HRM & Cybersecurity Blog | Living Security

How to Factor Human Behavior into Your Risk Management in Cybersecurity

Written by Living Security Team | October 19, 2022

Understanding risks before they happen makes the difference between a surprise, hasty clean-up reaction and a successfully blocked attack, but at the rate threats adapt and change, how can you stay ahead of them? To know what’s coming, you need to know where the greatest risks might be. More specifically, your users – the humans involved in cybersecurity risk – need to be ready. The key to developing successful risk management techniques in cyber security risk is understanding the human element.  Through monitoring risky behaviors, analyzing potential weaknesses, and deploying strategic training, CISOs can turn human risk into human empowerment and build a cybersecurity culture from strength, not fear. 

What Is Cybersecurity Risk Management?

Cybersecurity risk management is an overall approach to identifying, analyzing, evaluating, and lastly managing your organization's cybersecurity threats. The goal of organizations implementing risk management in cybersecurity is to ensure the most critical threats are handled in a timely manner. However, what cybersecurity risk management frameworks often fail to understand is the human element in risk.

Why is Human Behavior Key to Risk Management?

When it comes to risk management in cyber security, only one thing is certain: There is no certainty. Threats change daily, even hourly, and determining which potential threats are the highest priority requires awareness, keen insight, and adaptability. Effectively safeguarding a company means being able to handle risks posed by external threats that are often unpredictable. 

But it’s not just the external threats that put a company at risk: Internal ones can be just as damaging, if not more. A 2022 Data Breaches Investigation Report by Verizon found that 82% of data breaches involve a human element. Managing human risk effectively can make the difference between a secure frontline defense and one that’s exposed, either through human error or inaction. 

How Human Behavior Affects Cybersecurity

Because human behaviors have such an impact on security, it's clear that a great cybersecurity framework is going to take this into account. After all, what is risk management in cyber security if it doesn’t include the greatest source of risk?

Some of the most common human behaviors that lead to security fails include:

Falling for Phishing Attacks

Most people are familiar with phishing attacks — those emails we all get that look slightly off, too good to be true, or from someone who we don’t recognize, claiming to be part of our organization — but despite this general familiarity, it’s surprising how often people still fall for them. One click on a link that looks close enough can compromise a whole organization. It’s important to educate the riskiest individuals or groups within an organization so that they can identify a phishing email and take the correct action. And ideally it’s not a “one and done,” “check the box” training. Consider sending one-off “tests” to see who clicks, who forwards to the security team, and who ignores it completely. 

Lack of Password Security

Having a secure password is important, but sometimes, people take shortcuts. Choosing a weak or common password, or something that can easily be guessed, is like leaving your front door wide open and asking someone to steal your TV. Keeping on top of weak or common passwords and informing users that they need to change and strengthen them is a simple but effective way to add a layer of security and enhance an organization’s risk mitigation defenses. Also helpful? A company-wide password vault that reminds them automatically. The trick is ensuring everyone uses it. 

Falling for Fake Software Updates

This one is similar to a traditional phishing attack, but can be more sophisticated, and harder to identify. Most individuals want to comply with keeping their software up to date, thinking that they’re helping, but they’re really installing malware. So how do you train them to be more discerning? The next time a popup or email appears before them, will they know what to do?

Lack of Communication

The bottom line with all of these common human risks to cybersecurity is information. When individuals know what to do, they don’t have to guess. This means keeping the lines of communication open — not to risk, but to education. When a company’s risk management strategy includes and prioritizes human risk management, it’s stronger, safer, and its employees are more empowered because they know what to do. 

How to Manage Human Risk Effectively

The solutions that will lead to a more effective risk management strategy should always begin with gathering more information. You wouldn’t set out on a hiking trip or vacation to a country you’ve never visited without first informing yourself about what might be ahead of you. Whatever your organization may be  — from the specialized needs of the healthcare industry to the unique needs of the software industry — your first step is gathering information about what’s already happening within your organization. 

Monitoring

It’s likely that your organization is already monitoring an array of things, or has the capability to do so. How often are people failing at login or using incorrect passwords? How often are they clicking phishing links, or visiting unsecured websites? Are there specialized needs within your organization or industry, and are you looking at them? Of what you’re already doing, what could be automated to gather data about employee behaviors related to cybersecurity? 

Analytics

Once you have the repository of data, how do you parse it and turn it into some sort of actionable insight? This is the step that often is the most challenging for organizations and program owners, mostly because there are only so many hours in the workday, and when push comes to shove, your attention is often divided and the last thing you want to do is manually generate some sort of spreadsheet or report that is going to be out of date in a week anyway. Ideally, you figure out the most common or malicious activities and work to get early-warning alerts to help prevent them from happening in the first place.

Training

In the current era of technology and cybersecurity, old-school security awareness training isn’t effective. You must do more than “train everyone;” you must also reinforce training to the riskiest cohorts, make learning fun and relevant, and do it more than once a year. If boosting security awareness across your entire organization will increase the resilience of your cybersecurity framework, then imagine what effects training your riskiest members and groups could have. 

What Existing Cybersecurity Frameworks Get Wrong

Why is risk management important in cyber security? Human risk management is key to empowering the kind of behavior changes that greatly increase security. 

The fact that managing human risk is the key to an effective frontline of security isn’t exactly a secret. And yet, so many existing frameworks don’t take human behavior into account — or, if they mention it, it’s second to other cybersecurity programs that potentially only can guard against that remaining twenty or so percent of threats. 

While they have been working towards an updated response to this changing threat landscape, the National Institute of Standards and Technology hasn’t formally updated their Framework for Improving Critical Infrastructure Cybersecurity since 2018. Think of everything that has changed since then! More people use technology than ever before, and the work-from-home revolution has taken over.

Other existing risk management tests — ones with a mandatory, once-a-year training and a quiz at the end — can’t prove that the training has worked just from that one quiz. If you can’t see whether behaviors have changed as a result of the training, then how can you prove that anything is different? Not to mention that those mandatory training sessions are often outdated (and few employees actually want to attend!)

The way things have always been done just isn’t good enough. There is a better way. 

Better Risk Management With Living Security

Living Security believes that cybersecurity human risk management is a better approach to security awareness.  This includes:

  • Aggregating data from your existing security technology platforms – sources you already have and trust.
  • Clear analytics that tell you the risky (and vigilant) behaviors so that you can prioritize actions or make decisions.
  • Effective, targeted actions specific to the type of behaviors and individuals who are most likely to be a risk, and where it will have the most positive impact on your organization's risk.

Living Security’s Unify insights Human Risk Management platform brings these three elements together for a real-time, scalable program for CISOs and Program Owners can effectively step in front of cyber risks and attacks before they become incidents. 

 

Learn more about how Living Security’s Unify insights Human Risk Management platform can help boost your risk management strategy, and make your cybersecurity framework strong, agile, and resilient.