Fortinet 7.4, Jenkins 2.401" is a shopping list for attackers. This screen lints open job descriptions, flags specific product/version names, and suggests generic rewrites. Runs on every new req + on every edit.
| Req | Role | Finding | Detail | Action |
|---|---|---|---|---|
| REQ-2241 | Senior SRE | HIGH | "5+ yrs Splunk Enterprise 9.1, Fortinet FortiGate 7.4, Jenkins 2.401, Kubernetes 1.28" | Rewrite to "SIEM · firewall · CI · orchestration" |
| REQ-2218 | Security Engineer | HIGH | "Experience with Wazuh 4.7, Grafana Cloud, Okta Workforce Identity" | Generalize to "EDR/XDR, observability, IDaaS" |
| REQ-2225 | Backend Dev | MED | "Python 3.11, FastAPI 0.110, Redis 7.2" | Keep language, drop minor versions |
| REQ-2230 | DevOps | MED | "GitHub Actions workflows + self-hosted runners on AWS EC2" | Generalize to "CI pipelines + runners" |
| REQ-2232 | Data Eng | LOW | "Snowflake, dbt" | Acceptable — vendor-level only |
| REQ-2235 | Product Manager | CLEAN | No stack-specific terms | — |
- BLOCK Specific version numbers of security tooling (SIEM, firewall, EDR, VPN, SSO)
- BLOCK Internal tool names, service names, or repo names
- WARN Minor-version pins on production technology ("Postgres 14.8")
- WARN Cloud-region references that narrow geography ("us-east-1, Mumbai az-2")
- ALLOW Broad vendor names at product-family level ("AWS", "GCP", "Kafka")
- ALLOW Language/framework at major-version ("Python 3", "React", "Go")
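A linter for the BLOCK / WARN / ALLOW rules above, added as an example and not the screen's own code. The security-tool and internal-name lists, the region pattern and the requisition text in the test are constructed assumptions; a real deployment would feed the org's own tool inventory.

```python
"""Lint a job requisition for stack details that help an attacker map the estate."""
import re
from typing import List, Tuple

# Assumed product-family list for the "security tooling" BLOCK rule.
SECURITY_TOOLS = ["splunk", "fortinet", "fortigate", "wazuh", "crowdstrike",
                  "okta", "palo alto", "anyconnect"]
# Constructed internal service names; the real list comes from the org's CMDB.
INTERNAL_NAMES = ["aegis", "wire-svc"]
# us-east-1, eu-central-2, az-2 ... (assumed region shapes)
CLOUD_REGIONS = re.compile(
    r"\b(?:us|eu|ap|ca|sa)-(?:east|west|central|south|north|northeast|southeast)-\d\b"
    r"|\baz-\d\b", re.I)
# "<name> <major>.<minor>[.<patch>]" -- a bare major like "Python 3" does not match
VERSION = re.compile(r"\b(?P<name>[A-Za-z][\w .-]{1,30}?)\s+(?P<ver>\d+(?:\.\d+)+)\b")

Finding = Tuple[str, str, str]  # (severity, snippet, advice)


def lint_req(text: str) -> List[Finding]:
    """Return findings for one requisition; an empty list means CLEAN."""
    findings: List[Finding] = []
    lower = text.lower()

    for m in VERSION.finditer(text):
        name = m.group("name").lower()
        if any(tool in name for tool in SECURITY_TOOLS):
            findings.append(("BLOCK", m.group(0), "drop version of security tooling"))
        else:
            findings.append(("WARN", m.group(0), "minor-version pin; keep major only"))

    for n in INTERNAL_NAMES:
        if re.search(rf"\b{re.escape(n)}\b", lower):
            findings.append(("BLOCK", n, "internal tool/service name"))

    for m in CLOUD_REGIONS.finditer(text):
        findings.append(("WARN", m.group(0), "cloud-region reference narrows geography"))

    return findings


def severity(findings: List[Finding]) -> int:
    """0 = CLEAN, 1 = WARN, 2 = BLOCK (the worst finding decides)."""
    order = {"BLOCK": 2, "WARN": 1}
    return max((order[s] for s, _, _ in findings), default=0)
```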