Human Risk Management's Eight Dimensions of Secure Behavior Segmentation
Jul 25
Lev Lesokhin Lev Lesokhin is an experienced business technologist, a former software developer, consultant, and tech executive. Having started his career at MITRE, Lev has had many touch-points with cybersecurity thought leaders over the years. In his current role as OutThink's Executive Vice President for Technology and Analytics, he works with customers and industry leaders to build a quantitative framework for evolving security awareness into human risk management.
Assessment Segmentation for Human Risk Management
Human behavior is hard to predict. Even when specific behaviors or attributes are observed, such as clicking on links or holding access rights to PII, there is no direct correlation between past behavior and future risk.
Past behavior doesn't reveal what each individual is experiencing internally. One can't infer motive from past action.
All users need to be viewed and treated as individuals. At scale, as a starting point, that means they should be viewed through the lens of behavioral segments.
Level of Knowledge - Adaptive Security Awareness Training
Cybersecurity human risk management's knowledge-based criterion requires that security teams consider users according to the following questions to enable adaptive security awareness training:
Have users demonstrated a high level or low level of knowledge?
Have they shown understanding of specific secure behaviors?
Have they ever been trained on the organization’s security policies?
Are they new joiners completely unfamiliar with the organization's cybersecurity culture?
Level of Access - Adaptive Security
In Cybersecurity Human Risk Management, employees and their behaviors should be evaluated according to the following criteria to inform Adaptive Security with relevant user insights:
Do they have Privileged Access?
Do they handle sensitive data such as Personal Identifying Information (PII)?
Do they have access to highly confidential information?
Role in Organization - Adaptive Security Awareness Training
For Human Risk Management to be effective, security teams must factor in the specific characteristics of every user's role to ensure their Adaptive Security Awareness Training program is engaging and relevant to them. Questions they should consider include:
Are users in a role requiring specialized knowledge, such as system administration, domain controllers, engineering, finance, HR or vendor management?
What are the unique tasks they carry out on a daily basis?
What are the associated cyberthreats?
Workplace Exposure - Adaptive Security Awareness Training
When assessing users, Human Risk Management programs must also consider the parameters of their work environment and what their specific role exposes them to, such as:
Are they in an office with good physical security, badge card readers, and key cards?
Are they always in a shared space like a cafe, their home or a WeWork?
Do they travel frequently and have to work often in public places?
Do they have a VPN? Is it fast, easy to set up, configure, and use?
Psychographic Segments - Human Risk Intelligence
The Behavioral Security Grid (BSG), developed by Dr. Angela Sasse and her team at University College London, proposes a definitive list of 16 segments, ranging from Shadow Agents and Abdicators to Rule Breakers and Champions.
These designations are a function of an individual user’s risk understanding and affective security (emotional response to security policies and recommendations) - both critical, below-the-waterline human risk factors. Security teams benefit from more granular, insightful, and individualized snapshots of their organization's employees and their commitment to secure behaviors. Champions, for instance, can be leveraged to amplify the efforts of the security team across the whole organization.
Attitudes and Alignment - Human Risk Intelligence
User perception of and sentiment towards company cybersecurity policy is a fundamental aspect of human risk management that provides security leaders with a qualitative understanding of their cybersecurity culture's effectiveness and organizational risk posture. The following questions are especially instructive:
How high is user engagement and intention to comply?
Are they dismissive towards security policy?
How confident are they in their ability to carry out secure behaviors?
Do they perceive security controls to be in misalignment with their ability to do their job efficiently, causing security policy friction?
Phishing Resilience - Human Risk Management
Though basic phishing resilience metrics have long been a feature of legacy security awareness training programs, human risk management asks more penetrating questions about how employees respond to phishing attacks and phishing training:
Are they a repeat clicker?
What is their time-to-report to security and how do they rank when benchmarked against the rest of their organization and their industry?
Which deception technique are they most vulnerable to?
Are they a detractor (someone who deletes or ignores obvious phishing attacks)?
Are they a defender (someone with a demonstrated readiness to help the organization detect and respond to phishing attacks)?
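One way to derive these phishing-resilience signals (repeat clicker, time-to-report, organization benchmark, weakest deception technique, detractor/defender stance) from simulation results, as an added example that is not part of the article or of OutThink's platform; the event rows and the defender/detractor thresholds are constructed assumptions:

```python
from collections import Counter, namedtuple
from datetime import datetime
from statistics import median

# Constructed phishing-simulation results, one row per (campaign, user).
# clicked/reported are ISO timestamps, or None when the user did not act.
Event = namedtuple("Event", "campaign user technique sent clicked reported")
EVENTS = [
    Event("c1", "alice", "invoice", "2024-05-01T09:00", "2024-05-01T09:05", None),
    Event("c2", "alice", "invoice", "2024-06-01T09:00", "2024-06-01T09:12", None),
    Event("c3", "alice", "credential", "2024-07-01T09:00", None, "2024-07-01T09:40"),
    Event("c1", "bob", "invoice", "2024-05-01T09:00", None, "2024-05-01T09:03"),
    Event("c2", "bob", "invoice", "2024-06-01T09:00", None, "2024-06-01T09:06"),
    Event("c3", "bob", "credential", "2024-07-01T09:00", None, "2024-07-01T09:02"),
    Event("c1", "carol", "invoice", "2024-05-01T09:00", None, None),
    Event("c2", "carol", "invoice", "2024-06-01T09:00", None, None),
    Event("c3", "carol", "credential", "2024-07-01T09:00", None, None),
]

def _minutes(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def profile(user, events=EVENTS):
    """Per-user phishing resilience: repeat clicker, time-to-report, weakest technique, stance."""
    mine = [e for e in events if e.user == user]
    clicks = [e for e in mine if e.clicked]
    report_times = [_minutes(e.sent, e.reported) for e in mine if e.reported]
    # Technique the user fell for most often; None if they never clicked.
    counts = Counter(e.technique for e in clicks)
    weakest = counts.most_common(1)[0][0] if counts else None
    # Assumed thresholds (not from the article): a defender reports at least
    # two thirds of lures; a detractor neither clicks nor reports any lure.
    if len(report_times) >= 2 * len(mine) / 3:
        stance = "defender"
    elif not clicks and not report_times:
        stance = "detractor"
    else:
        stance = "neutral"
    return {"repeat_clicker": len(clicks) >= 2,
            "median_time_to_report_min": median(report_times) if report_times else None,
            "weakest_technique": weakest, "stance": stance}

def org_benchmark(events=EVENTS):
    """Rank reporters by median time-to-report within the organization (1 = fastest);
    users who never reported are unranked (None)."""
    users = sorted({e.user for e in events})
    medians = {u: profile(u, events)["median_time_to_report_min"] for u in users}
    ranked = sorted((m, u) for u, m in medians.items() if m is not None)
    rank = {u: i + 1 for i, (_, u) in enumerate(ranked)}
    return {u: rank.get(u) for u in users}
```

An industry benchmark would replace the organization-wide ranking with the same computation over a peer dataset.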
Exhibited Behavior - Human Risk Intelligence
A key aspect of Human Risk Management is leveraging data derived from API integrations with other cybersecurity products to enrich user risk profiles with observed behavior and gain a clearer understanding of each user's cybersecurity risk. Such data addresses relevant questions about security behavior like:
Does the user browse risky sites or use social media extensively?
Have they had multiple DLP violations?
Have they had frequent authentication failures?
Do they use unapproved cloud applications or engage in shadow IT?
Do they have overwhelming email volumes?
Do they leave confidential documents on their desk?
Do they frequently cause malware events on the endpoint?
How Secure Behavior Segmentation Enhances Adaptive Security Awareness Training
Most security professionals sense that tailored content is the key to high learner engagement. But when asked, they often point towards role-based training and little else. Many organizations want to build role-based security training, which by itself is not easy to do.
Role-based training alone isn’t enough for security awareness training to be timely and effective. It’s important to look beyond just role-based content and consider these other dimensions of learner segmentation. When taken together, these eight dimensions of security behavior can greatly increase the relevance and timeliness of security awareness training - thereby delivering the right content to the right people at the right time.