Addressing the Human Element to Cybersecurity Risks

Addressing the Human Element to Cybersecurity Risks

Creative and Personalized Security Awareness Education

The 2016 Data Breach Investigations Report from Verizon reaffirmed that employees continued to play a major role in many of the data security breaches in the past year. For example, some 63% of confirmed breaches involved weak, default or stolen passwords. Miscellaneous error – staff sending information to the wrong person – accounted for nearly 18% of breaches. Despite a wealth of preventative measures, employees remain one of the costliest factors in a number of data breaches and security incidents, which continue to increase at an alarming rate.

So who is at fault? It’s hard to say because although employees are clearly identified as a source of risk to the business, boards and executives are also increasingly being held responsible for risky cybersecurity practices. Conversely, many boards and executives are looking to those in IT and asking what they are doing to mitigate the risk posed by the ‘human element’. They want to know what is being done to address the security risk that employees pose. They want to see that there is a true awareness program in place that aims for meaningful changes in employee knowledge and behaviour.

Fortunately, there is a lot of good work being done in this area that can help organizations evaluate whether they are on the right track in addressing the human threat. Learning from the world’s most risk-aware companies, the best awareness programs do the following common things:

  1. They assess and analyze the real human performance within the organization;
  2. They create a plan for sustained improvement; and
  3. They introduce a series of educational interventions (e.g. training and reinforcement) targeted at changing behaviour and encouraging a risk-aware culture.

Network Monitoring Tools

Network monitoring tools for user behavioral analytics (UBA), are quickly emerging to identify patterns and signs that reveal the presence of bad actors in the IT environment.  An exciting use of UBA is tying it directly to “just-in-time-training”. For example, when Sally saves a company document to an unapproved cloud storage site such as Dropbox, she may be faced with a system generated pop-up that reminds her of the company’s policy on only storing company documents in an authorized environment. If Sally does it again, the system then might provide a quick video on reasons why it is best to avoid an unapproved cloud storage system. Months later, if Sally makes the same mistake again, she might be automatically enrolled in a 15-minute course on approved cloud storage. That is a perfect example of delivering the right training to the right person at the right time.


Personalized training can also take the form of simulated phishing and social engineering attacks that reveal what risky actions employees are most likely to take when given the opportunity. Such simulations can employ a wide variety of clever techniques to gather passwords, obtain access to sensitive information, or gain physical access through tactics as simple as an email or a phone call, tailgating, or leaving dummy USB devices in the work environment.

Assessing Competence

Organizations that take the human problem seriously know that they must examine the current state of employee knowledge, skills and attitudes toward data security. Rather than giving everyone training on a whole slew of topics – the most expensive and most time-consuming option – individuals can be trained on what they might be lacking, by assessing competence on a case-by-case basis. For instance, Sally has received five simulated phishing attempts over the past year and has forwarded each of them to IT without clicking the link, whereas Mike has bitten on three of those five phishing campaigns. Based on that information, one can conclude that Sally probably does not need phishing training, but Mike definitely does. Identifying risk factors at the individual level saves time and money, as the organization likely does not need to train Sally and Mike equally.

Planning your Security Awareness Program

Like anything in life, planning is key when it comes to developing a successful, comprehensive awareness program that addresses identified risk factors. As part of that plan, organizations should ask themselves if they have set out to implement both formal and informal educational programs. Conventional wisdom would say formal training, often web-based, is the way to go. This is largely due to the ease with which employees can be held accountable for taking training. But the education program cannot stop there if the organization really wants to create a change in behaviour. The best programs do not rely solely on formal training, instead they rely on a variety of educational measures to communicate desired  knowledge and behaviour to employees.

Once an organization has a solid plan, it needs to quickly inventory whether or not it has the capacity to deliver the desired program. For example, does the organization have the capacity to deliver educational reinforcement in the form of games, videos and posters? Are executives on board and willing to champion messages in their daily communication with employees? Are all the right people in place to support and help carry out the program? Is the program supported by the right vendors and an appropriate budget? Organizational capacity to successfully deploy a program is critical to carrying out the plan.

Even the organization that has identified it specific risk factors, developed a plan, and is going to implement formal and informal training, can do better by assessing whether it has a culture of security. This is hard to measure, but not impossible. Information gathering at this level calls for rigorous employee knowledge assessments. An example would be the Security Culture Diagnostic Survey that was designed to identify and compare security cultures in organizations. It can be found in the book People-Centric Security: Transforming Your Enterprise Security Culture, by Lance Hayden. The Cybercrime and Real Behaviour Change Toolkit is also a great resource.

Threats are not slowing down and the best efforts of employees need to keep up. Employee security awareness education must continually adapt to new and emerging threats. The best way toward this goal is through a robust, risk-aligned and adaptive awareness program.

For assistance with building a strong security awareness program or for more tips on creative training techniques, contact PRIVATECH