“Imagine a future where instead of placing all of the onus on the employees, security actually adapts their technology and their processes to the people they are trying to protect,” Jinan Budge, a principal analyst with Forrester, said during the Forrester Security & Risk Forum 2022 on Nov. 8.
Right now, security awareness and training programs largely rely on outdated, compliance-driven training. Most employees consider it a boring task that takes time away from their jobs. Budge outlined a different approach that could change both how employees perceive security and how effective organizations' security programs are.
Understanding Security Behaviors
Budge advocated for organizations to expand their idea of security behaviors. Phishing link click rates are a common measure of security program success, but this is just one human behavior. “Security behaviors can include things like using a password manager, using multifactor authentication, using VPNs, locking your devices,” Budge explained.
Each security behavior is linked to potential risk. If organizations do not recognize those behaviors, their security programs cannot minimize the associated risk.
A National Institute of Standards and Technology (NIST) study found that 84% of organizations use completion rates as a measure of security program effectiveness.
Security awareness and training programs educate people about security behaviors, but completion rates do not tell organizations whether the training has actually changed anyone's behavior. Does security training have a measurable positive effect on risky security behavior? Completion rates cannot answer that question.
Quantifying Human Risk
Instead of looking at just completion rates, Budge urged organizations to quantify human risk. Integrations with security tools can help organizations capture data that paints a picture of people’s security behavior. Once that risk is quantified, organizations can home in on the kind of security training that is needed.
“You can train people who need it on particular topics, rather than training them on all of the things, all of the time,” Budge pointed out.
Leveraging Risk-Based Interventions
Once organizations have a handle on human risk, they can intervene to change behavior. “One of the very beautiful things about measuring human risk is that it allows you to intervene at the point of bad behavior occurring,” Budge expanded.
Interventions can be both training-based and policy-based. For example, the moment someone enters a weak password is an opportunity for coaching: the organization can intervene right then and let the person know how their security behavior compares with their colleagues', according to Budge.
Organizations can also change their policies in response to quantified human risk. For example, they can withhold certain privileges from users whose measured risk is high, and communicate to those users why their access is limited.
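As an added illustration (not code from the article or from Forrester), the following Python sketches a human-risk pipeline of the kind described in the two sections above: it ingests behavior telemetry, scores each person, assigns only the training topics that person's own behavior calls for, produces a coaching message at the moment a weak password is entered that compares the user with colleagues, and gates a privilege on measured risk. The event names, risk weights, thresholds, privilege ceilings and the sample telemetry are all assumptions made for the example; in practice the records would come from integrations with tools such as an email gateway, identity provider, password manager and device management.

```python
"""Added example, not code from the article or from Forrester.

A minimal human-risk pipeline: score behaviour telemetry per user, pick
targeted training topics, coach at the point of a weak password, and gate
privileges on measured risk. All names, weights and thresholds are assumed.
"""
from collections import defaultdict

# Risky behaviour -> (risk weight, training topic that addresses it).
# Assumed model; a real programme would calibrate weights against incidents.
RISK_MODEL = {
    "phish_click":         (3, "phishing"),
    "mfa_not_enrolled":    (3, "multifactor authentication"),
    "weak_password":       (2, "passwords"),
    "no_password_manager": (1, "passwords"),
    "device_unlocked":     (1, "device hygiene"),
    "vpn_off_public_wifi": (2, "remote access"),
}

# Constructed telemetry: one record per observed risky behaviour. In practice
# these would be fed by integrations (email gateway, IdP, password manager, MDM).
EVENTS = [
    {"user": "alice", "behavior": "phish_click"},
    {"user": "alice", "behavior": "mfa_not_enrolled"},
    {"user": "alice", "behavior": "weak_password"},
    {"user": "bob",   "behavior": "device_unlocked"},
    {"user": "carol", "behavior": "phish_click"},
    {"user": "carol", "behavior": "phish_click"},
    {"user": "carol", "behavior": "no_password_manager"},
    {"user": "dave",  "behavior": "vpn_off_public_wifi"},
]

# Assumed risk ceilings per privilege: above the ceiling the privilege is withheld.
PRIVILEGE_CEILINGS = {"admin": 5, "vpn": 9}

# Tiny illustrative list; a deployment would use a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def score_users(events, model=RISK_MODEL):
    """Sum the risk weights of each user's observed behaviours."""
    scores = defaultdict(int)
    for e in events:
        if e["behavior"] in model:          # unknown behaviours are ignored here
            scores[e["user"]] += model[e["behavior"]][0]
    return dict(scores)


def training_plan(events, model=RISK_MODEL):
    """Map each user to only the topics their own behaviour calls for."""
    plan = defaultdict(set)
    for e in events:
        if e["behavior"] in model:
            plan[e["user"]].add(model[e["behavior"]][1])
    return {u: sorted(topics) for u, topics in plan.items()}


def percentile_riskier_than(user, scores):
    """Share of colleagues (0.0-1.0) whose risk score is lower than `user`'s."""
    others = [s for u, s in scores.items() if u != user]
    if not others:
        return 0.0
    mine = scores.get(user, 0)
    return sum(1 for s in others if s < mine) / len(others)


def is_weak_password(pw):
    """Illustrative check: too short or a well-known password."""
    return len(pw) < 12 or pw.lower() in COMMON_PASSWORDS


def coaching_moment(user, password, scores):
    """Return an inline coaching message when a weak password is entered, else None."""
    if not is_weak_password(password):
        return None
    share = percentile_riskier_than(user, scores)
    return (f"{user}: that password is weak; let your password manager generate one. "
            f"Your measured risk is higher than {share:.0%} of your colleagues.")


def privilege_allowed(user, scores, privilege, ceilings=PRIVILEGE_CEILINGS):
    """Policy intervention: withhold a privilege when measured risk exceeds its ceiling."""
    return scores.get(user, 0) <= ceilings.get(privilege, float("inf"))


if __name__ == "__main__":
    scores = score_users(EVENTS)
    for user, topics in training_plan(EVENTS).items():
        print(f"{user}: risk={scores[user]} train on {', '.join(topics)}")
    print(coaching_moment("alice", "password", scores))
    for user in scores:
        print(f"{user}: admin={'granted' if privilege_allowed(user, scores, 'admin') else 'withheld'}")
```

The point of the structure is that every intervention reads from the same measured risk: the training plan lists only the topics each person has actually shown a need for, the coaching message fires at the moment of the behavior rather than in a quarterly course, and the privilege check turns the risk score into a policy decision that can be explained to the user.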
Budge emphasized the continuing importance of content. “There is always going to be a need to communicate, engage, influence your various stakeholders. And to do that, to help them build critical thinking about cybersecurity, you will need content,” she said.
That doesn’t mean content shouldn’t evolve. She pushed for more engaging content that uses humor to connect with people and effectively communicate information about security awareness.
Solidifying Security Culture
Defining security culture can be challenging, but it is an important step to a better future for awareness and training. “Without having a strong security culture, you are not going to be getting people interested in security. You’re not going to get the funding. You’re not going to get the buy-in that you need. You’re not going to get the stakeholders supporting your business programs,” said Budge.
Organizations are beginning to have more access to tools to help them define and adopt security culture. Budge pointed to startups, and some larger vendors, that have developed culture mapping platforms that help organizations measure the attitudes, knowledge, and responsibilities around cybersecurity.
This brighter future for security awareness and training is about six to 10 years out, according to Budge. But human risk management can help organizations build the foundation they need to reach that future: adaptive human protection in security.