Here’s why measuring employees’ cyber behavioral risk is not optional

By Yariv Hazony

February 7, 2022

It is a more or less known (yet still alarming) fact that human error is the common denominator found in the aftermath of most cyber attacks.

Actually, it is a major contributing cause in 95% of all cybersecurity breaches. This means that 19 out of 20 recorded breaches wouldn’t have occurred if it weren’t for human error, be it due to lack of knowledge, oversight, irresponsibility, or on a whim.

Alarming and encouraging at the same time. By nature, people aren’t looking to cause trouble. Human error is typically a result of oblivious/negligent/arrogant behavior. And behavior can change. Organizations have more power over preventing attacks than most are aware.

And speaking of awareness, that is the key to changing. It’s all about addressing the cyber behavioral risk within the organizloyee be aware of what requires improving. You’ll be able to take control and establish a robust cyber security defense posture, eliminating your largest risk, from within.

You may think that traditional cybersecurity training should do the trick. Unfortunately, that simply doesn’t cut it. Here’s why (and what you should be doing instead).

The problem with traditional cybersecurity awareness training

Regular security awareness training sessions often have serious flaws in their practical execution.

More often than not, they use the one-size-fits-all approach and just throw overwhelming training materials at employees, without providing them with the proper context: their individual risk to the organization’s entire security.

Most employees simply aren’t aware that at a subjective level they’re jeopardizing the entire organization, in terms of its online and IT sphere, undermining its security and opening its door to malicious actors. Such risky behavior is influenced by cognitive biases that are the result of our brain’s effort to make sense of the complex problems it encounters.

It is these cognitive biases that hackers rely on when deploying carefully designed social engineering and other methods to attack.

The traditional training methods lack two key critical components:


Not all behaviors are equally risky or dangerous. When educating teams with a goal of trying to change their cyber behavior, the critical point of failure is that if everything is considered “mission-critical”, nothing is. In other words, when training employees about every single general or specific risk, red flag, rule, policy, and proper practice, the risk is getting important lessons lost in delivery (or soon after).

We are all only human. None of us have the capacity to memorize everything, especially when the things we’re trying to learn don’t feel very relevant to us or what we do.


Traditional training methods don’t focus on the individual. Employees often receive cybersecurity awareness training in the form of a generic lesson. This fails to acknowledge that employees are individuals, with differences in personality, cognitive, and behavioral traits that are reflected in their cyber security behaviors. The way to impact one person’s behavior is different from another’s.

An equivalent would be two people with different problems going to the same therapy session with a psychologist. What would the outcome of such a session be? Probably better than not treating the issues at all, but far from ideal (not to mention that people going to therapy have already overcome the awareness gap, while employees needing to change their cyber behavior are by nature unaware to begin with).

Each employee’s behavior needs to be properly evaluated and understood in terms of individual differences, the organization’s cybersecurity chain, and context. The answer to both the prioritization and personalization issues lies in considering personal roles, positions, individual traits, and cyber behavior, and in personalizing security training to tailor it to each employee’s risk.

Measuring and risk scoring from a human centered approach

It all starts with measuring each employee’s cyber behavior.

Traditionally, risk measurements have focused on technical risks, using methods such as vulnerability scans or penetration tests of operating systems, applications, and networks.

Today, the focus has shifted to the human factor, measuring cultural and human vulnerabilities. This means measuring each employee’s knowledge, crucial security behaviors and interactions, against organizational policies.

It’s about assessing more quantitative elements, such as what data the employees handle, and addressing those directly.

Proper behavioral risk score measurement needs to include three key elements:

Predictive data modeling: using mathematical and computational methods to create predictive models that calculate what behavior poses the most significant cyber risk (remember what we said about prioritization?).

This process examines current and historical datasets of employee behavior to make predictions and take remedial measures to prevent future risky behavior before it happens.

Contextual data analysis: examining small pockets of information such as the person’s specific resources, role and position, alongside psychological data, enabling meaningful interventions and controls toward changing risky habits, at a personalized level.

Impact analysis: a feedback loop of measuring and assessing the change in cyber behaviors of employees after these activities have been carried out, and correcting constantly.

Take control of cyber behavior

It is our human nature that allows cyber criminals to get the better of us.

To get (and stay) ahead of these shady characters and minimize your employees’ cybersecurity mistakes, you need to sprinkle some behavioral science and measure the cyber behavioral risk in your organization, in a way that enables you to personalize and prioritize training, at an individual level.

Combining all of the elements of proper behavioral risk scoring – prediction, context, and impact analysis – will help you achieve this goal by helping your employees exactly when and where they need it most with the security communication and policies tailored to their risk.

This is your only way to turn your employees into your defenders and stand a chance against 95% of attacks looming over your head.

Dcoya packs its personal cybersecurity programs into a single platform that is fully automated, centrally managed, and operational out-of-the-box.

