In this article we’ll discuss one of the main aspects of cyber security human risk management: targeting behavioural change within an organization.
This discussion is an excerpt from the presentation given by Dr Shorful Islam, Chief Product & Data Officer at OutThink, at the Digital 2020 ISF World Congress, entitled "Measuring Human Risk and Targeting Behavioural Change – A Real-World FTSE100 Example".
Human risk in cyber security
What is cyber security human risk management?
Most CISOs know that people are the major cause of security incidents and data breaches (ICO, 2019: 90.7% of security incidents were due to human error). The question that arises is: how do we prevent human error in cyber security? Cyber security human risk management is a combination of psychology, data science and technology that makes it possible to measure human risk and target behaviour change.
Why is the human mind key to cyber security?
Our client, the CISO of a FTSE company, wanted to use our knowledge to solve the problem of behavioural change within his organization. Dr Shorful explains that theories of behaviour from psychology are already used to predict consumer behaviour in marketing. The same knowledge can be applied in cyber security human risk management to bring about behaviour change.
Dr Shorful points out that in his role as a data scientist in the marketing space, he worked on predicting customer behaviours such as "churn", or customer attrition. By segmenting on churn, it is possible to build a customer segmentation that describes the different types of customers who churn. That information is then used to stop those customers from leaving.
One of the biggest challenges faced by a CISO is securing the organization without adding tasks for employees. So our client asked us to use our tools without requiring any extra work from employees. Moreover, whatever we found had to be actionable.
Cyber Security Human Risk Management Platform
Using our cloud human risk management platform (SaaS), built from the ground up to collect data and apply theories of behaviour from psychology, adapted for the cyber security space by our Chief Scientific Advisor, Prof. Angela Sasse, and her PhD students, we were able to measure and manage human risk. More than that, we are interested in finding out why employees with risky behaviour are more likely to cause a security breach.
Measuring Human Awareness in Cyber Security
Once our client's employees had completed the security awareness training, we were able to identify the individuals who were high risk and segment them into different groups.
How to Drive Behaviour Change in Cyber Security?
We extracted substantial data and decided to focus on four groups of people, of which two were low risk and two were high risk. We'll start with the low-risk individuals.
- Followers. This group will most likely copy the security behaviours they see around them. The intervention for these employees is to educate them, through posters, webinars and regular updates, on what good security behaviours look like, and to direct them towards Champions who can advise on the right thing to do when they are unsure.
- Champions. This small group is made up of individuals with high knowledge of cyber security who also believe that information security is a good thing. The intervention for this group is to recruit them as Security Champions within the organisation and empower them with the right knowledge, tools and resources. This allows them to keep exhibiting safe behaviours and to confidently help other employees.
Biggest Risk in Cyber Security is Human Risk
The two high-risk groups are the most important for cyber security human risk management. However, their behaviour is high risk for different reasons, and understanding those reasons helps hugely in preventing human error in cyber security. The two high-risk groups are the following:
- Naive users. Their intentions are good, but they lack the knowledge to stay safe. The intervention identified for this group consisted of social engineering training.
- Shadow agents. These individuals have the knowledge but don't think the rules apply to them. For this group, it was decided that the SOC (Security Operations Centre) would prioritise alerts involving them.
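The decision to have the SOC prioritise alerts involving shadow agents is the one operational step in the case study that a detection team has to implement. The following is an added example, not code from the presentation or from the OutThink platform, of how that could look in a SIEM enrichment step: alerts are joined to the per-user segment exported by the human-risk platform, a segment-dependent boost is added to the alert's base severity, and the triage queue is ordered by the result. The segment names come from the article; the export format, the alert types, the base severities, the boost values and the sample alert lines are all constructed for this example.

```python
import json
from typing import Dict, List

# Constructed sample of a per-user segment export from the human-risk platform.
# The four segment names are the article's; the format is an assumption.
RISK_SEGMENTS: Dict[str, str] = {
    "alice@example.com": "shadow_agent",
    "bob@example.com": "naive_user",
    "carol@example.com": "champion",
    "dave@example.com": "follower",
}

# Assumed base severity per alert type (1 = low, 5 = critical); tune to your SIEM.
BASE_SEVERITY: Dict[str, int] = {
    "dlp_usb_copy": 3,
    "phish_link_click": 2,
    "policy_bypass_attempt": 4,
    "mfa_fatigue": 3,
}

# Assumed priority boost per segment. Shadow agents get the largest boost, as the
# article's client decided. Naive users get a small boost because their alerts are
# likely genuine mistakes worth a coaching follow-up rather than rule-breaking.
SEGMENT_BOOST: Dict[str, int] = {
    "shadow_agent": 3,
    "naive_user": 1,
    "follower": 0,
    "champion": 0,
}

MAX_PRIORITY = 5

# Constructed alert lines, one JSON object per line, as a SIEM might export them.
SAMPLE_ALERTS = """\
{"id": "A1", "type": "phish_link_click", "user": "bob@example.com"}
{"id": "A2", "type": "dlp_usb_copy", "user": "alice@example.com"}
{"id": "A3", "type": "policy_bypass_attempt", "user": "carol@example.com"}
{"id": "A4", "type": "mfa_fatigue", "user": "unknown@example.com"}
{"id": "A5", "type": "phish_link_click", "user": "dave@example.com"}
"""


def enrich(alert: dict) -> dict:
    """Attach the human-risk segment and a triage priority to one alert.

    Users missing from the export and unknown alert types fall back to neutral
    values instead of raising, so a stale or partial export never blocks triage.
    """
    segment = RISK_SEGMENTS.get(alert.get("user", ""), "unsegmented")
    base = BASE_SEVERITY.get(alert.get("type", ""), 1)
    priority = min(MAX_PRIORITY, base + SEGMENT_BOOST.get(segment, 0))
    return {**alert, "segment": segment, "priority": priority}


def triage_queue(raw_lines: str) -> List[dict]:
    """Parse newline-delimited JSON alerts, enrich them and order them for triage.

    Highest priority first; ties keep arrival order because sorted() is stable.
    """
    alerts = [enrich(json.loads(line)) for line in raw_lines.splitlines() if line.strip()]
    return sorted(alerts, key=lambda a: a["priority"], reverse=True)


if __name__ == "__main__":
    for a in triage_queue(SAMPLE_ALERTS):
        print(f'{a["priority"]} {a["id"]} {a["type"]:<22} {a["user"]:<22} {a["segment"]}')
```

Two caveats a SOC would want before wiring this in: the boost should only apply where the user is the actor in the alert, not the target (a shadow agent receiving a phishing e-mail is no more suspicious than anyone else), and the priority is a triage ordering, not a verdict about the person, so the segment field should be visible to the analyst rather than silently folded into the score.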
This knowledge helped our client make the first move in managing human risk and targeting the different groups of employees for behaviour change.
How can OutThink help you manage Human Risk?
If you wish to deliver targeted security awareness training, identify your high-risk employees and learn how to support them better; in short, if you wish to manage human risk in cyber security, please watch the following video.
Take the first step in securing your organization!