case study

How a major Swiss insurance company changed behavior, integrated human threat detection into their security stack, and augmented protect-detect-respond capabilities

About

Industry: Insurance

Headquarters: Basel

Employees: Approximately 9,000 across Europe

Challenge

With a major migration to the cloud during the pandemic, this leading insurance company needed to stay ahead of the rapidly changing threat landscape with a security behavior change program that went beyond just awareness to actually managing human risk.

Solution

Seeking a people-centric approach, the company accomplished measurable human risk reduction via security behavior change on the gamified platform; their innovative, risk-based approach extended human threat detection to accelerated response and remediation.


Key results

  • Phishing simulation failure rate change: nearly 90% drop from baseline to 2.5% today
  • Participation rate: About 89% (very rare for a user base this large)
  • Phishing simulation reporting rate: 86.5%
  • Phishing simulation miss rate: about 10%
  • Resilience ratio score: 35.6 (89% engagement rate / 2.5% failure rate)
  • Augmented threat detection and response: Thousands of threats and spam reported each month are automatically analyzed and categorized, with real incidents elevated for accelerated response and remediation

“The most important part that Hoxhunt improves is the people part, and those processes and technologies that cost a lot are almost useless when people are the greatest source of risk,” said Manfred W., Information Security Officer. “Hoxhunt is different from the competition because it integrates the human layer with the technology layer. It connects people, processes, and technology. People must be in the center of everything and with Hoxhunt, the people are in the center and integrated as critical elements of the security tool stack.”

PEOPLE

Security behavior change and culture transformation

Before migrating to the cloud during the pandemic, the information security team performed manual awareness and phishing campaigns. But the threat landscape was evolving and their security program needed to innovate and expand along with it.

They needed to not only achieve compliance in a complicated regulatory landscape, but also to better manage their risk with minimal added burden of time or resources. All that, and build up a culture where people come first.

Enter Hoxhunt. The security team found the science-driven approach of behavior change via gamification to be compelling, and the Hoxhunt platform checked all the logistical boxes.

  • Language translations for every user group
  • Integration with Microsoft O365 and their network environment
  • Automation which, with Hoxhunt’s hybrid customer success model, optimized engagement and minimized time and effort on program management
  • Personalized learning journeys via AI-powered adaptive learning model
  • Compliance with complex regulatory bodies and with worker councils in, for example, privacy-minded Germany
  • Integrated threat detection and response platform capabilities

“People are the focus of a security program,” said Manfred W., Information Security Officer. “People are the key factor for everything. With cybersecurity you start by looking at reducing risk and that begins with people. But with Hoxhunt we also have integrated the people, processes, and technology of our security stack. I think that is a unique capability of Hoxhunt.”

Behavior change results were immediate and impressive. With most of their workforce onboarded with the help of the Hoxhunt Customer Success team, the phishing simulation fail rate plummeted within half a dozen phishing simulations, in under 3 months. During that time, the data reports let them map human risk across the organization with unprecedented visibility, in accordance with local data governance laws. This visibility enabled a tactical, risk-based approach to cybersecurity behavior change and risk reduction.

“We like to take a risk-based, targeted approach to managing human risk by identifying groups of users who are underperforming and helping them improve with extra support and training,” said Manfred. “The risk landscape might change along with the attack surface or the attack profile of employees, and in our experience Hoxhunt is a practical and dynamic tool that we use to activate our human firewall and to continuously train our people.”

After two years, their behavior change results describe a culture of sustainable resilience. Rates for user engagement, simulated phish reporting, and simulated phishing clicks (typically known as “failure”) are exemplary for a user base of over 9,000 people. Phishing simulation failure rate has fallen all the way down to 2.5% and held steady, despite progressively more challenging phishing simulations. Overall engagement rates have climbed to 89%.

An organization’s resilience score divides the engagement rate by the failure rate. It’s a better risk metric than the standalone failure rate, which ignores actual skill at recognizing and reporting a threat. Resilience scores are especially meaningful with Hoxhunt, where phishing simulations are designed to get harder as user skill level increases (this keeps training in the “zone of proximal development”). A strong resilience score is 12 (e.g. a 5% failure rate and a 60% engagement rate). Some companies get up to 20 (e.g. a 3% failure rate and a 60% engagement rate). With a 2.5% failure rate and an 89% participation rate, the Swiss insurance company has managed an exemplary 35.6 resilience score!

But there’s more to this story than awareness and security behavior change. What do you do, after all, once the skill of recognizing and reporting a threat becomes a reflex? People begin detecting real threats and suspicious emails; thousands of them. That human threat detection capability becomes an invaluable, often untapped resource.

The company took an innovative approach, connecting people to the center of the security stack.


PROCESSES

Instant Feedback, Feedback Rules, and human threat detection activate the human firewall


With Hoxhunt, the security team’s strategy of cybersecurity risk reduction was only beginning with behavior change. They leveraged the Hoxhunt platform’s Instant Feedback, Feedback Rules, and Response Platform solutions to go beyond awareness and augment their detect and respond capabilities.

Or, put another way: people became the strength of their security program. In a world where people are often mischaracterized as the weakest link in the chain of people, processes, and technology, that is a competitive advantage.

Employees were reporting thousands of emails as potential threats; many were real phishing attacks, some were SPAM, and some were just suspicious-but-not-malicious emails or cloud service notifications.

Manfred had an enviable problem: too much threat intelligence.

“What is interesting is not only the gamified training part of Hoxhunt, but also the reporting of real threats and SPAM, and that is what we are focusing on now,” said Manfred. “People are a tool for real threat detection, and that tool became much more useful when we started using the Hoxhunt Instant Feedback and Feedback Rules function.”

Basically, Hoxhunt can automatically analyze and categorize what is being reported into legitimate email, spam, or malicious threats. Using AI technology, Instant Feedback continuously analyzes millions of threats reported across the global network of Hoxhunt users and the platform learns what’s dangerous and what’s not. Then, in real time, Instant Feedback informs the user whether they’ve reported a malicious email, or SPAM, or a legitimate email or notification (in which case they can safely interact with the latter). This saves tremendous time for the security team, and a pop-up message immediately after the user’s reporting action further motivates user reporting behavior.

“We like that with Instant Feedback, it's not after two days (or much longer) that you get feedback. By then you have forgotten what you reported and any learnings have been lost because in the meantime many things have happened. You get it instantly.”

Moreover, with Feedback Rules, Manfred’s team could inform the Hoxhunt threat detection engine of any domains or specific emails that should be allowed or blocked. This reduces SOC analysis time and effort and frees up resources to focus on the real threats.

“Feedback rules improves our effectiveness and improves the use of cloud-based tools.”


TECHNOLOGY

Connecting an activated human firewall with an automated response platform


When he began using Hoxhunt, Manfred wanted to get as much ROI using as few resources as possible. His team needed to gain traction on the road to risk reduction with a limited budget. That’s where Hoxhunt has exceeded expectations.

The Hoxhunt response platform automatically categorizes and prioritizes reported threats. For example, if users report 2,000 of the same threat, that is automatically categorized and elevated to incident response in one package. Or if a threat has been detected from elsewhere across the Hoxhunt human sensor network, it is blocked and deactivated. Every time anyone detects a threat or reports a suspicious message, it makes the whole network smarter, stronger, and safer.

The automated response engine, informed by human threat intelligence, cuts down on the noise in the threat feed and accelerates response and remediation dramatically.
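The two mechanisms described above, Feedback Rules (team-supplied allow/block decisions for sender domains) and the response platform's grouping of thousands of identical reports into a single elevated incident, can be illustrated with a small triage routine. The following is an added example, not Hoxhunt's code; the rule format, the normalization used to recognize one campaign across per-recipient variations, the elevation threshold, and the sample reports are all constructed assumptions.

```python
"""Triage of user-reported emails: feedback rules, deduplication, elevation.

Added illustration, not the vendor's implementation. Rule tables, the
campaign-normalization scheme, ELEVATE_THRESHOLD and SAMPLE_REPORTS are
constructed assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib
import re


@dataclass
class Report:
    reporter: str   # who reported the message
    sender: str     # From: header as received
    subject: str
    body: str


# Constructed feedback rules: domains the security team has already vetted.
ALLOWED_DOMAINS = {"notifications.example-cloud.com"}   # known-good service mail
BLOCKED_DOMAINS = {"login-verify.example.net"}          # confirmed phishing sender

# Assumed: this many reports of one campaign turn it into an incident outright.
ELEVATE_THRESHOLD = 3


def sender_domain(sender: str) -> str:
    """Extract the domain from 'addr@dom' or 'Name <addr@dom>'."""
    return sender.rsplit("@", 1)[-1].lower().strip(">").strip()


def campaign_key(report: Report) -> str:
    """Hash a normalized form so per-recipient variants of one campaign match.

    Tracking links and invoice numbers differ per victim, so URLs and digit
    runs are replaced with placeholders before hashing.
    """
    text = (report.subject + " " + report.body).lower()
    text = re.sub(r"https?://\S+", "<url>", text)   # drop per-recipient links
    text = re.sub(r"\d+", "<n>", text)               # drop ids, amounts, times
    text = re.sub(r"\s+", " ", text).strip()
    raw = sender_domain(report.sender) + "|" + text
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def classify(report: Report) -> str:
    """Apply feedback rules first; anything else stays 'unknown' for analysis."""
    domain = sender_domain(report.sender)
    if domain in BLOCKED_DOMAINS:
        return "malicious"
    if domain in ALLOWED_DOMAINS:
        return "legitimate"
    return "unknown"


def triage(reports):
    """Group reports into campaigns and route each group.

    Returns dict with 'incidents' (reach incident response as one package),
    'queue' (single unknown reports awaiting analysis) and 'closed'
    (legitimate mail, reporter would be told it is safe).
    """
    clusters = defaultdict(list)
    for r in reports:
        clusters[campaign_key(r)].append(r)

    incidents, queue, closed = [], [], []
    for key, group in clusters.items():
        verdict = classify(group[0])
        item = {
            "key": key,
            "verdict": verdict,
            "count": len(group),
            "reporters": sorted({r.reporter for r in group}),
            "sample_subject": group[0].subject,
        }
        if verdict == "legitimate":
            closed.append(item)
        elif verdict == "malicious" or len(group) >= ELEVATE_THRESHOLD:
            incidents.append(item)   # one ticket for the whole campaign
        else:
            queue.append(item)
    return {"incidents": incidents, "queue": queue, "closed": closed}


# Constructed sample reports: one invoice-themed campaign reported by three
# people, one message from a blocked domain, two vetted service notifications,
# and one lone unknown message.
SAMPLE_REPORTS = [
    Report("alice", "billing@invoice-portal.example.org",
           "Action required: invoice 48213 overdue",
           "Pay now at https://pay.example.org/a1b2c3 before 5pm"),
    Report("bob", "billing@invoice-portal.example.org",
           "Action required: invoice 77120 overdue",
           "Pay now at https://pay.example.org/z9y8x7 before 5pm"),
    Report("carol", "Billing <billing@invoice-portal.example.org>",
           "Action required: invoice 10055 overdue",
           "Pay now at https://pay.example.org/q1w2e3 before 5pm"),
    Report("dave", "it@login-verify.example.net", "Password expiring",
           "Reset here https://login-verify.example.net/reset"),
    Report("erin", "noreply@notifications.example-cloud.com",
           "Your file was shared", "Open in https://cloud.example.com/doc/1"),
    Report("frank", "noreply@notifications.example-cloud.com",
           "Your file was shared", "Open in https://cloud.example.com/doc/2"),
    Report("grace", "sales@unknown-vendor.example.com", "Quick question",
           "Do you have 10 minutes this week?"),
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORTS).items():
        for it in items:
            print(f"{bucket:10} x{it['count']} {it['verdict']:10} {it['sample_subject']}")
```

Run as a script it prints one line per campaign rather than one per report: the three invoice reports collapse into a single elevated incident, the blocked-domain message is elevated on the rule alone, the two service notifications are closed as legitimate, and the single unknown message waits in the analyst queue. The normalization step is what makes the dedup work; without it the per-recipient invoice numbers and tracking links would produce three separate tickets.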

“We in cybersecurity talk about people, processes and technology as separate things, and we know very well the NIST framework and its components of protect, detect, and respond, and those have been traditionally kept in silos,” said Manfred.

What he wants other CISOs to know is that it is possible to break down the walls between people, processes, and technology. People can be put at the center to level up the whole security system. There is no better way to reduce risk and generate measurable results.
