The single greatest neglected area of cyber security is the human element. And I understand why: humans are not easy to deploy and configure the way technology components are. But the other side of the coin is a fantastic opportunity to improve security and stop breaches. For instance, helping people to think in terms of red flags such as:
- Urgency and Pressure
- Unsolicited Contact
- Unusual Requests from Known Contacts
- Requests for Sensitive Information
- Spoofed Credentials
- Unexpected Attachments or Links
- Requests to Circumvent Security Protocols
- Inconsistent Details in the Story
- Over-familiarity or Excessive Compliments
- Exploitation of Familiar Brands
- Overuse of Technical Jargon
- Promises of Insider Information
- Unverifiable Contact Methods
- Unusual Time of Communication
Human Risk Management (HRM) is the new term for security awareness training, and while I’m normally pretty jaded about things like giving old ideas a new name, I really do prefer HRM. “Security awareness training” conjures the image of a manager struggling to sound sincere when reminding an employee that they haven’t completed a stultifying session of multiple-choice answers on the company’s security awareness portal.
Human Risk Management captures several important aspects of this woefully neglected area of cyber security. The most important is the first word: this is about humans. And the human element is radically different from every other component of cyber security. Humans are dynamic, subject to emotion, easily bored and distracted, require motivation, and have a spirit that can easily be crushed by the weight of bureaucratic machinery.
HRM efforts must reflect this if they are to provide any return on investment beyond checking a box on compliance questionnaires.
HRM that works features:
- Helping users to recognize red flags
- Simulations that engage the user during their daily workflow, when they are facing all the distractions and pressures common to today’s work environment
- Real-life examples of attacks on your particular organization
- Demonstrations of how attackers use social engineering to manipulate emotions like fear and curiosity
- Continuous reinforcement
- Variety of formats
- Gamification to boost engagement and retention
- Measurement and adaptation
In this next Real Training for Free session, we will dive into the human side of cyber security. Roger Grimes will be joining me again; I’ve known Roger as a fellow cyber security guy for several decades. We will first show how HRM has a measurable, verifiable effect on an organization’s cyber security outcomes. Then we’ll discuss what it takes to build an HRM program that provides those results.
We will finish up by demonstrating KnowBe4’s HRM+ platform.