Don’t Click Tired

November 19, 2013

As the day draws to a close, and especially during the early morning, users become far more likely to click on links that lead to malware. Those responsible for network security need to ensure that users’ awareness of information security continues after work hours, so that users “don’t click tired.”

With users clicking on links left, right, and centre, it’s no wonder that users are managing to infect corporate networks with malware. However, a user’s behaviour, with regard to attempting to download malware over the web, changes according to the time of day. The number of malware blocks recorded by Cisco’s Cloud Web Security protection for UK-based IP addresses, broken down by time of day for the working week beginning on 11 November, shows that the largest number of malware blocks occurs between 7pm – 8pm.

Relative malware exposure
Graph of relative number of malware blocks by time of day for UK networks.

Indeed, it appears that encounters with malware by UK-based users increase throughout the working day, with notable dips at lunch time (12pm – 1pm) and home time (5pm – 6pm). These figures show when networks are most likely to encounter malware; however, they do not necessarily illustrate when users are most likely to engage in ‘risky’ behaviour.

We can measure when users are most likely to forget their common sense and training by calculating the number of malware blocks per URL requested per hour of the day. Graphing this data for UK-based IP addresses for the same date range tells an interesting story.

Relative malware per URL request
Graph of relative number of malware blocks per URL requested by time of day for UK networks.

Users appear to be remarkably sensible during working hours (8am – 6pm), with the rate of malware blocks per URL requested falling to a minimum. Towards the end of the working day, the rate of malware encounters tends to pick up, then increases massively during the evening. As users return home tired following a long day, their behaviour changes, and they are much more likely to click on links that lead to malware. However, the riskiest behaviour takes place in the early morning between 4am – 5am, when users are 15.7 times more likely to encounter malware per URL visited compared with 12pm – 1pm. It’s unclear if these users are night owls or early risers, but in either case these tired users are at their most vulnerable.
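The per-URL measurement described above can be reproduced on your own web proxy logs. The following is an added example, not Cisco's code or data: the three-field log format, the `BLOCK_MALWARE` action name and the sample counts are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime

def build_sample():
    """Constructed sample log: hour -> (URL requests, malware blocks)."""
    counts = {4: (20, 4), 12: (400, 4), 19: (200, 10)}
    lines = []
    for hour, (reqs, blks) in counts.items():
        for i in range(reqs):
            action = "BLOCK_MALWARE" if i < blks else "ALLOW"
            ts = f"2013-11-11T{hour:02d}:{i % 60:02d}:00"
            lines.append(f"{ts} {action} http://site{i}.example/")
    lines.append("malformed line without fields")     # wrong field count
    lines.append("notatime ALLOW http://x.example/")  # unparseable timestamp
    return lines

def hourly_block_rate(lines):
    """Return {hour: malware blocks / URL requests} for hours with traffic."""
    requests, blocks = Counter(), Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than miscount them
        ts, action, _url = parts
        try:
            hour = datetime.fromisoformat(ts).hour
        except ValueError:
            continue
        requests[hour] += 1
        if action == "BLOCK_MALWARE":  # hypothetical action label
            blocks[hour] += 1
    return {h: blocks[h] / requests[h] for h in requests}

def relative_risk(rates, baseline_hour):
    """Express each hour's rate as a multiple of the baseline hour's rate."""
    base = rates.get(baseline_hour)
    if not base:
        raise ValueError("baseline hour has no traffic or no blocks")
    return {h: r / base for h, r in rates.items()}

if __name__ == "__main__":
    rates = hourly_block_rate(build_sample())
    for hour, mult in sorted(relative_risk(rates, baseline_hour=12).items()):
        print(f"{hour:02d}:00  rate={rates[hour]:.3f}  x{mult:.1f} vs 12:00")
```

In the constructed sample, 19:00 has the most raw blocks while 04:00 has the highest rate per request, which is the distinction between the two graphs.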

Understanding these patterns of behaviour is key to addressing the propensity for users to engage in risky behaviour. Risky behaviour tends to drop during the working day, suggesting that users are less likely to click on malicious links when they are most alert, and when they are engaged in activities that do not expose them to malicious links. Outside of working hours, tired users change their behaviour, forget their training, and are most likely to click on malicious links.

Security managers need to ensure that users remain aware of security policies, their security training, and the danger of security threats outside of core working hours, no matter how tired they may be.

Andrew Tsonchev contributed to this blog.
