How to Reduce Human Risk: Best Practices for Security Teams

Traditionally, we've relied of security awareness and training to keep on top of threats.

But as attacks grow in sophistication, this approach just isn't enough.

This is why cybersecurity teams are adopting 'human risk management'.

Human risk management focuses on outcomes instead of just compliance and quantifies the risk of human behaviors.

In the guide below, we'll cut through the jargon and take a deep dive into this new approach to risk management.

We'll look into the behaviors to watch out for, how to assess risk and all the strategies you need to tangibly reduce human risk across your organization.

‍

First off, let's define human risk

📚 Quick definition: Human cyber risk is a term used to describe the vulnerabilities that arise from human behavior, decisions, and actions that can compromise your organization's security.

Unlike technical vulnerabilities, which can mostly be mitigated with software, human cyber risk is inherently tied to how individuals interact with technology...

Making it much harder to combat.

Today, companies are mostly secure on the technical level. This is no longer the easiest way for criminals to access your company's resources.

To push people to make errors, criminals also tap into employees´ emotions, such as curiosity, carelessness, urgency, and fear.

They know that one employee error could be enough to carry out a successful attack, especially if some technical defenses are also missing.

People’s careless actions or the fact that they are uninformed are the second most likely cause of serious data breaches, right after malware, according to Kapersky.

You can't completely eliminate human risk...

Humans will always be humans and make occasional mistakes.

But you can put strategies in place to measure and significantly reduce this risk.

‍

The role of human behavior in security incidents

For most organizations, human error remains the weakest link in the cybersecurity chain.

Here are some of the ways in which behavior directly impacts security...

Phishing and social engineering

When it comes to human behavior, one of the most significant risks is social engineering attacks.

Cybercriminals exploit human vulnerabilities by crafting deceptive emails, messages, or phone calls to trick individuals into giving away sensitive information or clicking on malicious links.

A single employee's mistake in falling for a phishing scam can lead to significant breaches...

The average cost of a data breach in the U.S. amounts to $9.48 million.

Long gone are the days when it was easy to spot a phishing email.

Nowadays, you really need to stay alert and think critically to spot a difficult attack.

Our latest analysis on why 20% of GitLab’s employees failed the phishing test is a good example of this.

Example: In 2016, FACC, an aerospace parts manufacturer, fell victim to a phishing scam. Cyber attackers, posing as the CEO, instructed an employee to transfer €42 million to a foreign account

Lack of security awareness

Many security incidents occur because employees lack awareness of basic cybersecurity principles.

This could be poor password practices, failing to recognize suspicious activity or not keeping their software updated.

Example: In 2019, Capital One suffered a data breach affecting over 100 million customers. The breach was attributed to a misconfigured web application firewall,

Insider threats

Insider threats (whether intentional or accidental) pose a significant risk.

Employees with legitimate access to sensitive information can misuse that access, either for personal gain - or more often than not, inadvertently through negligence.

An employee might click on a malicious link or download an unauthorized application, introducing vulnerabilities into the system.

Example: In 2019, Desjardins Group, a Canadian financial cooperative, experienced a massive data breach caused by a malicious insider. An employee with legitimate access to the company's data systems stole personal information of 4.2 million members.

Poor password hygiene

Weak passwords and the reuse of passwords across multiple accounts are common behaviors that compromise security.

Attackers can exploit these habits through techniques like brute force attacks or credential stuffing.

Example: The 2017 Equifax breach, which exposed the personal information of 147 million people, was partly due to poor password management practices, including the use of weak, easily guessable passwords.

Why does human risk matter? A quick look at the numbers

• Human error is the main cause of 95% of cyber security breaches.

• The average cost of a data breach was $4.45 million in 2023, the highest average on record.
• 57% of organizations see weekly or daily phishing attempts, and $17,700 is lost every minute due to a phishing attack.
• Cyber fatigue affects around 42% of companies.

• 123456 remains the most popular password in the world, and 45% of people reuse the password of their main email account on other services.
• 53% of users haven’t changed their passwords in the last 12 months.
• 44% of users reported recycling passwords across personal and business-related accounts.

‍

Do companies address human risk in the right way?

Without adequately addressing the human element, no cybersecurity strategy is really complete.

While we have seen that there is an increasing demand to address human risk in organizations, companies often still focus on the wrong things.

What do companies do today to increase their resilience?

