HRM needs new DEEP approach to mitigate human risk

Johannesburg, 09 Oct 2025
Javvad Malik, Lead CISO advisor at KnowBe4.

The human element remains a key factor in cyber security breaches, with industry reports attributing up to 90% of incidents to human action or error. Mitigating human risk requires new approaches to human risk management (HRM), in which organisations systematically identify, measure and mitigate human-derived risk through a continuous, data-driven process.

This is according to Javvad Malik, Lead CISO advisor at KnowBe4, who was speaking during a webinar on human risk management hosted by KnowBe4, in partnership with ITWeb.

“Traditional security awareness training is not effective today. It’s reached as far as it can go,” he said. “People are bombarded with so many attacks from so many vectors, and many of them are not malware – they are literally people on the phone pretending to be someone else. On top of that, criminals have more tools – they are leveraging AI to create perfect phishing e-mails. Humans are still the most accessible to criminals and they target us accordingly. Therefore, we need to shift away from the mindset of wanting people to know better, to enabling them to do better.”

He explained that HRM represents a mindset shift away from awareness training alone, drawing on behavioural datasets, training and simulation performance, user-reported intelligence and security tool integrations.

Malik outlined KnowBe4’s DEEP model for HRM – Defend, Educate, Empower, Protect – to transform employees from a point of vulnerability into a proactive and resilient line of defence.

He said cyber security education had to become more personalised, relevant, timely and easy to consume. “We can’t rely solely on education: we also need to empower people to take action on that education, to create a positive security culture. HRM adds two more layers to education and empowerment. These are a defensive layer that stops attacks from reaching people, and – acknowledging that some attacks do get through – having protection layers in place to limit fallout from attacks,” Malik said. “This approach blends technology and a human approach.”

He highlighted four common categories of people who present security risks: users targeted by external attackers, users who make genuine mistakes, ‘convenience bypassers’ who bypass policy for efficiency, and malicious insiders.

“There could be different approaches to take for each category,” Malik said. “For example, if someone is a convenience bypasser, they are aware of the risks and education won’t change their behaviour. What will change their behaviour is to empower them with better tools that are more convenient, but more secure.

“If accidental insiders make genuine mistakes like using weak passwords, we could scan the dark web to see if anyone has weak passwords, scan our own passwords, as well as educating them on the need for strong passwords and introducing a password manager and multifactor authentication.”

Malik noted: “We must acknowledge that nearly every control we put in place adds a bit of friction to people’s lives. So we need to work with human nature to maximise the benefits. Your controls should be like ordering a pizza – easy to do, quick to arrive and satisfying to use.”

He recommended creating an environment that nudges people towards the desired behaviour – for example, using a digital password meter that automatically rates a password’s strength.
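The password meter mentioned above, written out as an added example that is not part of the original article and is not KnowBe4’s code; it also serves the earlier point about scanning for weak passwords, via a small audit helper. The common-password list, the keyboard-walk fragments and the score thresholds are constructed assumptions for illustration; a real meter would back them with a large breached-password list.

```python
import math
import re

# Constructed stand-in for a common/breached password list (assumption: a real
# deployment would use a far larger list or a breach-lookup service).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "monkey", "dragon",
}

# Keyboard-walk fragments people type when asked for something "random" (assumed set).
KEYBOARD_WALKS = ("qwerty", "asdf", "zxcv", "1qaz", "qazwsx")


def estimate_bits(password: str) -> float:
    """Rough entropy estimate from length and the character classes actually used."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(pool) if pool else 0.0


def has_run(password: str) -> bool:
    """Three or more identical characters in a row, e.g. 'aaa'."""
    return re.search(r"(.)\1\1", password) is not None


def has_sequence(password: str) -> bool:
    """Three ascending consecutive characters ('abc', '123') or a keyboard walk."""
    lowered = password.lower()
    if any(walk in lowered for walk in KEYBOARD_WALKS):
        return True
    codes = [ord(c) for c in lowered]
    return any(codes[i + 1] == codes[i] + 1 and codes[i + 2] == codes[i] + 2
               for i in range(len(codes) - 2))


def rate_password(password: str) -> dict:
    """Return a 0-4 score plus the feedback a meter would show beside the field."""
    feedback = []
    bits = estimate_bits(password)

    # Strip trailing digits so "Password1" is still caught as "password".
    base = re.sub(r"\d+$", "", password.lower())
    if base in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        return {"score": 0, "bits": round(bits, 1),
                "feedback": ["This is a commonly used password; choose something unique."]}

    # Score bands are assumed thresholds, not a published standard.
    if bits < 28:
        score = 0
    elif bits < 36:
        score = 1
    elif bits < 60:
        score = 2
    elif bits < 80:
        score = 3
    else:
        score = 4

    if has_run(password):
        score = max(0, score - 2)
        feedback.append("Avoid repeating the same character.")
    if has_sequence(password):
        score = max(0, score - 2)
        feedback.append("Avoid sequences like 'abc', '123' or keyboard rows.")
    if score < 3:
        feedback.append("Longer is stronger: try a passphrase of four or more unrelated words.")
    return {"score": score, "bits": round(bits, 1), "feedback": feedback}


def find_weak(candidates) -> list:
    """Audit helper: return the candidates scoring 0 or 1 (the 'genuine mistakes' case)."""
    return [p for p in candidates if rate_password(p)["score"] <= 1]


if __name__ == "__main__":
    # Constructed sample inputs, not data from the webinar.
    for pw in ("password", "Password1", "abc12345", "Tr0ub4dor&3",
               "correct horse battery staple"):
        result = rate_password(pw)
        print(f"{pw!r}: score {result['score']}/4, ~{result['bits']} bits; "
              f"{' '.join(result['feedback'])}")
```

The nudge is in the feedback strings, not the score: the meter tells the user what to change rather than just rejecting the input, which is the “make the secure path the convenient one” principle the talk describes. The audit helper is only meaningful for passwords you legitimately hold in the clear (for example, candidates submitted at change time); stored credentials should be hashed and cannot be scanned this way.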

“We need to design the system in a way that encourages people towards good behaviours,” he said. “We need to be consistent and reinforce what behaviours we want.

“Our security controls must take into account how people will behave. We must identify friction points, remove barriers and add enablers,” he said.

Malik recommended shifting from awareness to focusing on behaviour, supported by technology. He emphasised the importance of risk quantification, personalisation and context. “Positive framing is also key – we need to build a positive security culture, not a culture of fear,” he concluded.

For more information, see the KnowBe4 white paper: ‘A Strategic Framework for Human Risk Management’.

https://www.knowbe4.com/hubfs/Strategic-Framework-HRM-WP_EN-US.pdf?hsLang=en-us
