Rethinking Security Awareness: Towards a Structured Cyber HRM Framework

Yesterday morning, May 22, 2024, a steadfast selection of security experts got together for the second meeting of the Cybersecurity HRM Forum. The delegates in attendance included heads of Security GRC, security awareness and heads of cybersecurity who recognize the problems with today’s human risk management approach and would like to see it turned upside-down.

It didn’t hurt that the meeting took place in a private room at the Sky Garden, atop the locally-famous walkie talkie building in London. The discussion was robust and colorful. Here are some of the key points from this roundtable.

The Status Quo: A Broken System

Current security awareness training methods are widely viewed as punitive rather than educational. Employees often regard mandatory training videos, as a form of punishment. This sentiment underscores a broader issue: the current approach to security awareness is ineffective and indefensible.

The cybersecurity landscape is stuck in a time loop, facing the same challenges it did two decades ago. Despite regulatory requirements pushing industries like banking towards advanced cybersecurity measures, many organizations still lag. For example, one bank faced a $250 million fine for failing to manage human risk effectively, with an uphill remediation battle costing as much as $1 billion, highlighting the immense cost of regulatory compliance and the subsequent security improvements needed to meet standards.

However, a compliance-centric focus can stifle genuine engagement and innovation, trapping organizations in a checkbox mentality that prioritizes legal cover over meaningful security improvements. One delegate went so far as to say they wished security were not a compliance requirement at all!

The Business Case for Change

Incidents and their root causes offer valuable insights into the effectiveness of current controls and training. By conducting root cause analyses (RCA) on all incidents, organizations can identify common causes, many of which stem from human error. This approach allows for targeted interventions and the implementation of more effective controls.

Additionally, the cost of time wasted on generic training is staggering. For instance, if 100,000 employees spend two hours each on irrelevant training, it equates to a significant financial drain. Shifting focus to training tailored to specific business risks and behaviors can yield better results and higher engagement. If I must watch something completely irrelevant, how much will I really pay attention?

Challenges in Implementing Cyber HRM

Many security teams, especially outside large financial institutions, are understaffed and under-resourced. For small to medium enterprises, the sophistication level in cybersecurity is notably low. To address these gaps, a Cyber Human Risk Management (CHRM) framework needs to be simple, consumable, and provide clear guidance on best practices.

According to participants of the CHRM Forum, human error and negligence are the most common factors in cybersecurity incidents, emphasizing the need for a streamlined and effective CHRM approach.

Enhancing Engagement

Engagement is the lifeline of any security awareness program. Making the content personal and relevant can significantly increase attention and retention. For example, training that helps employees protect their families may have a higher impact than generic corporate training.

Incentives and punishments can also play a role. Employees with good risk postures could be granted more freedom, such as continued use of personal devices or social media at work. Conversely, high-risk individuals might need additional training or face restrictions until they improve.

A major issue is the lack of a common engagement metric. Without a standardized way to measure and improve engagement, it’s challenging to identify high-risk individuals and provide them with the necessary support.

Prioritizing Controls and Practices

Organizations must prioritize security practices based on impact. Often, a small number of processes account for a large portion of company revenue. Identifying and implementing the most critical security controls is essential. For example, out of 3,000 lines in the ISF SOGP, only 30 security controls might be necessary, with 15 being important and just 5 critical.

Leveraging Internal Influencers

Internal influencers can play an important role in identifying and reporting security issues. However, this can be a politically sensitive topic. Exposing flaws in security controls can lead to backlash from those who designed or audit these controls. A culture that supports and protects these influencers is vital for fostering a proactive security environment.

The Need for a CHRM Framework

The delegates in this session agreed that the cybersecurity industry lacks a standardized, systematic approach to managing human risk. There’s a need for a consistent, methodical framework that prioritizes actions and ensures effective implementation. The proposed CHRM framework aims to address these gaps, bringing structure and coherence to the management of cybersecurity human risk.

By adopting a structured CHRM approach, organizations can move beyond mere compliance, fostering a security culture that is engaging, effective, and resilient.