Human Attack Surface Delta


Human Attack Surface Delta, in the context of cybersecurity, refers to the change over time in the total vulnerability and exposure associated with the human element of an organization. It is a metric used to measure the rate at which human-centric risks, such as employee credential leaks, social media oversharing, or successful social engineering attempts, are increasing or decreasing.

Components of the Delta

The "Delta" is calculated by comparing two points in time (e.g., this month versus last month) and tracking changes in key human-centric risk indicators:

  • Credential Leak Delta: The net change in the number of employee credentials (usernames, passwords, emails) found exposed on the dark web or in public data breaches. A positive delta means more credentials have been exposed.

  • Social Footprint Delta: The change in the volume or sensitivity of Personally Identifiable Information (PII), professional roles, or technical project details shared publicly by employees on social media or professional networking sites.

  • Training Effectiveness Delta: The change in the success rate of internal phishing simulations or the rate at which employees report suspicious activities. This is often an inverse metric, where a decreasing success rate (negative delta) indicates an improvement in human defense.

  • Account Hygiene Delta: The change in the use of weak passwords, the adoption rate of Multi-Factor Authentication (MFA), or the use of corporate emails on high-risk third-party websites.
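As an added worked example (not ThreatNG's code or an API it exposes), the following Python computes the per-component delta between two reporting periods using the page's sign convention: positive means more exposure, negative means risk reduction, with inverse indicators such as MFA adoption and report rate flipped accordingly. Indicator names, sample values and the A-F rating comparison are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    """One human-centric risk indicator and the direction in which it hurts."""
    name: str
    higher_is_worse: bool  # True: a raw increase means more exposure


# The four component families from the list above, expressed as indicators
# (assumed names). Rates are whole percentages so deltas stay exact integers.
INDICATORS = (
    Indicator("leaked_credentials", True),      # Credential Leak Delta
    Indicator("public_pii_items", True),        # Social Footprint Delta
    Indicator("phish_sim_click_pct", True),     # Training Effectiveness (inverse metric)
    Indicator("suspicious_report_pct", False),  # more reporting = stronger human defense
    Indicator("weak_password_accounts", True),  # Account Hygiene
    Indicator("mfa_adoption_pct", False),       # higher adoption = smaller surface
)

# Constructed sample snapshots (not real data); the credential figures mirror the
# 100 -> 150 case used later on this page.
MONTH_A = {"leaked_credentials": 100, "public_pii_items": 40, "phish_sim_click_pct": 18,
           "suspicious_report_pct": 30, "weak_password_accounts": 25, "mfa_adoption_pct": 70}
MONTH_B = {"leaked_credentials": 150, "public_pii_items": 35, "phish_sim_click_pct": 12,
           "suspicious_report_pct": 42, "weak_password_accounts": 30, "mfa_adoption_pct": 85}


def component_delta(ind, before, after):
    """Signed delta: positive = risk increase, negative = risk reduction."""
    raw = after - before
    return raw if ind.higher_is_worse else -raw


def human_attack_surface_delta(snapshot_a, snapshot_b):
    """Per-component signed deltas between two reporting periods."""
    return {ind.name: component_delta(ind, snapshot_a[ind.name], snapshot_b[ind.name])
            for ind in INDICATORS}


def escalating_components(deltas):
    """Components whose delta is positive, worst first: where remediation goes next."""
    return sorted((n for n, d in deltas.items() if d > 0), key=lambda n: -deltas[n])


def rating_delta(before, after):
    """A-F rating trend as a signed delta by letter position: C -> B is -1 (risk reduction)."""
    return ord(after.upper()) - ord(before.upper())


if __name__ == "__main__":
    deltas = human_attack_surface_delta(MONTH_A, MONTH_B)
    for name, d in deltas.items():
        print(f"{name:24s} {d:+d}")
    print("escalating:", escalating_components(deltas))
```

Running it ranks the credential leak (+50) ahead of weak passwords (+5) as the components driving the surface up, while the training and MFA indicators come out negative.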

Significance

Tracking the Human Attack Surface Delta is crucial for security governance because it provides a precise, actionable measure of the risk trend.

  • Measuring Program Effectiveness: A consistently negative delta indicates that security training, identity management policies, and digital risk protection efforts are successfully reducing the organization's overall vulnerability to social engineering and human-error-based attacks.

  • Prioritizing Resources: A sharp positive delta in a specific area (e.g., leaked credentials for a new business unit) directs security teams and budget to the precise location of escalating risk for immediate mitigation.

ThreatNG directly helps manage and reduce the Human Attack Surface Delta by providing continuous, external visibility into the specific exposures (like leaked credentials and exposed identity data) that result from human error or negligence. By quantifying and tracking these human-centric risks, ThreatNG allows organizations to measure the trend of their human attack surface and prioritize immediate remediation to enforce a negative delta (risk reduction).

ThreatNG's Role in Human Attack Surface Delta

External Discovery

ThreatNG performs purely external unauthenticated discovery using no connectors. This is the starting point for measuring the Human Attack Surface, as it maps the organization's footprint where human data is exposed.

  • Example of ThreatNG Helping: The discovery process identifies every external point that could contain human-centric PII, including Subdomains intelligence (exposed emails and private IPs), and Archived Web Pages. This complete external inventory is the denominator for calculating the delta.

External Assessment

ThreatNG uses multiple security ratings that directly quantify the risk of a person-centric compromise; together they make up the Human Attack Surface.

  • Data Leak Susceptibility Security Rating (A-F): This rating is heavily influenced by Compromised Credentials.

    • Example in Detail: ThreatNG continuously tracks and assesses all Compromised Credentials associated with the organization's email domains (the leak). If in the last month (Month A) ThreatNG found 100 leaked credentials and this month (Month B) it finds 150, the 50 new exposures immediately flag an increase in the Human Attack Surface risk, likely due to poor employee password reuse (Identity Contamination).

  • BEC & Phishing Susceptibility Security Rating (A-F): This rating is based on findings like Email Format Guessability and Domain Name Permutations.

    • Example in Detail: ThreatNG confirms that an organization has high Email Format Guessability via its Email Intelligence module. If the security rating for this factor remains an "F," the zero delta (no change) indicates that the security team has not yet addressed the root cause, enabling attackers to harvest employee emails for spear-phishing (a human attack vector).

  • Cyber Risk Exposure Security Rating (A-F): This rating assesses assets such as Sensitive Code Discovery and Exposure (code secret exposure) and WHOIS records (missing WHOIS privacy).

    • Example in Detail: ThreatNG finds that an executive's personal PII is exposed due to a missing WHOIS privacy policy. If this exposure is addressed and WHOIS privacy is enabled, the resulting improvement in the Cyber Risk Exposure rating creates a measurable negative delta for the executive's personal attack surface, demonstrating risk reduction.

Reporting

The reporting capabilities enable clear visualization and communication of the Human Attack Surface Delta.

  • Security Ratings Reports (A through F): The trendline of the Security Ratings over time directly represents the delta. A rising score (e.g., C to B) for a human-centric rating such as Data Leak Susceptibility indicates a negative delta (risk reduction). In contrast, a falling score signals a dangerous positive delta (risk increase).

  • Prioritized Reports: These reports focus security team attention on the specific high-risk exposures (e.g., exposed RDP ports or NHI Emails) that contribute most heavily to the overall delta, guiding remediation efforts to enforce a negative trend.

Continuous Monitoring

Continuous Monitoring of the external attack surface is the functional requirement for calculating the delta, as it provides the two required data points over time.

  • Example of ThreatNG Helping: Continuous monitoring detects a surge in Compromised Credentials following a significant external data breach. By tracking this change in real time, the system immediately identifies a central positive delta in the Human Attack Surface and issues an urgent alert to mitigate the risk.

Investigation Modules

ThreatNG's modules provide the tools to granularly measure the inputs that constitute the Human Attack Surface Delta.

  • Social Media / Username Exposure: This conducts a Passive Reconnaissance scan for usernames across a wide range of social media and high-risk forums.

    • Example in Detail: An organization's new policy mandates that employees avoid using their full names in development forums. The Username Exposure module tracks compliance. A reduction in the number of publicly exposed employee names found on sites like GitHub from Month 1 to Month 2 shows a measurable negative delta in the social footprint component of the Human Attack Surface.

  • LinkedIn Discovery: This module explicitly identifies the employees most susceptible to social engineering attacks.

    • Example in Detail: By tracking the list of susceptible employees, the organization can measure the effectiveness of its training. A month-over-month decrease in the number of employees whose social data makes them susceptible indicates a negative delta in the Human Attack Surface, i.e., an improvement in the efficacy of human defense.

Intelligence Repositories (DarCache)

The intelligence repositories provide the raw data required for the most critical input to the Human Attack Surface Delta: credential exposure.

  • Compromised Credentials (DarCache Rupture): This repository is the source of truth for measuring the Credential Leak Delta. The net change in the number of exposed passwords and usernames found in this cache between two reporting periods directly indicates whether the human attack surface is growing or shrinking.

Complementary Solutions

ThreatNG's continuous delta measurement can inform and optimize complementary solutions that manage the internal human attack surface.

  • Cooperation with Security Awareness Training Platforms: When ThreatNG reports a positive delta in Compromised Credentials (meaning more passwords were leaked), this metric can be sent to a complementary Security Awareness Training Platform. This integration automatically triggers targeted, mandatory training modules for affected employees or departments, focusing specifically on credential hygiene and password reuse to reverse the delta trend.

  • Cooperation with IAM Solutions: A continuous, escalating positive delta in the Data Leak Susceptibility rating can be sent to an Identity and Access Management (IAM) solution. This triggers a proactive policy change within the IAM, such as enforcing a global switch to more secure authentication methods (e.g., hardware tokens) or mandating stronger password complexity for all employees, thereby preventing future leaks and driving the delta back toward the negative (risk reduction).
