Beyond Awareness Training: Transforming Human Risk Management into a Strategic Advantage


Conventional approaches to security training are insufficient to meet the rising tide of cybersecurity threats. Conducting a risk assessment is the first step in identifying the highest risks to human behavior, and mitigating those risks is how the security culture of an organization is changed.

[Image: a person pointing to a lock. Credit: Diyajyoti / Shutterstock.com © 2024]

In today's digital landscape, where data breaches and cyber threats are everywhere, organizations must recognize that human behavior represents a critical vulnerability. According to the 2024 Verizon Data Breach Investigations Report, nearly seventy percent of data breaches involve human interaction.[1] This statistic underscores a pressing need to shift how organizations approach cybersecurity beyond traditional technical measures.

The Limitations of Security Awareness Training

Historically, many organizations have relied heavily on security awareness training as the primary method of educating members of the institutional community—including students, faculty, and staff—about cybersecurity dangers. However, the effectiveness of such programs often falls short. Usually compliance-driven, these trainings can become routine and uninspired, and they often fail to engage their audience meaningfully. Questions arise about the relevance of the topics covered, the retention of the information, and its practical applicability in real-world scenarios.

The Current State of Security Culture

An organization's security culture is the degree to which its people adopt and apply safeguards to protect its digital and physical assets. In plain terms, this culture can be weak, moderate, or strong, with the following characteristics:

  • Weak culture: People exhibit wrong behaviors even when told what to do.
  • Moderate culture: People exhibit the correct behaviors when told what to do.
  • Strong culture: People exhibit the right behaviors even when they are not told what to do.

Passwords illustrate these cultural differences well. In a weak culture, individuals are likely to reuse passwords that contain their names and birthdates. In a moderate culture, individuals will create unique and strong passwords after training. In a strong culture, those individuals will already have created strong, unique passwords and will champion the practice to their coworkers.

Embracing Human Risk Management

To truly foster a strong security culture, organizations must adopt a proactive approach that goes beyond awareness. Human risk management (HRM) emerges as a comprehensive strategy focused on understanding, assessing, and mitigating human-centric vulnerabilities. At its core, HRM involves conducting thorough risk assessments to identify the most critical human-related risks within an organization. These assessments serve as a foundational step toward cultivating a security culture ingrained in everyday practices.

Developing and Delivering a Better Kind of Training

Maturing your security awareness program into HRM requires changes at an intrinsic level. Security awareness training is usually compliance-focused, computer-based training that checks a box. HRM is focused on risk and results and continually engages with its audience. The results change the behavior of individuals and the security culture of the entire organization. Unlike conventional security awareness training, which tends to be deprioritized and is often assigned to a part-time role, HRM is part of the overall security strategy and must be developed by a full-time employee or team.

The following seven steps are essential areas to consider when maturing a program beyond conventional approaches, expanding the scope and understanding of how to minimize the risks posed by human behavior:

1. Identify Significant Human Risks

Key stakeholders such as incident response teams, service or help desks, and security operations centers (SOCs) play pivotal roles in identifying high risks associated with human behavior. By analyzing incident reports and trends, organizations can pinpoint areas of vulnerability, whether through inadvertent errors or targeted, malicious actions. This holistic approach extends beyond traditional cybersecurity realms to include physical security considerations and emerging threats such as AI-driven deepfakes.

2. Address Insider Threats

Insider threats remain a significant concern, encompassing both malicious intent and negligent actions. Whereas malicious activities often aim for financial gain and can be monitored through sophisticated systems, negligent behaviors, such as falling victim to phishing scams, underscore the importance of targeted educational efforts. Examples of negligent behavior include the person who did not realize that sensitive information must not be sent unencrypted, or who thoughtlessly clicked a link in a suspicious email. Training programs developed for the highest risks of negligent behavior will reduce human risk for the organization.

3. Face the Very High Risk of Phishing

As noted in the Verizon report, most data breaches are attributable to human factors, underscoring the need to prioritize phishing as a top risk. This is particularly pertinent in higher education, where email addresses end in .edu, a domain generally reserved for those associated with an accredited college or university. Because of this accreditation, .edu emails often bypass conventional spam filters—they are considered inherently safe. Compromised .edu addresses can be blocked after discovery, but they have a greater chance of getting to inboxes, being read, and being acted upon by unsuspecting recipients. These email addresses are highly valued on the dark web. Magicspam.com reported that in 2022, the price for 10 million U.S. email addresses was $120 ($0.000012 each).[2] According to an article by Dark Reading, stolen credentials from U.S. colleges and universities are sold for between $3.50 and $10 each.[3]

4. Mature the Security Culture

Central to HRM is the concept of maturing the security culture within an organization. Beyond compliance-driven awareness, fostering a strong security culture involves instilling trust, approachability, and respect for security practices among the entire organizational community, including faculty, staff, students, and volunteers. This cultural shift empowers individuals to make informed decisions and take proactive measures to safeguard organizational assets.

5. Move Beyond Awareness

What differentiates HRM from traditional awareness training is its emphasis on continuous engagement and practical application through engaging instructional activities. Effective HRM initiatives leverage varied learning formats—from newsletters and posters to interactive simulations and gamified exercises—that resonate with diverse audiences. By personalizing training content and emphasizing actionable goals, organizations can enhance retention and empower individuals to respond effectively to security threats.

6. Invest in Resources for Success

Successful HRM initiatives require dedicated resources beyond financial investment. A crucial element is identifying and empowering excellent communicators who are enthusiastic about these cybersecurity topics and who can openly engage with various audiences to get a point across in language they understand. Collaboration with communications and marketing teams can further personalize training efforts, making cybersecurity relevant and impactful to users' daily lives.

7. Cultivate Security Champions

Ultimately, the goal of HRM is to cultivate security champions within an organization. These champions not only comply with security best practices themselves but also advocate for improved security habits across teams and departments. By demonstrating the tangible impact of cybersecurity on personal and professional levels, organizations can foster collaboration to safeguard sensitive information.

Free Resources

Although budgetary constraints can give the perception that a program cannot be developed, free resources are available from the cybersecurity industry and the U.S. federal government:

These resources and many others found online can play a pivotal role by offering foundational information without the need for an initial financial investment.

Conclusion

While security awareness training remains a staple of institutional cybersecurity efforts, evolving threats require a more targeted approach through human risk management. By integrating HRM into the organizational fabric through risk assessments, targeted education, and cultural reinforcement, organizations can fortify their defenses against human-related vulnerabilities. Embracing this strategic shift empowers organizations to mitigate risks effectively and develop a resilient security posture that adapts to evolving cyber threats.

Notes

  1. 2024 Data Breach Investigations Report, Verizon Business, 2024.
  2. "Dark Web Price Index: The Cost of Email Data," MagicSpam, September 12, 2022.
  3. Kelly Jackson Higgins, "Millions of Stolen US University Emails Credentials for Sale on the Dark Web," Dark Reading, March 29, 2017.

Chris Madeksho is Lead Cybersecurity Analyst at The University of Tennessee Health Science Center.

© 2024 Chris Madeksho. The content of this work is licensed under a Creative Commons BY 4.0 International License.