• They rely on policies that are impossible to enforce, especially when the employee count is over 1000.
• There’s too much focus on creating awareness. It’s not enough to know that there are threats. Cyber attacks are quickly evolving, and employees won't be prepared without proper training.
• There’s negativity around security. Those that fail could face punishment. This results in the ‘hide-and-seek’ problem. If you don’t know that something happened, you cannot start working to fix the issue.
• Security awareness training programs are often lacking in practice. There’s a difference between knowing what to do in theory and being able to do it in real life.

To build genuine resilience, changing the behavior of users is a must.

People must be trained properly to acquire the skills to take the right action.

A lot of companies fail to address the necessity of a security culture where security teams and people cooperate so that assets can remain safe.

Common risky behaviors to be aware of

Password mismanagement

Passwords are the first line of defense in protecting your organization... but are often mishandled.

Common issues include:

• Weak passwords: Using simple, easily guessable passwords like "password."
• Password reuse: Using the same password across multiple sites, which can lead to widespread compromise if one site is breached.
• Failure to update passwords: Not regularly changing passwords or updating default passwords provided by systems.

Neglecting software updates

Ignoring or delaying software updates is a common behavior that leaves systems open to potential threats:

• Outdated software: Failing to install updates and patches, which can contain critical security fixes.
• Ignoring security warnings: Dismissing alerts or reminders about necessary updates or potential security issues.

Unsafe browsing habits

Browsing the internet without caution can lead to cyber attacks:

• Visiting malicious websites: Accessing sites that are known for distributing malware or engaging in phishing.
• Downloading unverified software: Installing software or applications from untrusted sources, which may contain harmful code.

Inadequate data handling

Improper management of sensitive data can result in significant security incidents:

• Unencrypted data storage: Storing sensitive information in plaintext without encryption.
• Improper data disposal: Failing to securely erase data from devices before disposal or recycling.

Plugging in unverified devices

Using external devices without verification can lead to potential threats:

• USB drives: Inserting unknown USB drives into computers can introduce malware.
• Charging stations: Using public charging stations without caution, which may be compromised to steal data (a practice known as "juice jacking").

Lack of security awareness/ strong security culture

A general lack of cybersecurity awareness and training contributes to many of these risky behaviors:

• Ignoring security protocols: Not adhering to established security policies and guidelines.
• Complacency: Assuming that cybersecurity is solely the responsibility of IT departments.

How to assess your human risk

Before fleshing out your human risk management strategies, you'll need to gauge where you're currently at with a comprehensive risk assessment

To assess your organization’s human cyber risk, you can begin by identifying vulnerabilities related to employee behaviors, knowledge gaps, and compliance with security policies.

Conduct a security awareness survey

A cybersecurity awareness survey can give you some basic insights into the current level of understanding and practices among employees.

• Knowledge assessment: Evaluate employees' knowledge of basic cybersecurity principles, such as recognizing phishing emails, password management, and data protection practices.
• Behavior analysis: Identify common risky behaviors, such as using personal devices for work purposes, downloading unverified software, or ignoring software updates.
• Perception of risk: Gauge how seriously employees take cybersecurity threats and their perceived importance of adhering to security protocols.

Perform phishing simulations

Simulated phishing attacks can help you understand how susceptible your employees are to phishing by testing them with realistic attacks.

• Email phishing tests: Send controlled phishing emails to employees and track the response rates - who clicks on the links, who reports the email, and who ignores it.
• Training response: Use the results to provide targeted training for employees who fall for the simulations.

Analyze password practices

Assessing how employees manage their passwords is crucial for identifying vulnerabilities.

• Password audits: Review the strength of passwords being used across your organization and check for instances of password reuse.
• Password policies: Ensure that strong password policies are in place and that employees are encouraged to use password managers.

Review software update compliance

Evaluate how well your organization keeps its software and systems up to date.

• Patch management: Check the status of software updates and patches across all devices and systems.
• Employee adherence: Determine whether employees are regularly updating their devices and applications or if there are gaps that need addressing.

Assess data handling practices

Examine how sensitive information is managed within your organization.

• Data encryption: Verify that sensitive data is being encrypted both in transit and at rest.
• Data disposal procedures: Check that proper procedures are in place for securely erasing data from devices that are being decommissioned or recycled.
• Access controls: Ensure that access to sensitive information is restricted to authorized personnel only and that role-based access controls are effectively implemented.

Conduct regular security training

Regular training sessions are essential for maintaining a high level of cybersecurity awareness.

