Friday, June 14, 2024

Translating the Value of Security Behavior Change to the C-Suite

The tactics, techniques and behaviors used by cybercriminals continue to evolve rapidly. Modern enterprises operate in an environment where human-targeted attacks bypass their technical layers with increasing volume, velocity, and vigor. Hence, humans have become the most critical component of successfully mitigating large volumes of malicious activity. Statistics from the World Economic Forum Global Risk Report indicate that an alarming 95% of all cybersecurity issues can be traced back to human error.

Fraudulent campaigns targeting people are becoming harder to detect, so it comes as no surprise that high volumes of victims are falling for phishing and social engineering attacks. These attacks are increasing in sophistication, with bad actors drawing on human psychology and behavioral methods when crafting their malicious campaigns. They use impersonation, persuasion techniques, and the establishment of credibility and trust to coax people into taking action: forfeiting passwords, downloading malware, or paying a bogus invoice, to name just a few. The surging complexity of such attacks requires organizations to take a different approach to equipping employees with the knowledge and tools to identify online dangers and protect company assets from attackers’ manipulation.

To reduce human risk, security and risk leaders must evolve their focus from simple compliance and awareness to true behavior change. Behavior change refers to the transformation or modification of human behavior. Behavioral science strategies that use nudge theory and short, positive micro-training will enable employees to exhibit the right cyber behavior and recognize sophisticated social engineering attacks.

While this is a relatively new concept, a recent Gartner report found that 84 percent of cybersecurity leaders want to mitigate risk by managing employee behavior, yet under half (43 percent) are putting mechanisms in place to achieve this. Why? Some argue that it is difficult to measure the return on investment of such activities, especially as boardrooms operate under increased scrutiny and grapple with reduced spend due to ongoing economic unrest. CISOs are already struggling to obtain basic resources, let alone vying for additional funding to implement new concepts.

However, the business case for changing employee attitudes and behaviors towards security risks could not be more compelling. People play a role in your defenses that is just as important as technology’s. For security leaders, there are several ways to effectively communicate the value of a people-first, behavioral approach to security training.

Cost Saving Incentives:

The most significant factor is the potential reduction in operating costs. Phishing attacks, according to 2021 research by the Ponemon Institute, cost large organizations around $15 million annually, or more than $1,500 per employee. Having employees equipped with the behavioral characteristics required to distinguish between malicious and benign activity drastically reduces the likelihood of an attack occurring and thus reduces the potential for negative financial implications.

Reduced Security Burnout: 

In 2022, 66 percent of cybersecurity professionals experienced burnout as a result of increased workload in response to escalating threats and increased demands from company executives. Initiatives that require all employees to develop a high level of security competency, including the ability to identify and report suspicious activity to security operations teams, help reduce the strain on security analysts and let them focus on higher-priority tasks. Within all organizations, we must move away from the mindset that security is only the responsibility of security teams. Having all employees work alongside specialized security teams protects the human targets that cybercriminals single out in order to penetrate a company’s network.

High Skill Retention: 

Outdated, traditional security training methods such as computer-based training (CBT) fail to bring about positive change. Most of the time, these training practices serve only as a check-box exercise to meet compliance requirements or to obtain cyber insurance. They are infrequent, simplistic techniques that usually fail to account for the role, location and skill level of each user. With methods that instead focus on behavioral change, through positive reinforcement, rewards, varying difficulty levels and regular frequency, users are more likely not only to detect threats but also to work with security teams to ensure risks are effectively mitigated.

Measurable Performance, Risk Reduction, and ROI:

Security behavior change programs simultaneously track the organization’s rates of reporting, neglecting, and failing simulated phishing attacks. As training progresses, those metrics should improve: reporting rates rise while neglect and failure rates decline. Those trends paint a clear picture of improved risk posture. That helps the CISO communicate the ROI of the program in business-positive terms that executive leadership appreciates, without getting lost in minutiae. You can also track improvements in the speed of threat reporting and in SOC response to real incidents. It’s an altogether robust set of data that plays well at board meetings.
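The following is an added example, not code from the original post, of how those simulation metrics can be computed and checked for the improving trend described above. It assumes a constructed set of campaign results (the campaign names, outcomes and reporting times are invented for illustration) in which each employee outcome is "reported", "ignored" (neglected) or "failed", with minutes-to-report recorded for reports.

```python
from collections import Counter
from statistics import median

# Constructed sample data (not real campaign results): one entry per employee per
# simulated phishing campaign. "reported:N" means the user reported it after N minutes.
RAW_RESULTS = {
    "2024-Q1": ["failed", "failed", "ignored", "ignored", "reported:240"],
    "2024-Q2": ["failed", "ignored", "ignored", "reported:90", "reported:45"],
    "2024-Q3": ["ignored", "reported:30", "reported:12", "reported:8", "reported:20"],
}


def parse_results(raw):
    """Expand the compact campaign table into one record per employee outcome."""
    records = []
    for campaign, outcomes in raw.items():
        for entry in outcomes:
            outcome, _, minutes = entry.partition(":")
            records.append({"campaign": campaign, "outcome": outcome,
                            "minutes_to_report": int(minutes) if minutes else None})
    return records


def campaign_metrics(records):
    """Per campaign: report, neglect and fail rates plus median time-to-report (minutes)."""
    by_campaign = {}
    for rec in records:
        by_campaign.setdefault(rec["campaign"], []).append(rec)
    metrics = {}
    for name, rows in sorted(by_campaign.items()):
        counts = Counter(r["outcome"] for r in rows)
        report_times = [r["minutes_to_report"] for r in rows if r["outcome"] == "reported"]
        metrics[name] = {
            "report_rate": counts["reported"] / len(rows),
            "neglect_rate": counts["ignored"] / len(rows),
            "fail_rate": counts["failed"] / len(rows),
            "median_minutes_to_report": median(report_times) if report_times else None,
        }
    return metrics


def trend_is_improving(metrics):
    """True when, campaign over campaign, the report rate never drops and the fail rate never rises."""
    ordered = [metrics[name] for name in sorted(metrics)]
    return all(later["report_rate"] >= earlier["report_rate"]
               and later["fail_rate"] <= earlier["fail_rate"]
               for earlier, later in zip(ordered, ordered[1:]))


if __name__ == "__main__":
    for campaign, m in campaign_metrics(parse_results(RAW_RESULTS)).items():
        print(campaign, m)
```

The per-campaign dictionary is the board-facing summary; `trend_is_improving` is the single yes/no check that the program is moving risk in the right direction.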