How to Measure the Human ...
February 20, 2023
A company device is left unattended while its owner gets up to grab his coffee from the bar.
A simple password is used across multiple accounts and multiple services.
A link from a spoofed company email, clicked by an uninformed, well-intended employee.
Human risk is everywhere, and it isn’t always easy to see. While humans are a company’s best asset, they can also be its greatest source of risk. Being able to identify and measure the human factor is crucial to building a robust cybersecurity framework, one that is better poised to adapt to threats and prevent risks before they become incidents. To do all this, an organization must understand the human factor in cybersecurity, how to measure it, and what to do with that data.
Human risk is everywhere, from personal and individual risk to risk that affects companies of all sizes. It’s defined as the risks caused by human behavior, and it’s not limited to tech companies or any particular sector. Any business that has humans in it has a human risk because humans make errors. So, unless you’re reading this from an all-robot company full of flawless beings, this will probably apply to you.
When it comes to the human element of cybersecurity, understanding the role human risk plays can help information security leaders recognize which human-driven threats might be on the horizon. Human risk may be anything from choosing an insecure or easily guessed password, to clicking on a link in a phishing email, to accidentally forwarding sensitive company data to an outside source. And while employees may know that they need to lock their devices while unattended, or perform certain authentication checks, they might skip them just this once. All it takes is once, though.
In their 2022 Data Breach Investigations Report, Verizon found that 82% of breaches involved the human element. In order to prevent human risks from becoming incidents, employee behavior not only needs to be evaluated, but it also needs to change. Developing a human cyber risk evaluation model for your company is the most effective way to change this statistic for your own organization.
Human risk management is relevant across the entire organization, in every department, and at every level of the employee ladder.
All of these scenarios are avoidable if employees properly understand the risk involved, and if proactive, relevant security awareness training and preventative measures are in place to help them recognize and avoid these risks.
Simple human errors can cause all kinds of problems. Some examples of human risk include:
To measure the human factor in your workforce, a baseline must first be set. After all, to know where you’re going, you have to know where your starting point is. This baseline can be set by evaluating existing metrics, sending out surveys to encourage honest feedback, and researching what the most common issues have been.
It’s important to listen to what the IT team has experienced, but often, teams across the organization and outside of IT can provide key insight into what the most common cybersecurity issues in a specific company are. Maybe there are issues they’re experiencing, problems they can’t seem to resolve, or protocols they’re unclear about when it comes to cybersecurity best practices. This is step one in Human Risk Management.
Gathering data about employee behaviors is critical, too, but that can be trickier to aggregate. As they say, actions speak louder than words, and while the feedback across the organization is important, finding out what different users and groups are actually doing (or not doing) is vital. Human behavior is central to the concept of risk management in cybersecurity. Without appropriate solutions, however, effectively monitoring employee behaviors can be tricky.
Change starts with data, and knowing how to source it, analyze it, and respond to it has the potential to change human risk into human action. Living Security’s Unify solution gathers user data across organizations in order to analyze individuals, assigning them a risk score based on their past behaviors. It makes this process seamless and easier to target specific training solutions to the users who need it most, based on their behaviors.
Once you have your data, what do you do with it? Unify Insights Action Plans can be used to develop security programs that will work for the needs of a specific organization, group, or individual. Now, you can see that one department is clicking on phishing links, or that a specific remote user is experiencing repeated failed login attempts.
You can then deploy specific training or tools to these specific users or teams, making it timely and relevant to your riskiest users. Once the training is complete, you can then measure whether that training has been effective at changing risky behavior.
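To make the measure-then-act loop concrete, here is an added example (not code from Living Security or the Unify product) of how behavioral telemetry can be turned into per-user and per-team risk scores, used to pick the riskiest users for targeted training, and re-measured afterwards to check whether behavior actually changed. The event records, the behavior weights, and the training date are all constructed for illustration; a real programme would derive the weights from its own baseline and impact analysis.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Event:
    """One observed risky behaviour attributed to a user."""
    user: str
    team: str
    kind: str   # e.g. "phish_click", "failed_login", "unlocked_device"
    day: date


# Constructed sample telemetry (not real data), one record per observed behaviour.
EVENTS = [
    Event("alice", "finance", "phish_click", date(2023, 1, 10)),
    Event("alice", "finance", "phish_click", date(2023, 1, 20)),
    Event("bob", "finance", "failed_login", date(2023, 1, 12)),
    Event("bob", "finance", "failed_login", date(2023, 1, 12)),
    Event("bob", "finance", "failed_login", date(2023, 1, 13)),
    Event("carol", "engineering", "unlocked_device", date(2023, 1, 15)),
    Event("dave", "sales", "weak_password", date(2023, 1, 18)),
    Event("dave", "sales", "phish_click", date(2023, 1, 25)),
    Event("alice", "finance", "failed_login", date(2023, 2, 5)),
    Event("dave", "sales", "phish_click", date(2023, 2, 10)),
    Event("carol", "engineering", "unlocked_device", date(2023, 2, 12)),
]

# Hypothetical weights expressing how much each behaviour contributes to risk.
WEIGHTS = {
    "phish_click": 5,
    "weak_password": 3,
    "unlocked_device": 2,
    "failed_login": 1,
}

# Constructed: the day targeted training was delivered to the riskiest users.
TRAINING_DATE = date(2023, 2, 1)


def in_window(ev, start, end):
    """True if the event falls in [start, end); None means unbounded."""
    return (start is None or ev.day >= start) and (end is None or ev.day < end)


def user_scores(events, start=None, end=None):
    """Weighted sum of risky behaviours per user within the window."""
    scores = defaultdict(int)
    for ev in events:
        if in_window(ev, start, end):
            scores[ev.user] += WEIGHTS.get(ev.kind, 0)
    return dict(scores)


def team_scores(events, start=None, end=None):
    """Weighted sum of risky behaviours per team within the window."""
    scores = defaultdict(int)
    for ev in events:
        if in_window(ev, start, end):
            scores[ev.team] += WEIGHTS.get(ev.kind, 0)
    return dict(scores)


def team_breakdown(events, start=None, end=None):
    """Per-team counts of each behaviour kind, e.g. which department is clicking phishing links."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if in_window(ev, start, end):
            counts[ev.team][ev.kind] += 1
    return {team: dict(kinds) for team, kinds in counts.items()}


def riskiest(scores, n=3):
    """Users with the highest scores, ties broken by name for determinism."""
    return sorted(scores, key=lambda u: (-scores[u], u))[:n]


def training_effect(events, training_date, window_days=30):
    """Compare each user's score in the window before training with the window after.

    Returns {user: (before, after, delta)}; a negative delta means behaviour improved.
    """
    before = user_scores(events, training_date - timedelta(days=window_days), training_date)
    after = user_scores(events, training_date, training_date + timedelta(days=window_days))
    users = set(before) | set(after)
    return {
        u: (before.get(u, 0), after.get(u, 0), after.get(u, 0) - before.get(u, 0))
        for u in users
    }


if __name__ == "__main__":
    baseline = user_scores(EVENTS, end=TRAINING_DATE)
    print("baseline per user:", baseline)
    print("baseline per team:", team_scores(EVENTS, end=TRAINING_DATE))
    print("target for training:", riskiest(baseline, 2))
    print("behaviour breakdown:", team_breakdown(EVENTS, end=TRAINING_DATE))
    print("effect of training:", training_effect(EVENTS, TRAINING_DATE))
```

The baseline is computed only from events before the training date, so the post-training window gives an independent measurement of whether the targeted users' scores fell. Scores that stay flat (carol in the sample data) are the signal that a different intervention, not just more of the same training, is needed.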
At Living Security, we’re champions of the idea that human risk management is the future of cybersecurity. Human risk represents the greatest threat to an organization’s cybersecurity, but it can also be an organization’s greatest strength. To learn more about how Living Security Unify can help increase cybersecurity awareness across your organization and change behaviors, request a demo today.