If training isn't frequent enough, it's unlikely to work.

• Training frequency: Evaluate how often employees receive cybersecurity training and whether it covers the latest threats and best practices.
• Training effectiveness: Measure the effectiveness of these training sessions through follow-up assessments and practical exercises/simulations.

Establish a reporting mechanism

Create a clear and simple process for employees to report suspicious activities or potential security incidents.

• Incident reporting system: Ensure there is a user-friendly system in place for reporting incidents.
• Encourage reporting: Make sure employees feel comfortable reporting security concerns without fear of repercussions.

Quantifying human cyber risk: what metrics should you measure?

Below are some of the metrics you can look at to quantify your human risk levels.

Phishing and social engineering

• Phishing susceptibility rate: Percentage of employees who fall for simulated phishing attacks.
• Reporting rate: Percentage of employees who report phishing emails.
• Response time: Average time taken to report a phishing attempt.

Password management

• Password strength score: Average strength of passwords used by employees, assessed using a scoring system that considers length, complexity, and uniqueness.
• Password change frequency: Average time between password changes across the organization.
• Password reuse rate: Percentage of employees reusing passwords across multiple systems.

Software updates

• Patch compliance rate: Percentage of systems and applications that are up-to-date with the latest security patches.
• Average patch time: Average time taken to apply critical security patches after their release.

Data handling practices

• Encryption usage rate: Percentage of sensitive data that is encrypted both in transit and at rest.
• Data disposal compliance: Percentage of devices that follow secure data disposal procedures.
• Access control violations: Number of incidents where unauthorized access to sensitive data is detected.

Regular assessments

Regularly assess these metrics to monitor the effectiveness of your cybersecurity measures and identify trends over time.

• Surveys and questionnaires: Periodically survey employees to gauge their cybersecurity awareness and behaviors.
• Simulations: Conduct regular phishing simulations, password audits, and other tests to evaluate real-world behaviors.
• Automated monitoring: Use security tools to continuously monitor and report on compliance with security policies and practices.

‍

Best practices for reducing human risk

Ensure your security training is actually effective

If you want to measurably change behavior, your training needs to be effective.

Unfortunately, not all training was created equal...

Some solutions will directly impact outcomes and some won't.

Here are a few core features of training that works:

Regular training sessions: To have any real impact on behavior, training needs to be continuous and frequent. If you're shopping around for a new vendor, keep an eye out for the quantity of phishing simulations they offer.

Personalised, role-specific training: Training isn't a one-size-fits-all solution. Make sure content is being adapted to each employee's role, location and cyber knowledge level.

Engaging content: Training should be short, interactive and ideally integrated into employees' workflow so that their day-to-day work isn't disrupted.

Positive reinforcement: Rewarding employees for positive behavior is essential for moving the needle on human risk. When employees are rewarded for reporting simulated attacks, they'll be more likely to report real threats that may pop up in the future.

Foster a security-conscious culture

Creating a company culture for security will significantly reduce human risk over time.

Prioritizing a positive security culture will build resilience and empower employees to help protect your organization.

Here are the basic components of a strong security culture:

Leadership commitment: Ensure that leadership demonstrates a commitment to cybersecurity, setting an example for the rest of the organization.

Open communication: Encourage open communication about security issues and make it easy for employees to report suspicious activities without fear of repercussions.

Recognition and rewards: Recognize and reward employees who demonstrate positive security practices.

Develop concrete security policies

Clear and enforceable policies are needed to put your human risk management strategy into action.

Password policies: Implement strong password policies that require complex passwords, regular changes, and the use of password managers.

Data handling policies: Establish guidelines for the proper handling, storage, and disposal of sensitive information.

Device usage policies: Define acceptable use of personal and company devices, including BYOD (bring your own device) guidelines.

Use security tools to reinforce your policies

Leveraging security tools can help support your efforts and automate manual work.

Multi-factor authentication (MFA): Require MFA for accessing sensitive systems and data to add an extra layer of security.

Email filtering and anti-phishing tools: Use email filtering solutions and anti-phishing tools to reduce the likelihood of successful phishing attacks.

Endpoint security: Ensure all devices have up-to-date antivirus and anti-malware software installed.

Data encryption: Encrypt sensitive data both in transit and at rest to protect it from unauthorized access.

Monitor and analyze security incidents

Continuous monitoring and analysis will help your security team quickly identify and respond to threats.

Security information and event management (SIEM): Implement SIEM solutions to collect, analyze, and respond to security events in real-time.

