Here's why human risk is not a priority in your business

CATEGORY
Measuring human risk
BY
Max Kurton
DATE
October 10, 2022
FOR
Security Awareness Pros

ANATOMY OF HUMAN RISK

As humans, we make mistakes because we are, well, human. There is no getting around that. However, how we manage that human risk makes the difference in how an organisation handles a security incident.

The simple definition of human risk encompasses loss to an organisation caused by human factors, including people's decisions and non-decisions, actions and non-actions. This loss can be financial or non-financial.

Not all of the responsibility falls on the employee. Human risk can also be caused by how an organisation manages its people and what it demands from them.

Taking these two factors together, it is a well-known fact that 90% of all security incidents involve employee security behaviour. When incidents occur, the consequences can be serious: data loss, financial loss, or reputational damage.

THE GOAL IS TO REDUCE INCIDENTS

The employees within an organisation are essential to day-to-day operations. These are the people who represent the business and the brand, deal with customers, and handle sensitive data.

The CISO and the security awareness teams must demonstrate continued improvement across every level of security behaviours, risks, and incidents.

This can be achieved from a security behaviour perspective by decreasing the number and severity of poor security behaviours. Security awareness teams need to use data and actionable insights versus a pray-and-spray method for all employees.

The entire culture of an organisation needs to shift, which means hurdles must be overcome on a psychological and sociological level.

Awareness alone is not enough to reduce incidents, because awareness campaigns only communicate risks and the desired behaviour. You also need to ensure that employees understand the context of the content and are qualified and motivated to implement it.

RAISING AWARENESS VS MANAGING HUMAN RISK

As we have noted, most awareness teams focus only on awareness, which is just the tip of the iceberg. Awareness has a small impact on security behaviour and almost no impact on avoiding incidents.

To correctly manage human risk, you need data insights from within your organisation to understand where the problem areas are.

With data insights into an employee's behaviour, awareness teams can understand risky employees and teams. Then teams and individuals will be able to undertake data-driven security coaching and engagement, which empowers them to prevent breaches.

If you are tackling security behaviours correctly, you should see a decrease in the number of risks resulting from poor behaviour.

By setting up automations that trigger when risky behaviour occurs, security teams can intervene and support people who make security mistakes, which can drastically reduce the number of more significant incidents.

IMPROVING BEHAVIOUR VS MANAGING HUMAN RISK

A mature awareness team within an organisation will focus on driving behaviour improvement. They will ensure that human risk management is ingrained in every aspect of the business. The security behaviours of individual staff need to be as prevalent as their usual day-to-day tasks.

It is possible to strongly bias employees' security decisions through various methods that lead to a consistent behaviour change.

From a capability standpoint, you can implement employee tools such as a standard phishing reporting button and have processes in place to make it easier for staff to make the right decisions.

Implementing ChatOps within your organisation allows employees to be involved in security conversations by helping them understand what is happening from a software development and operations standpoint. You can even automate the chat clients to be relevant for notifying staff about certain security behaviours.

Outside of the current capability of your employees and the tools they have at their disposal, you need to ensure that the interest in security is consistent.

Utilising a rewards programme within your organisation will yield massive results. Whenever somebody completes a task that benefits the security of an organisation, a reward should be given. 78% of employees say recognition motivates them in their job, and 68% feel that recognition with a reward makes them feel valued and motivated at work.

Utilising a gamification model within your team allows for friendly competition and a drive for each team member to succeed. Completing tasks that place you on a leaderboard with your peers will create a win-win situation in which the employee is engaged, learning is made more fun, and the employee is more likely to remember the behaviours they are being taught.

Finally, it is essential to make security continuously present throughout the working day without interfering with the tasks staff need to complete. Using nudges, you can gently remind staff of proper security behaviour without being invasive. Generic phishing simulations do not have the same effect: it has been proven that it does not matter what you show in your phishing simulation, it does not make an impact. In comparison, a nudge provides an emotional intervention and changes employee behaviour.

MANAGING HUMAN RISK

To recap, it is vitally important that the security awareness team understands that managing human risk involves taking action at every level.

The core foundation of reducing incidents is making security behaviours part of the broader company culture. Employees need to feel empowered to make decisions about a particular behaviour that is in the best interest of the company quickly and with confidence.

There needs to be year-round coaching and planning to help improve this behaviour. Tailored training and frequent nudges can easily be delivered when behaviours deviate from the expected course. Having automations in place when poor security behaviours occur prevents them from becoming future risks to the company.

Even though you have done all in your power to eliminate risk, there will still be a residual risk. Ensure that the security team is focused on manually triaging residual dangers before they become incidents.
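The data-driven loop described in the "Raising awareness vs managing human risk" section and recapped above (score behaviour events per employee and team, fire an automated nudge on known risky behaviours, escalate to tailored coaching above a threshold, and hand anything unmatched to the manual triage queue as residual risk) can be sketched as a small scoring engine. This is an added illustration, not code from the original post; the events, weights, nudge wording and threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample behaviour events (not real telemetry):
# (employee, team, behaviour, weight). Negative weight = good behaviour.
EVENTS = [
    ("alice", "finance", "phish_sim_click", 3),
    ("alice", "finance", "phish_sim_click", 3),
    ("bob", "finance", "phish_reported", -2),
    ("carol", "eng", "usb_blocked", 2),
    ("dave", "eng", "unknown_anomaly", 1),
]

# Automations: behaviour -> nudge sent as soon as the behaviour occurs.
# Hypothetical wording chosen for this example.
NUDGES = {
    "phish_sim_click": "Hover over links before clicking; use the report button.",
    "usb_blocked": "Use the approved file-transfer service, not removable media.",
}

COACHING_THRESHOLD = 5  # per-employee score at which tailored coaching is scheduled


def process_events(events, nudges=NUDGES, threshold=COACHING_THRESHOLD):
    """Return (employee_scores, team_scores, nudges_sent, coaching, residual).

    residual holds positive-weight events with no automation attached; these
    are what the security team still has to triage manually.
    """
    employee_scores = defaultdict(int)
    team_scores = defaultdict(int)
    nudges_sent, residual = [], []
    for person, team, behaviour, weight in events:
        employee_scores[person] += weight
        team_scores[team] += weight
        if behaviour in nudges:
            nudges_sent.append((person, nudges[behaviour]))  # automated intervention
        elif weight > 0:
            residual.append((person, behaviour))  # no automation: manual triage
    coaching = sorted(p for p, s in employee_scores.items() if s >= threshold)
    return dict(employee_scores), dict(team_scores), nudges_sent, coaching, residual


if __name__ == "__main__":
    emp, team, sent, coach, rest = process_events(EVENTS)
    print("employee scores:", emp)
    print("team scores:", team)
    print("nudges sent:", sent)
    print("coaching queue:", coach)
    print("residual (manual triage):", rest)
```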

Finally, at the peak of your pyramid of defence for managing human risk, there should be only a small peak: responding to incidents. As long as you are targeting the root of the problem, ensuring that good security behaviour is instilled in the mindset of every single employee, the time you spend dealing with incidents should be drastically reduced.
