In Cybersecurity, Mitigating Human Risk Goes Far Beyond Training

COMMENTARY

As the stakes of cyberattacks continue to rise, organizations are throwing more and more money at innovative new services and equipment to thwart them. But, at the same time, many are still taking a customary, one-size-fits-all approach to securing perhaps the most critical threat vector: the human element. There's little to be gained by spending more on locks and security guards if someone unknowingly leaves the door open for robbers into the building.

Year after year, the human element consistently ranks among the greatest risk factors in cybersecurity — it is projected to play a central role in 68% to 90% of breaches in 2024 — and the standard practice of mandated security awareness trainings isn't driving improvement, as stolen credentials, data leaks, and targeted phishing emails remain prevalent. To address this critical vulnerability, chief information security officers (CISOs) must take a more data-driven, tailored approach to mitigating human risk that goes beyond just training — one that requires human-by-design cybersecurity.

Quantifying Risk

Security awareness training helps, but it doesn't complete the job, as it treats every employee the same. In reality, some users are highly adept at sniffing out threats, while others require additional support. Some subsets of users are targeted with great regularity, while others receive very few phishing attempts. As such, a human-centric security approach must begin with a detailed understanding of the organization's distribution of risk.

The first step is pinning down those at the company who are most at risk. Studies have found that just 8% of employees cause 80% of incidents, and many in this subset typically are repeat offenders. Certain individuals are also targeted more frequently, due to their prominence: Managers receive 2.5 times more phishing emails on average than non-managers, and the rate of attempts goes up for all employees the longer they remain at a company, nearly doubling every three years.

These figures can vary widely between organizations, so it's key for businesses to perform their own analysis. This can be done by analyzing data that's often overlooked — like the logs generated by security endpoints when they prevent employees from executing malware — and gathering patterns from it. In the ideal framework, security administrators should be able to pull data from all manner of security tools to understand what good or risky security decisions users make on an ongoing basis and build a profile on users' individual security risk.

Managing Risk

Much like financial institutions with credit scores or insurance companies with premiums, organizations can then begin leveraging these risk scores to create a personalized, adaptive approach to security, beginning with tailored training.

Rather than making all employees complete the same generic security awareness modules (which, let's be honest, most people will just blow through with little attention paid), individuals who have proven themselves a low risk can instead be served a light slate of policy reminders and checklists. Those on the opposite end of the spectrum, who are either frequently targeted or will be, can be mandated to take more rigorous training with a focus on the topics related to the risks they face.

With detailed insights into behavior patterns, organizations can also reward good security practices with recognition. They can then take steps to stem bad habits with interventions like adaptive nudges — personalized messages sent out at the right time, or context to prevent users from falling victim to attacks — or strategies like tighter email security filtering, stricter browsing permissions, or reducing the time that multifactor authentication tokens are valid on at-risk users' machines.

It's important that these practices are carried out with transparency so employees know how the security team plans on using this collected data. When security teams take a constructive stance — for example, by sending out report cards that affirm positive behavior and suggest areas to improve — employees almost universally respond with openness and appreciation. For the small percentage of users in the high-risk group, extra care should be taken to explain how the additional training and adaptive measures are designed to help them get better.

Tracking Improvement

Collecting and analyzing security events also allows administrators to take a more data-driven approach to measuring results and, ideally, improvement. By gauging their baseline, security teams can then track the number of risky behaviors occurring on the network over time and dial in the best methods of "bubble wrapping" subsets of the user base to reduce future occurrences.

This measurability stands in stark contrast to conventional human risk mitigation practices (i.e., simple awareness training), which can often take the form of a black hole in terms of understanding impact and, in turn, return on investment (ROI). With an objective, outcomes-first approach, CISOs can both deliver security improvement and clearly demonstrate the success of the investment to the rest of the C-suite.

As threat actors get smarter about how they target employees, the onus is on organizations and their cybersecurity partners to create a strong line of defense — and the human element is a critical component. Companies that take a more intelligent, personalized approach to curbing risky behavior will stand the best chance of safeguarding their organizations against cyberattacks, all while making more efficient use of their security budgets.