I knew data would be central to the CybSafe premise from the minute the idea hit me.
At the time, I was helping organisations in different parts of the world counter cyberthreats, and it had become obvious that no surefire way of reducing human cyber-risk yet existed.
As a former public servant and a tech fanatic, I wanted to build something that kept people and organisations safe online. And I knew data would be crucial to achieving the goal—because of an age-old security conundrum that still plagues the security industry today.
Solving a Security Conundrum
The conundrum is simple:
Why is it that, over the years, we’ve failed to meaningfully address the human aspect of cybersecurity?
Today, the absolute number of data breaches keeps rising, and the majority of them still involve some form of human error, despite seemingly ever-increasing investment in security awareness training.
Why is it that traditional security awareness training is failing?
Security Awareness Training Falls Short
While it’s impossible to say for certain, the history of security awareness training offers some clues.
When cyberthreats first became apparent, regulators naturally stepped in. They demanded companies in regulated markets take steps to counter cyberthreats—and early security awareness training was born. Unfortunately, the whole thing was a tick-box exercise. Organisations needed security awareness training to comply with laws, so security awareness training was compliance-based. People would sit the annual bout of training, then go back to their desks and ignore everything they’d just learned. Training raised security awareness, but it did little to change people’s behaviour, or foster a culture of security.
To reduce cyber-risk, CISOs must change security awareness, behaviours and culture in tandem. And that’s where data comes in.
It Makes Sense to Analyse Data
Throughout history, data, metrics, measurement and insights have helped humans solve pressing challenges. They’re the very foundation of scientific progress. In any arena, analysing data allows us to see what’s working, what’s not, and to continually improve.
Today, we are living in an era of data (one of the reasons cybersecurity has become such a hot topic of late).
Could a focus on data, metrics, measurement and insight demonstrably reduce organisations’ human cyber-risk?
Using Data to Enhance Cyber Resilience
Here’s how it works. First, you study research into the human aspect of cybersecurity to deduce indicators of security awareness, behaviours and culture. Then, naturally, you take initial measurements of each indicator. You can do this in a number of ways—situational tests might reveal awareness, simulated attacks might reveal behaviours, and a tool like C-CAT might reveal cybersecurity culture.
Metrics and insights alone, of course, aren’t enough. You need to pair them with security interventions designed to nudge the metrics in the right direction. At CybSafe, we design security interventions with input from security experts, psychologists and behavioural scientists to ensure they’re both scientifically valid and scientifically reliable. Armed with your interventions, you can begin your security awareness campaign.
By taking further measurements throughout, you can see what’s working, what’s not and improve—just as humans have done throughout history.
Campaigns of the Future
Using rich datasets to address the human aspect of cybersecurity is a new concept—but I can say from firsthand experience, it’s working well.
Simply by looking at recorded data, CISOs can say, for example, that 94% more people know how to secure unsecured Wi-Fi (an awareness metric) following a campaign. You can say that, following the same campaign, 100% more people are able to spot simulated attacks (a behaviour metric). Or that 83% more people see themselves as part of your cyber defence (a culture metric).
Today, the majority of security awareness training might still be designed to appease regulators or tick boxes. Over time, I predict a focus on data will become the norm.
Focusing on data allows CISOs to actively manage people-related cyber-risk in a new and dynamic way.