Incident response plans: Develop and regularly update incident response plans to ensure a swift and effective response to security incidents.

Root cause analysis: After an incident, conduct a thorough root cause analysis to understand what went wrong and how to prevent future occurrences.

Encourage good cyber hygiene practices

Promote everyday practices that contribute to better security.

Regular software updates: Ensure all software and systems are regularly updated and patched to protect against known vulnerabilities.

Secure browsing practices: Educate employees about secure browsing habits and the risks of downloading software from untrusted sources.

Physical security: Emphasize the importance of physical security measures, such as locking screens when away from desks and securing sensitive documents.

Establish clear reporting mechanisms

Make it easy for employees to report security concerns and incidents.

Anonymous reporting: Provide a way for employees to report security concerns anonymously if they prefer.

Clear procedures: Establish clear procedures for reporting incidents and ensure all employees are familiar with them.

Quick response: Ensure that reports are quickly acted upon and that there is a feedback loop to keep employees informed about the resolution of their reports.

‍

How to get the most of out of your phishing simulations

Whilst there are a few ways you can measure human risk, simulations will give you a direct insight into how employees would respond to the latest real-world attacks.

The Aberdeen Group found that companies with simulation training in place experience a 50% decrease in successful phishing attacks.

Below are some of the ways in which you can optimize your phishing simulations:

Ensure simulations are up-to-date

The cybersecurity landscape is constantly evolving.

Every year new types of attacks are emerging...

And they're only growing more sophisticated and harder to spot.

So, make sure your simulations include the latest threats so that you don't get caught out.

Psst... Hoxhunt helps you stay on the cutting edge of the constantly evolving threat landscape - our global threat intel team turns real phish into powerful phishing simulations.

Use simulations to build personalized learning paths

Positive reinforcement and reward systems forge strong security cultures.

If an employee keeps failing simulation exercises, you might need to take a step back and send out easier attacks for them to spot.

Once they start to feel confident and motivated again, you can then slowly increase the difficulty of attacks. 

Watch out for missed simulations

When companies first begin with Hoxhunt, they'll usually have:

• A failure rate of 25%

• A success rate of 4%

• And the rest are missed.

Missed simulations are a significant unknown when it comes human risks.

Most traditional, failure-focused training programs may spin this as a positive...

But a high miss rates generally means a higher risk of breaches.

We'd recommend that you track these 5 metrics too:

• Miss rate: The phishing simulations that they neglect for whatever reason.
• Success rate: The phishing simulations that are correctly reported
• Real threat reporting: The number of real phishing attacks- per-user that get reported
• Engagement rate: the proportion of the organization who are enrolled and participating

Reduce human cyber risk with Hoxhunt

Hoxhunt gives you individualized phishing training, automated security awareness training and advanced behavior change - all in one human risk management platform. 

Quantify your risk score: Our Cyber risk dashboard benchmarks your security program against other organizations.

Strengthen your security culture: Create a fun, rewarding experience that builds a culture of long-term engagement and dramatically improves security resilience.

Train users with instant, bite-sized lessons: deliver quick, in-the-moment micro-trainings that affirm good behavior and transform failures into fun and engaging learning opportunities.

Measurably change behavior: Change employees’ behavior with a solution that automatically optimizes training to their location, role and skill level.

‍

How to reduce human risk FAQ

How important is organizational security culture in reducing human cyber risk?

Organizational security culture is crucial in reducing human cyber risk. A strong security culture ensures that all employees, from decision makers to frontline staff, prioritize cybersecurity.

This culture can be cultivated through consistent communication, leadership commitment, and recognition of good security practices.

How can cybersecurity training be tailored to address specific human cyber risk factors?

Cybersecurity training can be tailored by using risk assessment data to identify specific human cyber risk factors within the organization.

Training content should be customized to address these factors, with a focus on high-risk groups and behaviors.

What tools can be used to monitor and analyze user-focused cyber risks?

Tools like Google Workspace and other collaboration platforms can be used to monitor user activities and identify potential cybersecurity threats.

Security information and event management (SIEM) systems, endpoint security solutions, and behavior analytics tools provide insights into risky user behavior and help in making informed decisions about resource allocation and corrective actions.

What are the benefits of using a cyber risk scoring system?

A cyber risk scoring system helps organizations quantify and prioritize risks based on their likelihood and potential impact.

This allows for optimal resource allocation and strategic action to mitigate the most significant risks.