The award-winning, cross-functional AES team: Rodrigo Garcia, Manager of Cyber Threat Management; Angie Wyatt, Director, Global Digital Workplace Experience & Collaborations; Ryan Boulais, CISO; David Badanes, Director of Cybersecurity Strategic Initiatives.
Step 1. Begin the journey. Drop the SAT tools. Adopt the security behavior and culture change model.
It’s not a compliance exercise. With at least three quarters of breaches starting with the human element, changing the way people behave online is a business imperative. Security awareness training does this when the program touches everyone and embeds fundamental cybersecurity habits from the board room to the mail room, transforming culture.
AES realized that the security awareness training (SAT) model they’d been using was designed to check a box, not win hearts and minds. They sought to measurably change people’s email behavior and lower the company’s human cyber risk.
So they set off on their journey. AES recognized that their awareness results had stagnated with multiple SAT tools and for multiple reasons, including:
- Non-interactive, one-way, quiz-based educational model
- Skills were not being built or behavior altered against real phishing attacks
- Manual creation and operation of phishing and awareness campaigns, and translation of phishing messages, was resource-intensive
- The phishing and awareness metrics were questionable
- Participation rates were stagnant
AES tested Hoxhunt against other SAT tools, and saw that their winding 5-year awareness journey was about to straighten out.
"When I think about human risk management and where we started with what we were doing from a training and awareness perspective, it really was a journey. I think we started with one or two different partners beforehand, but that was more of a, I don’t want to say boring, but like a traditional model that felt like a compliance exercise and, you know, not a whole lot of true engagement." – Ryan Boulais, CISO
Step 2. Create a strong onboarding program
A security training program's launch and rollout will largely determine its success. AES connected with key stakeholders across the organization before launching their new program to ensure maximum enrolment. This meant breaking down the silos surrounding cybersecurity, and building bridges to multiple business units.
“The key is just driving engagement. We wanted our people to have a platform that our employees really enjoyed using, so we focused really strongly on onboarding. We actually went to almost a site-by-site or location-by-location approach to get as many people as possible onboarded onto the platform. And then what we wanted to do was to get the rate at which our people reported messages to be as high as possible compared to the ones that were missed. And we would think about that as a resilience metric.” – David Badanes, Director of Strategic Cybersecurity Initiatives
Note on AES's meaningful metrics and the resilience ratio. Tracking and communicating the right metrics is crucial to its success. When reporting to the board, AES uses the resilience ratio, which is a handy dashboard metric that contextualizes human cyber-risk within behavior, skill and engagement. Simply divide the overall phishing simulation reporting rate by the failure rate. Resilience ratio is a much better depiction of true risk than isolated failure rate. Mind your misses and focus on success because a miss today is a phish tomorrow; and a failure-based approach is doomed to failure.
Step 3. Target engagement and email behavior
Phishing is the biggest risk for breaches. But the behavior that leads to a phishing breach can be measured and corrected. So start there!
Research like that of Stanford's BJ Fogg shows that behavior change starts with engagement and repeated practice. The act of recognizing and reporting phishing simulations is a behavior that can be conditioned with the repeated, realistic practice of spotting telltales of social engineering attacks and reporting them with a simple and rewarding process.
In fact, the most tell-tale sign of human cyber-risk is disengagement, not phishing simulation failure rate. If people aren’t engaged and actively reporting threats, they aren’t learning. So begin conditioning cyber-positive behavior at the biggest, and most easily correctable, point of risk: email.
“Prior to working with Hoxhunt and putting the model in process that we have in place today, only about 10% of our employees that worked with computers on a regular basis were actually reporting phish during our simulations. Post implementation of Hoxhunt, we’re somewhere between 65 and 70% of the company, which is really entitlement. That’s roughly the size of the population that uses a computer on a day-to-day basis. Just getting that type of increase in engagement is a win.” – Ryan Boulais
“I think the adoption numbers show that people love it. I personally got one this morning and I love it. I love winning.” – Angie Wyatt, Director, Global Digital Workplace Experience & Collaborations
Step 4. Target user experience with relevant, high quality phishing simulations
Meet people where they’re at to bring them where they need to be. Cybersecurity is a scary, complex topic. Training needs to be fun and tailored to the individual. Keep security lessons, phishing simulations and their micro-training add-ons short, sweet, and relevant. They should reflect the types of phishing attacks making the rounds, and they should be relevant to the user’s work, skill-level, and background.
Resilient behavior doesn’t stop at training. The important thing is how people react to the real thing. Make sure it’s easy and rewarding for people to report a real suspicious email with the same button as they use for phishing simulations. The Instant Feedback feature tells them in real time whether it was a phish or not, and issues a gamified reward. It’s a real kick when you learn a new skill that is protecting yourself and your company.
