Human Risk Management's Eight Dimensions of Secure Behavior Segmentation

25/07/2024

Lev Lesokhin
Lev Lesokhin is an experienced business technologist, a former software developer, consultant, and tech executive. Having started his career at MITRE, Lev has had many touch-points with cybersecurity thought leaders over the years. In his current role as OutThink's Executive Vice President for Technology and Analytics, he works with customers and industry leaders to build a quantitative framework for evolving security awareness into human risk management.

Assessment Segmentation for Human Risk Management

Human behavior is hard to predict. Even when specific behaviors and attributes are observed, such as a history of clicking on links or holding access rights to PII, past behavior on its own is not a reliable predictor of future risk.
Past behavior does not reveal what an individual is experiencing internally; one cannot infer motive from past action.
All users need to be viewed and treated as individuals. At scale, the practical starting point is to view them through the lens of behavioral segments, and then refine from there.

Level of Knowledge - Adaptive Security Awareness Training

The knowledge dimension of cybersecurity human risk management asks security teams to consider users according to the following questions, so that security awareness training can adapt to what each user already knows:
Have users demonstrated a high level or low level of knowledge?
Have they shown understanding of specific secure behaviors?
Have they ever been trained on the organization’s security policies?
Are they new joiners completely unfamiliar with the organization's cybersecurity culture?

Level of Access - Adaptive Security

In Cybersecurity Human Risk Management, employees and their behaviors should be evaluated according to the following criteria to inform Adaptive Security with relevant user insights:
Do they have Privileged Access?
Do they handle sensitive data such as Personally Identifiable Information (PII)?
Do they have access to highly confidential information?

Role in Organization - Adaptive Security Awareness Training

For Human Risk Management to be effective, security teams must factor in the specific characteristics of every user's role to ensure their Adaptive Security Awareness Training program is engaging and relevant to them. Questions they should consider include:
Are users in a role requiring specialized knowledge, such as system or domain controller administration, engineering, finance, HR or vendor management?
What are the unique tasks they carry out on a daily basis?
What are the associated cyberthreats?

Workplace Exposure - Adaptive Security Awareness Training

When assessing users, Human Risk Management programs must also consider the parameters of their work environment and what their specific role exposes them to, such as:
Are they in an office with good physical security, such as badge readers and key cards at every entrance?
Do they mostly work outside the office, from home, a cafe or a shared co-working space?
Do they travel frequently and often have to work in public places?
Do they have a VPN? Is it fast, easy to set up, configure, and use, or do they have an incentive to bypass it?

Psychographic Segments - Human Risk Intelligence

The Behavioral Security Grid (BSG), developed by Dr. Angela Sasse and her team at University College London, proposes a list of 16 segments, among them Shadow Agents, Abdicators, Rule Breakers and Champions.
These designations are a function of an individual user's risk understanding and affective security (their emotional response to security policies and recommendations), both of which are critical, below-the-waterline human risk factors. The result is a more granular, individualized snapshot of an organization's employees and their commitment to secure behaviors, which security teams can act on directly. Champions, for instance, can amplify the efforts of the security team across the whole organization.

Attitudes and Alignment - Human Risk Intelligence

How users perceive and feel about company cybersecurity policy is a fundamental aspect of human risk management: it gives security leaders a qualitative read on how effective their cybersecurity culture is and on the organization's risk posture. The following questions are especially instructive:
How high is user engagement and intention to comply?
Are they dismissive towards security policy?
How confident are they in their ability to carry out secure behaviors?
Do they perceive security controls as misaligned with their ability to do their job efficiently, creating friction with security policy?

Phishing Resilience - Human Risk Management

Though basic phishing resilience metrics have long been a feature of legacy security awareness training programs, human risk management asks more penetrating questions about how each employee responds to phishing attacks and phishing training:
Are they a repeat clicker?
What is their time-to-report to security and how do they rank when benchmarked against the rest of their organization and their industry?
Which deception technique are they most vulnerable to?
Are they a detractor (someone that deletes or ignores obvious phishing attacks)?
Are they a defender (someone with a demonstrated readiness to help the organization detect and respond to phishing attacks)?
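The questions above are only useful if each one maps to a metric that can be computed from simulated-phishing results. The following Python, an added example rather than OutThink's own code, computes them over a constructed set of campaign records: click counts (repeat clicker), median time-to-report with a percentile rank against the rest of the organization, the lure type a user has clicked most, and the detractor and defender labels. The two-click threshold, the "reports at least half of the lures seen" rule for defenders, and the sample data are assumptions made for illustration.

```python
"""Phishing-resilience metrics from simulated-phishing campaign records.

Added example, not OutThink's code. Every record below is constructed:
(user, campaign, lure type, clicked?, seconds until the user reported the
email to security, or None if they never reported it).
"""
from collections import defaultdict
from statistics import median

EVENTS = [
    ("alice", "c1", "invoice",  False, 120),
    ("alice", "c2", "password", False, 300),
    ("alice", "c3", "delivery", True,  900),   # clicked, then reported late
    ("bob",   "c1", "invoice",  True,  None),
    ("bob",   "c2", "password", True,  None),
    ("bob",   "c3", "delivery", False, None),
    ("carol", "c1", "invoice",  False, None),  # ignores or deletes every lure
    ("carol", "c2", "password", False, None),
    ("carol", "c3", "delivery", False, None),
    ("dave",  "c1", "invoice",  True,  1800),
    ("dave",  "c2", "password", False, 60),
    ("dave",  "c3", "delivery", False, 45),
]

# Assumed policy: two or more clicks in the window flags a repeat clicker.
REPEAT_CLICK_THRESHOLD = 2


def user_metrics(events):
    """Per-user campaign count, clicks, reports, median time-to-report and weakest lure."""
    seen = defaultdict(int)
    clicks = defaultdict(int)
    reports = defaultdict(list)
    lure_clicks = defaultdict(lambda: defaultdict(int))
    for user, _campaign, lure, clicked, reported_after_s in events:
        seen[user] += 1
        if clicked:
            clicks[user] += 1
            lure_clicks[user][lure] += 1
        if reported_after_s is not None:
            reports[user].append(reported_after_s)
    out = {}
    for user, campaigns in seen.items():
        # Lure type with the most clicks; None when the user never clicked.
        # With only a few campaigns per user this is a weak signal, so treat
        # it as a training hint rather than a verdict.
        by_lure = lure_clicks[user]
        weakest = max(by_lure, key=by_lure.get) if by_lure else None
        out[user] = {
            "campaigns": campaigns,
            "clicks": clicks[user],
            "reports": len(reports[user]),
            "median_ttr_s": median(reports[user]) if reports[user] else None,
            "weakest_lure": weakest,
        }
    return out


def ttr_percentile(metrics):
    """Share of reporting peers whose median time-to-report is no faster than the user's.

    1.0 means nobody in the organization reports faster; None means the user
    has never reported. Industry benchmarks need external data, so this is an
    organization-only rank.
    """
    medians = {u: m["median_ttr_s"] for u, m in metrics.items() if m["median_ttr_s"] is not None}
    result = {}
    for user, m in metrics.items():
        t = m["median_ttr_s"]
        result[user] = None if t is None else sum(v >= t for v in medians.values()) / len(medians)
    return result


def segment(metrics, threshold=REPEAT_CLICK_THRESHOLD):
    """Assign phishing-resilience labels; a user may carry more than one."""
    labels = {}
    for user, m in metrics.items():
        tags = set()
        if m["clicks"] >= threshold:
            tags.add("repeat_clicker")
        if m["reports"] == 0 and m["clicks"] == 0:
            tags.add("detractor")   # deleted or ignored every lure, told no one
        if m["reports"] > 0 and m["reports"] * 2 >= m["campaigns"]:
            tags.add("defender")    # assumed rule: reports at least half of lures seen
        labels[user] = tags
    return labels


if __name__ == "__main__":
    m = user_metrics(EVENTS)
    p = ttr_percentile(m)
    for user, tags in segment(m).items():
        print(user, m[user], "ttr_pct=", p[user], "labels=", sorted(tags))
```

Note that the labels are deliberately not exclusive: a user who clicks but then reports is both a click risk and a defender, and the training response to that combination differs from the response to someone who never reports at all.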

Exhibited Behavior - Human Risk Intelligence

A key aspect of Human Risk Management is using data pulled through API integrations with other cybersecurity products to enrich each user's risk profile with evidence of what they actually do, rather than what they say. Such data answers questions about security behavior like:
Does the user browse risky sites or use social media extensively?
Have they had multiple DLP violations?
Have they had frequent authentication failures?
Do they use unapproved cloud applications or engage in shadow IT?
Do they have overwhelming email volumes?
Do they leave confidential documents on their desk?
Are malware events frequently detected on their endpoint?

How Secure Behavior Segmentation Enhances Adaptive Security Awareness Training

Most security professionals sense that tailored content is the key to high learner engagement. But when asked, they often point towards role-based training and little else. Many organizations want to build role-based security training, which by itself is not easy to do.
Role-based training alone isn’t enough for security awareness training to be timely and effective. It’s important to look beyond just role-based content and consider these other dimensions of learner segmentation. When taken together, these eight dimensions of security behavior can greatly increase the relevance and timeliness of security awareness training - thereby delivering the right content to the right people at the right time.