Many things in life can be measured. Our height, the distance we ran, how short our last relationship was…
It’s no different when it comes to cyber security. Human-cyber risk can be measured. But where do you begin? Pull up a chair and grab a snack, let’s explore the wonderful world of metrics!
Metrics shine a light on how effective defences are against cyber attacks. They serve as a benchmark for security professionals, and are a useful tool to manage human-cyber risk.
“Why do we need to manage human-cyber risk?” you may ask. The stats speak for themselves…
CybSafe’s research with the National Cybersecurity Alliance revealed nearly a third (31%) of respondents either “sometimes,” “rarely,” or “never” install software updates. It goes to show there is room for improvement.
But what metrics can be used to track human-cyber risk? And how can you measure success?
The best metrics are meaningful
Sometimes, it can be easy to fail in measuring human-cyber risk because the tools used are shallow. Improving knowledge of cyber security is useful, but it is not enough. If anything, employees who only complete tick-box exercises can do more harm than good.
It’s not that standard security training for your staff isn’t essential. It is. But wouldn’t it be way better to be fully equipped to fight off cyber attacks?
Don’t just take our word for it: other businesses have realised too. The European Systemic Risk Board (ESRB) recently released a survey. It showed ineffective testing of people, processes and technology was a vulnerability of high priority.
How can things change? It’s all in knowing your ABCs: awareness, behaviour and culture. If people can improve their ABCs when it comes to cyber security, a change can be made for the better.
Metrics in practice
Let’s start with awareness. How can it improve? Recognising a threat and knowing how to mitigate it is a great start.
Insightful activities such as workshops and quizzes are amazing awareness tools. They are fun and interactive. They are an effective way of teaching people how to identify risks.
These activities are useful for another important reason. Interactive measures are a good way of gauging how long it takes before someone forgets the things they have learned.
Workshops and activities are most effective when done regularly. This helps to build the knowledge retention of people.
Information provided in these activities can help people to know where to get help if they ever face a cyber attack.
So, security awareness knowledge is foundational. But behavioural and cultural metrics are important too.
Behaviour often happens within a context. It’s easy to assume behaviour rather than measure it. It happens often, and it is a habit to break.
Take password hygiene. Assuming people have bad password habits and raising awareness around this will not always guarantee behaviour change.
A little nudge can help: information on how often a password has been leaked, along with stronger password alternatives, is key.
People are more likely to be aware of risks if they can understand how close they are to danger. More importantly, people will be willing to change their habits for the better.
A supportive culture
As mentioned before, measuring culture works. It can provide insight into how people feel about security, leadership and trust at your organisation.
Having a culture that is safe and trusting plays a key role when it comes to cyber security. It helps people feel more confident to speak up about cyber risks.
Awareness, behaviour and culture lay the groundwork for a well-rounded view of human-cyber risk management. It isn’t as simple as singing ABC! You may find it takes time to implement these metrics. But it will be time well spent.
Metrics that measure the effectiveness of ABC take it to the next level. That’s where the magic happens!
A time to reflect
Looking at the delivery of campaigns is a good way of knowing where to go next. This can range from how you decided to deliver ABC campaigns, to planning how the outcome of your campaign will be measured. CybSafe’s whitepaper, Meaningful Metrics for Human Cyber Risk, is filled with more nuggets of wisdom to make metrics work for you.
Making that first step
CybSafe is here to support you with every step of your cyber journey. You should feel secure each time you go online.
Easy-to-understand reports on human-cyber risk are provided for your organisation, along with tailored recommendations so your actions can have the best impact on your company.
CybSafe’s software will help you to understand the impact of human-cyber risk, as well as supporting people to make the best security decisions possible.
Any questions? Please ask.