“What I love most about Hoxhunt is the reality of the cases that come through. And people will call and say, I got one. You’ll never guess what this one was. And they’re just amazed by the creativity and the realness of it. And then they feel smarter because they’ve identified it and turned it in.” – Angie Wyatt
Step 5. Try gamified phishing training
Gamified training should be fun and motivating but gamification is not all about, well, fun and games. Gamification is a scientifically validated model for conditioning desired behavior by rewarding people for taking specific actions to specific cues. Eventually, cybersecurity behavior becomes a matter of instinct and habit. The Hoxhunt training platform automatically rewards users' progress with stars and skills-badges. AES made sure that top performers are displayed on leaderboards and celebrated in company communications to foster a culture of cyber role models.
“Doing the gamification has now put the users in the driver’s seat. They have become cyber role models, so they’re more inclined to report phishing emails to us than they were in the past.” – Rodrigo Garcia
“The gamification and the involvement of making people feel they’re part of this program, not being something that they’re forced to do, it’s something that they’re able to do: people are more comfortable hitting that button. When in doubt, hit the button, submit it to Hoxhunt.” – Angie Wyatt
Step 6. Secure leadership buy-in and create an incentive system
Change management works best when leadership is all-in. Make sure that leadership understands the value of your program, and get them active in it. It’ll open up the conversations and budget you need to get the whole company participating.
The AES leadership literally bought in to the program with a structured incentive system around employee training performance.
“We had some very good conversations with our executive leadership team before (launching the program). And one of the things that we put in place is as the gamification piece plays out, if you’re in the top ten of earning stars for the quarter, then everyone can see what that looks like on a dashboard. And we increase your bonus at the end of the year as a result of that.” – Ryan Boulais
Step 7. Message yourselves as a business-enabler
When everyone sees security as a business enabler, they come to see security culture as a shared responsibility.
“I like us being referred to as Dr. How rather than Dr. No. I think this is really a way to help facilitate other conversations from a cybersecurity program and the other things that we're doing and other ways that we are enabling the company, whether it's in cloud, whether it's in operations, on the renewable side… Those conversations are easier to have because people are more aware of what we have to offer from a cybersecurity or global cybersecurity team.” – Ryan Boulais
Step 8. Build a cross-functional program team
Get people who involved who can help maximize engagement by improving user experience and optimizing messaging and communications.
AES got their C-suite on board, and went around the company to secure buy-in to the program. Some companies might also join, for example, HR and communications with their awareness program.
“Using that human risk management model, we put a program behind it. So we partnered with our teams across digital, across communication, across change management, and across our cyber teams, of course, to really do a whole of company approach to solving cyber awareness. And using ‘all together' as our model there, we were very intentional on the way that we rolled it out, engaging with the key business partners to really make this core to what we’re doing and to make, frankly, cybersecurity and safety as our first value.” – David Badanes
Step 9. Automate operations and focus on what matters most
AI and automation are cybersecurity buzz words that some vendors take major liberties in interpreting. But with an AI-enabled human risk management platform at their disposal, AES was able to measurably automate their program--from operations to reporting to incident response--in terms of hours saved against training and incident response automation delivered.
“We were looking for something that could frankly free up some of our time to work on more pertinent issues, but also to create a culture of cybersecurity. And that’s what Hoxhunt helped us do.” David Badanes
Step 10. Focus on real threat detection
This is step 10, but it could be step 0. The ideal outcome of a phishing attack is a threat report. It removes the danger from the system and alerts security so they can scurry an accelerated incident response. The whole reason for a security training program is to give people the skills and confidence to do the right things in tough situations. Make sure the program's ultimate focus is on threat reporting behavior change in the training; and that you have in place automated systems and processes for responding to the deluge in real threat reports that will come as a result of that behavioral and cultural transformation.
“The reported real phish coming in and the reporting through Hoxhunt is an area that we’ve seen lots more engagement because people are more aware now and they realize that, hey, it’s more important to to report than not.” Ryan Boulais
AES saw a huge surge in their threat feed, and realized that cultural transformation had occurred. They made that threat intelligence actionable, at scale, via the Hoxhunt Response platform. It automatically orchestrates the threat feed data so that the SOC team can prioritize real incidents. This has greatly accelerated their response times and augmented the quality of their work.
“Hoxhunt has reduced our workload by having the escalations come to my team when the response module gives us actionable incidents versus looking at all the phishing that comes through and trying to figure out the one we need to go look after. We don’t have to look through every single phishing email that gets reported. We can focus on the ones are actionable and prioritize those and also take care of the campaigns that come in because Hoxhunt automatically loops them together.” – Rodrigo Garcia