Leveraging artificial intelligence to manage human risk

Artificial intelligence not only creates resources, but also analyzes many forms of data.

By Lance Spitzner February 13, 2024
Courtesy: SANS Institute

Artificial intelligence insights

  • Artificial intelligence’s (AI) capability extends beyond creating resources to analyzing various data forms, including documents, charts and spreadsheets, offering insights and improvements.
  • Caution is advised regarding privacy and security when uploading sensitive or confidential documents to AI platforms, with recommendations to use private or enterprise versions for sensitive data.
  • AI can assist in analyzing screenshots, word documents, spreadsheets and photos, providing detailed explanations, recommendations for improvement and summaries.

Analyzing data

Up to now, there has been a focus on Generative AI’s ability to create resources, such as video scripts, newsletter content, translations, customized images and learning objectives for training. However, a feature just as powerful, if not more powerful, is its ability to analyze just about anything it is given. Spreadsheets, Word documents, graphs, photos and diagrams can be uploaded directly. AI can not only comprehend the material but also analyze it, making it possible to improve the content, summarize it or dive deeper into its meaning.

The first step is realizing that pretty much anything can be uploaded to AI, and it will analyze it like a subject matter expert. Upload a financial document and AI can help the user understand it like a Chief Financial Officer. Upload a flow diagram of a proposed application and it can analyze it like a senior software developer. Upload a chart of a home’s energy usage and it can analyze it like it’s the Department of Energy.

Some caution is needed when it comes to privacy and security. Most AI solutions are public. This means anything uploaded to the AI solution will not only be analyzed, but it will also remember and train itself on that file, so that information can potentially be shared with others in the future. In some cases, the actual files uploaded can be retrieved by others in their original format. A user should therefore never upload or share anything highly sensitive or confidential. To analyze sensitive data with AI, use a private or enterprise version instead of a publicly available one. This will protect and isolate any information uploaded, ensuring that it is never used to train the AI and is not accessible or shared with others. Another option is to anonymize anything uploaded.

What can be uploaded and analyzed?

The answer is any file. A user can try virtually any file in any format. If it does not work now, try again next month, as AI is advancing rapidly. Here are several examples.

Screenshots

This is one of the most surprising capabilities of AI. A user can upload a screenshot of almost anything visual (diagrams, charts, dashboards). For example, a user can upload a screenshot of a slide from the SANS LDR433 Human Risk course, then simply give ChatGPT the prompt “explain what this slide means” with no other context.

The purpose of the slide is to visually compare just how much the security community has invested in securing technology vs. securing employees. This is done by visualizing all the different security controls implemented over the past twenty years for the Windows Operating System versus what the typical security team has done to help secure their workforce, which is called the human operating system (i.e., very little). Ever wonder why people are the primary attack vector? Because people have hit the point of diminishing returns by overinvesting in technology and underinvesting in securing people.

When the file was uploaded, not only did the AI quickly pick up on the diagram’s intent and explain its meaning, but it also read, identified and explained in more depth each of the technical controls listed in the order provided. If a user wanted, they could go deeper and have AI explain each of the technical controls in more detail. Have a phone or electric bill you don’t understand? Take a screenshot of the confusing part, upload it and have AI walk through the bill.

Word documents

AI can read and analyze just about any text-based document given to it (MS Word document, PDF, etc.). The two biggest benefits are AI’s ability to review a document and provide feedback on how to improve it, and its ability to summarize it. Examples of improving a document include:

  • Simplifying security policies so they are easier to understand and follow

  • Shortening business cases for more effective leadership engagement

  • Improving quiz questions based on a video script

  • Modifying an email to a workforce so it focuses more on how they benefit from the new security tool being rolled out

  • Suggesting titles for a new blog post

Not only can AI provide recommendations on how to improve the wording, it can also increase (or decrease) the grade level at which the document was written, translate the content into another language or rewrite the wording in a new voice, e.g., “rewrite the document but act like Shakespeare.”

Another powerful feature is AI’s ability to summarize. Perhaps there is a fascinating report on a security breach, or a new analysis of the latest in cyber threat actor tactics and techniques, but the user doesn’t have time to read the entire document. Or perhaps the document is too technical, and the user just wants to understand the key points. Provide AI the document (or the link to the document) and it will summarize it. It will also summarize a video. If there is a long video on YouTube to learn from, but the video is too long, download the transcript from the video, paste the transcript into AI and have it summarize it.

Spreadsheets

Hate analyzing numbers? Having a hard time figuring out what that spreadsheet means or why the numbers don’t add up? AI can do all the work. In most cases a user can upload the spreadsheet with little to no context, as long as the columns and/or rows are named or described. AI will analyze the spreadsheet and then explain its purpose and what each row or column represents. Then the user can begin to ask it questions based on the data, such as the average costs per month or the percentage of increase/decrease over time. It can also help with finding anomalies, such as which phishing simulation had the greatest click rates, or which department had the highest phishing simulation report rates.
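A phishing simulation export like the one described above names individual employees, which is where the earlier advice to anonymize anything uploaded applies. The following Python script is an added example, not part of the original article: it drops names and replaces e-mail addresses with keyed pseudonyms so that click and report rates per department can still be analyzed. The column names, sample rows and key handling are assumptions.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed sample export of phishing simulation results (not real data).
SAMPLE_CSV = """\
employee_name,email,department,campaign,clicked,reported,notes
Ana Ruiz,ana.ruiz@example.com,Finance,2024-01,yes,no,forwarded to ben.cho@example.com
Ben Cho,ben.cho@example.com,Finance,2024-01,no,yes,
Ana Ruiz,ana.ruiz@example.com,Finance,2024-02,no,yes,
Dee Park,dee.park@example.com,IT,2024-02,yes,no,
"""

DROP = {"employee_name"}   # assumed column: direct identifier, not needed for rates
PSEUDONYMIZE = {"email"}   # assumed column: keep rows linkable, but not readable
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def pseudonym(value, key):
    # Keyed HMAC: the same address always maps to the same token, and the
    # token cannot be recomputed from a staff directory without the key.
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return "user-" + digest[:12]

def anonymize_csv(text, key):
    """Return the CSV with DROP columns removed and e-mail addresses tokenized."""
    reader = csv.DictReader(io.StringIO(text))
    kept = [c for c in reader.fieldnames if c not in DROP]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=kept, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        clean = {}
        for col in kept:
            if col in PSEUDONYMIZE:
                clean[col] = pseudonym(row[col], key)
            else:
                # Also catch addresses hiding in other columns, such as notes.
                clean[col] = EMAIL_RE.sub(lambda m: pseudonym(m.group(), key), row[col])
        writer.writerow(clean)
    return out.getvalue()

if __name__ == "__main__":
    import secrets
    # The key stays inside the organization; only the output is uploaded.
    print(anonymize_csv(SAMPLE_CSV, secrets.token_bytes(32)))
```

Names written inside free-text fields are not caught by the e-mail pattern, so such columns should be reviewed or dropped before upload.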

Photos

This one is pretty simple: just upload a picture (any picture) and AI will explain what is happening in the picture. This may sound silly at first, but it can be quite useful. Let’s say a user needs to replace a part in a car or bike, but doesn’t know what the part is called. Upload a picture of it and AI can analyze the image and the part. In addition, AI can explain how to replace the part and the tools needed. Or perhaps there is an amazing cake the user would like to make, but they only have a picture of it. Upload the picture of the cake and AI can generate the recipe to make it. Or perhaps a user has a picture of a car they like or a plant they would like to grow, but they don’t know the name of it. In addition, AI can decode and translate any text in the image, such as a poster written in a foreign language in the background of the picture. Features like these can also be useful for Open-Source Intelligence (OSINT) analysis of images.

Original content can be found at SANS Institute.


Author Bio: Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture and awareness training and is a SANS senior instructor.