As the curtains close on our recent webinar series, "The Human Element: The Science Behind Influencing Security Behaviors," it's time to reflect on the wealth of knowledge that has been shared.
I had the chance to be one of the hosts of this series, welcoming an all-star roster of cybersecurity thought leaders like Jessica Barker and Dominick Frazier (Mr. Security Awareness), who offered practical strategies for mitigating risks and fostering a security-centric culture within organizations.
Let’s recap the four sessions and distill the key insights gained from our in-depth exploration of human behavior in reducing cybersecurity risk. If you have missed any of the webinars, you will also find the recordings below!
Session #1: Removing Friction to Change Behavior
In our inaugural session, Sarah Aalborg, Chief Information Security Officer at Tivoli, and I dissected the impact of friction on human decision-making and the importance of reducing obstacles hindering secure behaviors.
Ultimately, human risks in cybersecurity are driven by behaviors: the risky behaviors people take, and the secure ones they don't.
Our subconscious minds have been hardwired through thousands of years of evolution to choose the path of least resistance and avoid friction, which is often what leads us to take risky behaviors.
Before we can begin to design security training that reduces human risk, security teams must identify the obstacles that hinder secure behaviors. Sarah defined the 5 most common categories of friction:
- Process – are the processes to behave in secure ways intuitive and simple to comply with?
- Organization – is it clear who has responsibility for taking certain actions?
- Culture – is there social acceptance of the desired behavior? Are employees motivated toward this desired behavior?
- Equipment – do employee have what they need to behave in secure ways?
- Target group – are there specific employee groups that might have different factors?
It's key that security awareness managers - and security teams in general - analyse the behaviours they want to create or hinder in regards of these categories at their organization. Only then can they begin designing solutions with less (or more) friction to guide employees to take the most secure path.
Sarah compared the process of designing security paths similar to curling in that way. Once the curling stone is released, the sweeper uses the tools they have to add or remove friction along the path that they want the stone to take, on its way to the target.
Security awareness managers can use different tools to add or remove frictions that move individuals along the path to desired safe behaviors.
Watch the full session here:
Session #2: Security Culture Eats Human Risk for Breakfast
In a dynamic panel discussion featuring Dominick Frazier, Jessica Barker, and myself, we delved into the relationship between an organization’s security culture and its human risk.
Drawing from our collective expertise, we all underscored the pivotal role of a robust security culture in awareness training participation and recognizing and reporting real threats, especially in global organizations like H&M.
Jessica highlighted how different organizational priorities and expectations can have a big effect on what kind of security behaviors an organization might see. For example, some employees may fear clicking any links in any email, which is a negative result of a culture where phishing simulations are seen as a trick rather than helpful training.
As the Head of Security Education & Awareness at Meta, Dominick’s talking points related to how a robust security culture can be seen as an important strategic business advantage at a large, public company.
Showing ROI in security awareness for Dominick largely comes from assessing the costs of previous security incidents and estimating how much reducing these incidents would save the company. Speeding up the time to respond to an incident is a key metric to prioritize here, and having a security culture where employees feel bought in and personally responsible for an organization’s security can really help reduce that time and save the company millions.
Together, we attempted to define the components of security culture, which are knowledge, attitudes and behaviors at a high-level. But many sub-components enter the picture, such as psychological safety and transparency.
By fostering an environment of open communication, personal ownership, and continuous learning, organizations can cultivate a security-centric ethos that increases the effectiveness of awareness training to protect the company against human-based threats.
Watch the full session here:
Session #3: 10 Steps to Award-Winning SAT Metrics
In the next session, David Badanes (Director of Cybersecurity) and Ryan Boulais (CISO) from The AES Corporation sat down with Eliot Baker from Hoxhunt to provide a blueprint on how to use the right metrics to achieve award-winning security behavior change results.
The duo presented a first-hand account of AES's journey from low engagement with legacy vendors to stellar reporting rates with Hoxhunt, all cumulating in recognition at the prestigious CSO50 conference in October 2023.
From a meticulous program roll-out and execution to embedding security into corporate culture, AES implemented a series of initiatives driven by SAT metrics:
- Onboarding rate: they went location-by-location to secure buy-in from managers and employees during the pandemic to enroll all computer-using employees into the security training program.
- Engagement rate: They moved their engagement rates from 10% with their compliance-based SAT tools, to over 65% with Hoxhunt in a matter of months.
- Threat reporting: They prize this metric above all when communicating risk reduction and behavior change to management.
- Resilience rate: A dashboard metric to capture overall risk posture: Reporting rate divided by failure rate. Their RR soared by 30X within one year.
- Proverbial water cooler rate : Going partly beyond metrics, the positive feedback for the program has been transformational on AES culture, as supported by company newsletter open rates that skew the data so highly that the comms team needs to separate the cyber news from everything else.
They achieved buy-in from employees as well as top management, to the point that top cybersecurity training performers are rewarded with a quarterly bonus and recognition in a popular company newsletter.
Their success story serves as a testament to the effectiveness of combining hard metrics with the human touch in driving behavioral change and cultural transformation.
Watch the full session here:
Session #4: The Building Blocks for Behavior-Based Training
In our final session, I had the pleasure of showcasing groundbreaking advancements in behavior-based training technology alongside Ilmari Kontulainen, Hoxhunt's Senior Product Manager.
Hoxhunt’s Human Risk Management framework really focuses on the process of building and executing a plan to reduce human risk. Put simply, it starts by identifying and evaluating human risks, then designing and deploying interventions to address those risks, and finally, measuring and communicating the impact of those interventions.
Identifying the sources of your human risk can be the trickiest part of the process. Typically, you’ll want to conduct an initial diagnosis of your security culture, including your colleagues' knowledge of secure behaviors, their attitudes toward cybersecurity initiatives, and most importantly, their actual behaviors. You can collect data on these areas from quizzes, surveys, your phishing simulation tool, and other third-party security tools (EDR, CASB, Defender…).
From there, these interventions should be designed to be positive, targeted, timely, and contextual. Based on decades of behavioral science research, security programs modeled in this way can maximize employee motivation and engagement. But not all initiatives should target motivation, as no amount of motivation can reliably influence behaviours: we also need to remember to make security easy.
The last step is important: measuring your impact, and sharing these metrics and stories with various stakeholders, from employees to top management. Reporting updates on risk reduction impact to top management will emphasize the importance of cybersecurity initiatives to secure more buy-in and help influence the rest of the company from the top down.
Additionally, employees want to know that their effort is contributing to the success of the company. Providing feedback and telling stories that emphasize the impact they have on the company’s security profile helps establish personal ownership and responsibility to help out, whether that be by completing a training or reporting a suspicious email.
By harnessing AI-driven insights and personalized feedback mechanisms, Hoxhunt helps organizations tailor training to individual learning needs by delivering relevant training moments when specific behaviors are triggered. This will enhance employees' cybersecurity skills and foster a culture of continuous learning.
Watch the full session here:
Changing security behaviors with Hoxhunt
In conclusion, the 4-part webinar series illustrated that the interplay between human behavior and cybersecurity resilience is complex, but that we have solutions for managing this challenge today. With 80% of breaches involving the human element, we must embrace the science behind influencing security behaviors, backed by solid data-driven approaches.
I hope you found these webinar series as insightful and inspiring as we did at Hoxhunt. Now let’s bring back these learnings into our organisations to significantly reduce the human risk in cybersecurity.