Engagement Strategies for Cybersecurity Human Risk Management
Aug 16
Lev Lesokhin Lev Lesokhin is an experienced business technologist, a former software developer, consultant, and tech executive. Having started his career at MITRE, Lev has had many touch-points with cybersecurity thought leaders over the years. In his current role as OutThink's Executive Vice President for Technology and Analytics, he works with customers and industry leaders to build a quantitative framework for evolving security awareness into human risk management.
Engagement Strategies for Cybersecurity Human Risk Management
The Cybersecurity Human Risk Management Forum roundtable in New York City brought together participants from leading organizations such as Mass Mutual, Natixis, Apple Bank, Goldman Sachs, and Columbia University for an in-depth discussion on managing the complex risk of human-IT interaction. As we waded into a discussion about the way security engagement relates to secure behaviors, the conversation diverged into several threads, including security awareness, outcome metrics, and leadership involvement in security management.
Engagement Signals in Cybersecurity Human Risk Management - Learner Feedback
Early in the discussion, the group came to the topic of security friction. Users often chafe under the yoke of restrictive security policies, because security controls can get in the way of doing the job. The net effect of this friction is that people simply bypass the controls. One of the CISOs in the room shared an anecdote from a past role (to be clear, NOT one of the companies in the room) of a security colleague figuring out his own way to bypass the firewall in order to get to certain online services. Policy resistance is a natural human tendency, even if said human is on the very team meant to implement the policy.
The key, it turns out, is to engage IT users in understanding the sources of security friction, and then to mutually find solutions that get the business process working in a secure way. The holy grail is to get that level of business engagement to such a state where the business reaches out to the security team proactively, asking for help to build security into new projects from their start.
Engagement Metrics vs. Outcome Metrics for Security
One of the CISOs in the room pointed out the importance of measuring the impact of awareness programs. Traditionally, one way to measure impact has been through phishing simulations. Measuring training completions as the only specific and relevant metric remains the uncomfortable norm. Engagement is important for the security team to measure, but it is likely not a metric for company leadership to track.
Outcome metrics came up as a viable alternative to training completion rates. Metrics like dwell time measure meaningful resilience capabilities and can be continually improved. There are several others that will be the subject of a future post.
Example Outcome Metrics:
Dwell time: Time between the first click and phishing report.
Reporting rate: Percentage of phishing emails reported.
Reduction in policy violations: Fewer incidents of security control bypassing.
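As an added illustration (not code from the post or from OutThink), the following computes these three outcome metrics from a phishing-simulation event log. The event records, the event names ("delivered", "click", "report") and the "clicked but never reported" follow-up list are constructed assumptions; dwell time follows the post's definition, first click to report.

```python
from datetime import datetime
from statistics import median

# Constructed sample events (hypothetical, not real telemetry).
# Each record is (user, event, ISO timestamp).
SAMPLE_EVENTS = [
    ("alice", "delivered", "2024-05-01T09:00:00"),
    ("alice", "click",     "2024-05-01T09:05:00"),
    ("alice", "click",     "2024-05-01T09:07:00"),  # repeat click: dwell uses the first one
    ("alice", "report",    "2024-05-01T09:25:00"),
    ("bob",   "delivered", "2024-05-01T09:00:00"),
    ("bob",   "report",    "2024-05-01T09:02:00"),  # reported without clicking: no dwell
    ("carol", "delivered", "2024-05-01T09:00:00"),
    ("carol", "click",     "2024-05-01T10:00:00"),  # clicked and never reported: needs a nudge
    ("dave",  "delivered", "2024-05-01T09:00:00"),  # ignored the email entirely
]


def outcome_metrics(events):
    """Reporting rate, median dwell time (minutes) and the click-only follow-up list."""
    delivered, first_click, first_report = set(), {}, {}
    for user, kind, ts in events:
        t = datetime.fromisoformat(ts)
        if kind == "delivered":
            delivered.add(user)
        elif kind == "click":
            first_click[user] = min(first_click.get(user, t), t)
        elif kind == "report":
            first_report[user] = min(first_report.get(user, t), t)

    # Reporting rate: share of delivered simulations that were reported at all.
    reported = set(first_report) & delivered
    rate = len(reported) / len(delivered) if delivered else 0.0

    # Dwell time per the post: first click -> report, only where a report followed a click.
    dwells = [(first_report[u] - first_click[u]).total_seconds() / 60
              for u in first_click if u in first_report and first_report[u] >= first_click[u]]

    return {
        "delivered": len(delivered),
        "reporting_rate": rate,
        "median_dwell_minutes": median(dwells) if dwells else None,
        "clicked_not_reported": sorted(u for u in first_click if u not in first_report),
    }


def violation_reduction(before, after):
    """Fractional drop in control-bypass incidents between two periods (None if no baseline)."""
    return None if before <= 0 else (before - after) / before
```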
Fostering Security Awareness Engagement in the Business Leadership
The topic of engaging business leadership in managing security in a human-centric way always comes up in these roundtables. Today’s session did not disappoint. The consensus around the table was that cybersecurity Human Risk Management is a risk the business needs to own, and the CISO’s role is to advise the business leadership how to manage this risk.
One of the CISOs took us in the direction of having role-based training for the business leaders in the organization. Upon reflection, this is really a matter of the CISO having a serious conversation with the relevant business leaders to level set the role and responsibilities of the business owner in setting company culture and strategy for collective ownership of security risk. This needs to be an ongoing conversation between business and security leaders in order to truly engage at the executive level. Leadership’s involvement is critical, as noted by Gartner.
Incorporating Security Awareness Champions for Team Engagement
Another take on engagement is to run an effective security champion, or ambassador, program. Our CHRM Research Report spells out the behavioral segmentation of OutThink’s entire learner base, showing that 24% of learners turn out to be Security Champions. Running a process that identifies each individual’s behavioral segment can help identify the best candidates for a security champion program.
The members of the roundtable agreed that champions will often appear more approachable than the CISO’s organization for questions about security, or even for feedback to the security team. The best case for engagement in this vein is to foster discussions about secure processes and behaviors inside and among the teams in the business. Security champions should nurture and facilitate such conversations.
In-Training Engagement
Engagement in security awareness training is critical for the training to be successful. While it may seem like a good idea to force engagement through gamification or interactive content, forced engagement can turn into a net negative. If a busy executive is forced to play a “security game” in order to consume irrelevant content, this experience will only build resentment towards the security team.
This has the opposite effect of all the forms of engagement described in this post. Engagement has to be real because the content is hyper-targeted and relevant. It cannot be forced atop “one size fits all” content.
Of course, we want to avoid the bottom right quadrant of this Engagement-Completion matrix. But we do want to track the learners that do fall into that bottom right category: their lack of engagement tells us something useful. For those who show themselves to be high-risk IT users through their actions, this insight can help the security team intervene in time to prevent an adverse event from happening.
Engagement After Security Awareness Training
The level of actual engagement the security team generates with the employee base is most meaningful, of course, outside and after the training interaction. Actual engagement can be seen in a variety of forms:
Providing feedback on security controls: Teams share experiences with control friction, either through champions or directly.
Interacting with training nudges: Employees respond to follow-ups, such as explaining why they clicked on a phishing simulation.
Involving the security team in new initiatives: Business teams proactively seek advice from the security team to ensure new projects are secure from the start.
All in all, stimulating employee engagement in security awareness training programs is a holistic, organization-wide effort that requires a layered approach.
Engagement is a Pillar of Cybersecurity Human Risk Management
Engagement is obviously critical for the security team to move up the Cyber HRM maturity journey. But engagement with training content is only one form of engagement, and perhaps the spark that starts the journey. There are many other ways the CISO should measure and seek engagement between employees and the business. We’ll continue writing about different approaches and strategies security leaders can take to foster employee engagement with their cybersecurity awareness programs.
To discover more actionable strategies for Human Risk Management, visit the CHRM Forum and explore how OutThink’s innovative solutions can support your security journey.