Leveraging AI to Manage Human Risk – (Part 1)

Note: This blog post is the first in a series on what Artificial Intelligence (AI) is, the different types and how they work, the legal / security issues potentially involved, and most importantly how to make the most of it as part of you Security Awareness / Human Risk efforts. This series will provide a broad overview of AI but then later in the series focus primarily on what is known as Generative AI. The goal of these posts is to not only amplify and improve the maturity of your program, but also provide you the skills to grow your reputation and career. You can access the other blog posts from this series below.

• Part 1: Overview of AI
• Part 2: Generative AI & Prompt Engineering
• Part 3: Issues, Challenges, and Limitations of AI
• Part 4: Advanced Prompt Engineering
• Part 5: Generating Images
• Part 6: Analyzing Data

What is AI?

AI are systems programmed to think and respond like humans. In fact, I asked the AI system ChatGPT that very question. This was its response:

“Artificial intelligence (AI) refers to the simulation of human intelligence in machines that are programmed to think and learn like humans. It involves the development of algorithms and computer programs that can perform tasks that typically require human intelligence, such as recognizing speech, understanding natural language, making decisions, and playing games. There are several types of AI, including rule-based, expert systems, and machine learning.”

What makes AI so powerful is that it can have the intelligence and reasoning capability of the human mind but can analyze exponentially more information and do it in a matter of seconds. The concept of AI is not new. Originally covered in science fiction novels, AI has been in development for decades. We are hearing so much about it now because for the first time, we have the chance to interact with and see the true functionality of AI.

ChatGPT, an online-powered AI chat bot, is one of the first publicly available chat bots that has the ability to think and respond like a real human, passing what’s called the Turing Test. Originally developed by Alan Turing in 1950, the Turing Test determines a machine’s ability to exhibit intelligent behavior by having a real human interact and have a conversation with the machine via a test-based chat channel. If the human cannot tell whether they are interacting with a machine or a person (in other words, they cannot tell the difference), the machine passes the test.

ChatGPT and other AI solutions today are some of the first publicly available solutions that do just that. However, online conversations are just the beginning of what AI can do. There are now AI solutions that can create in real-time a video of a real person teaching anything you want in any language you want, analyze millions of health records and quickly determine who most likely has cancer, create news articles or essays on the topic of your choice, generate images for children’s books or analyze and understand images you submit, and generate code for new computer programs.

AI is not to be feared, it is simply a very new and powerful tool that we can take tremendous advantage of. One of the biggest challenges we face in cybersecurity, especially when trying to address human risk, is the teams responsible are often grossly understaffed lacking the people and resources to effectively get the job done. AI has the ability to exponentially increase your capacity and amplify your impact at a fraction of the time and cost of traditional methods. As such I’ll be going into the numerous ways and examples of how you can safely and securely leverage AI.

What are the different types of AI and which should I use?

AI describes a very large and diverse field of research. There are many terms used to define AI and related sub-fields, so it can get very confusing very fast. Below, I simplify key elements of AI and how they relate to each other. Remember, I’m focusing on the use of AI from a managing human risk perspective, so what I cover here is only a small part of a very broad science.

• Artificial Intelligence: Think of Artifical Intelligence as an umbrella term encompassing an entire field of scientific study attempting to replicate how humans learn, think, discover, and reason.
• Machine Learning (ML): Machine Learning is a sub-field of Artificial Intelligence. While not the only sub-field, it is currently one of the most successful. ML is a set of algorithms that looks at large data sets, learns from patterns within that data, and makes predictions or decisions without being explicitly programmed for the task. The more data it analyzes, the better its decisions can become. Think of it this way; instead of telling the computer the rules, ML identifies patterns and creates the rules on its own similar to how humans learn from experience. The concept of ML is not new, it was first developed in the 1950s. What is new is that the algorithms are getting better, the data sets they analyze are getting much larger (think Internet), and the processing power used to analyze the data (think Cloud and faster processors) has become exponentially faster.
• Deep Learning: Deep Learning is a subset of machine learning. The key idea behind deep learning is the use of neural networks with many layers (hence "deep") to analyze various forms of data. Deep learning has been instrumental in achieving state-of-the-art results in many AI tasks, such as image recognition, speech recognition, and natural language processing.
• Generative AI: Generative AI (also known as GenAI) uses its knowledge of what it has learned through ML and Deep Learning to create new content (text, images, music) similar to how humans do. Generative AI is what we will focus on in this blog series as it is generative AI that can make you so much more productive. Generative AI saves you time by creating for example customized images for your infographic, a detailed project plan for your ambassador program, an engagement plan for rolling out MFA, a business plan for increasing the size of your team, or computer-based training with real human actors and in any language you want. However, this is also the same technology that cyber threat actors use to create deepfakes and highly customized email and phone call social engineering attacks.
• Large Language Models (LLM): LLM is a type of generative AI designed and trained to understand and generate human languages. LLM’s can create written content, answer questions, translate materials and more. To put it all together, ChatGPT is a type of LLM, which is a type of generative AI, which is based on deep learning, which is a type of machine learning.

As you begin to better understand AI you can also understand both the advantages and disadvantages of AI. The advantage is its ability to quickly analyze huge amounts of data (as in billions of data points), identify patterns and leverage those patterns. The disadvantage of AI is the answers or output is only as good as the data it has analyzed and it is only as good as the algorithms used to analyze that data, to include any human biases that have been introduced into those algorithms.

Interested in reducing your organization’s human risk? Check out my course LDR433: Managing Human Risk and sign up for a FREE course preview here.

In part two of this series, we go into details of what generative AI is and how to leverage it using a method called prompt engineering. If you have a specific question about leveraging AI that you would like me to cover, please reach out at lspitzner@sans.org.