Addressing human risk in your cybersecurity strategy
November 15, 2023 | By: Dr. James Norrie
Human Defense Platform – Distinguishing Ourselves From the Competition
Anywhere you look, everyone in our business is now talking about Human Risk Management. Around here, we say it’s about time! Because we’ve been talking about and innovating on this topic for years…
We all know one important fact: a majority of successful cybersecurity breaches involve humans and how they use technology. By exploiting a wide range of human behaviors (error, inattention, misintention, lack of action, distractibility, manipulation, or outright extortion), cybercriminals can quickly gain the access or data they desire. While some breaches may be intentional, as in the case of fraud, others may originate with a loyal but vulnerable accidental insider. What more proof of all this do we need than the 2022 Verizon Breach report, which tracked over 70% of successful breaches to a human factor?
And that is where our patented Human Defense Platform can help. We help you manage human factors risk better than any other method. Let’s find out why.
What Makes cyberconIQ THE Choice to Manage Human Risk?
As our chief product evangelist, I am asked what makes our approach to managing human risk so different. That is a valid question. My first answer lies in us being the ONLY patented security solution in the world to incorporate trait-based personality theory as the basis for understanding the online behavior of humans. We operate at the intersection of psychology and technology in a unique way that delivers proven results. Our platform uses a simple questionnaire to categorize users. This, in turn, helps them understand their unique personalities and explains their consistent patterns of thinking, feeling, and behaving while online.
We use this as a basis for everything else that follows, educating and remediating behavior by inspiring a voluntary change in action that embeds a security 1st culture® across your entire organization. We dramatically improve your security posture and lower breach risk to benchmark levels by making employees independently competent at security. Our laddered, layered, and personalized approach helps with review, recall, and strategic repetition over time to measurably improve their security awareness.
What Do Competitors Offer that Is Different?
Most competitors provide basic security training that is generic, memorization-focused, and, let’s face it, unengaging. We offer a “learning by doing” approach, though, because simply knowing is not applying. Just because we know that something is good for us does not mean we will consistently apply it – just ask anyone who has a New Year’s Eve resolution!
By not incorporating even the most basic elements of known behavioral science, legacy security training vendors do not solve the fundamental problems of human factor security risk. They only put a check in the box for delivering training. But does that change behavior? Of course not! If you don’t take personality into consideration, you train everybody the same way on the same risks. Since we don’t all behave and learn the same, the best we can do is accumulate facts. Perfect, we can define phishing, but not avoid it. However, our context-sensitive platform ties back to each user’s individual style and competence and motivates a change in behavior that lowers vulnerability to attack.
To claim they can do the same thing, some competitors focus on pedagogy with offerings like “just in time” training or “micro-lessons”. Just-in-time training is tied to detecting behavior that may be risky. While perhaps interesting and seemingly timely, what if a risky user never triggers the indicator needed to get their training, and ends up being the unfortunate source of your risk? The danger here is that we often assume there are behavioral triggers to online risk that will be consistently presented before the danger occurs; our research indicates otherwise.
And “micro-lessons” may sound efficient, but training that is too short may not actually deliver a sufficient base of knowledge to ever change behavior. These both lead to misplaced comfort that less training time, but delivered just in time, will improve global security outcomes over time. But it can’t, right?
This brings us to the application of another domain of behavioral science to security training, which is predictive analytics. There are lots of vendors exploring this space. But predictive analytics relies on big data, statistical algorithms, and embedded machine learning to make predictions – all of which are outputs from existing user behavior. To be even mildly reliable and insightful, you need a significant volume of distinct data sets from multiple angles to statistically model existing online behavior. If you have access to that rich data, predictive analytics could be a part of your security repertoire. But it cannot be the only method you use, or else you risk unpredictable behavior hurting you.
Why? This method will not predict previously unknown or unlikely behavior and cannot tie behavior to likely triggers. That is why we focus on trait-based personality theory which is rooted in theoretical frameworks that easily categorize and describe personality traits that shape and influence behavior before it occurs. Which one would you prefer and why? And which one do you believe is more likely to universally predict risky employee behavior – a model based on personal behavioral triggers, or one based only on observed past behavior? And then add this fact: just because somebody did something once, do they always do it again? If so, why do we even bother focusing on remediating detected behavior at all?
So What Is the Optimal Approach to Managing Human Risk?
For large enterprises especially, a combination of both predictive analytics and personality assessments may be beneficial. For example, you could use predictive analytics to forecast general and system-specific online behavior and then incorporate personality traits to understand the underlying motivations or preferences driving those behaviors. You could predict where more data loss prevention (DLP) instances are likely to occur based on past behavior, and then target remediating those risky behaviors more quickly in that specific user population through personalization.
Our patented Human Defense Platform incorporates everything you are currently doing with any source, vendor, or method and integrates it into our proprietary risk quantification and remediation methods. We help you apply cybersecurity information engineering to establish visible metrics that make the most sense to focus on, report, and manage for maximum impact. We help you establish a risk-adjusted ROI to defend and extend your security investment by tying it to improved business results. And we ensure you reduce total training time while improving training outcomes, building a case for support for your security efforts.
To access a demo of the most comprehensive human risk management platform offered today, please contact us at sales@cyberconIQ.com. Or peruse our website and learn more about our patented, proven methods that can also work for you!