A penetration tester, who did not have an access badge, managed to follow a group of employees through multiple badged-access doors and into the data center without being stopped. The tester mentions this finding during the after-action review with the Chief Information Security Officer (CISO). Which of the following issues should the CISO address as a result of this finding?

Role-based access control (RBAC) pertains to granting access to resources based on an individual's role within an organization. While this is an important security measure, the situation described does not primarily relate to access permissions based on roles but rather to exploiting social interactions. Therefore, addressing RBAC would not directly resolve the issue of human factors allowing unauthorized access.

Shoulder surfing involves observing someone’s confidential information, typically over their shoulder, such as passwords or PINs. This scenario does not involve the tester observing credentials but instead focuses on physical access granted through social interaction. Thus, while shoulder surfing is a security concern, it does not apply to the circumstances described.

An insider threat refers to risks posed by individuals within the organization who have insider information or access. Although the tester exploited employee behavior, the main issue centers around the manipulation of social dynamics rather than an intentional act by an insider. Therefore, addressing insider threats does not directly tackle the breach of security demonstrated in this case.