Interlinking GenAI and Human Cyber Risk

11 June 2024

Generative artificial intelligence, or GenAI, is the term used to describe data-led algorithms (such as ChatGPT) that can be used to create new content, including audio, code, images, text, simulations, and videos. Recent accelerated developments in the field have created a tangible potential to drastically change the way we approach content creation.

It’s still in a very early and adoptive stage, but many business leaders within organizations are considering GenAI and how it can be harnessed to enhance and maintain existing business flows. At the core of any change management program, these business leaders are concerned with efficiency, effectiveness, and cost management. 

At the same time, most people who are looking at this for their organizations are not necessarily experts in machine learning. They are experts in guiding organizations to take business-driven and value-enhancing decisions in the safest possible way. They are cyber risk professionals adept at managing and mitigating risk.

When it comes to GenAI and the focus on human cyber risk, our focus is on behavior – and on influencing strong security cultures. Cyber risk professionals are increasingly keen to map security behaviors against risk outcomes in order to align with the frameworks relevant to their businesses. Most practitioners would agree that human cyber risk is not simply about “training” and that “content production” isn’t the sole aspect of a successful awareness program. While we are confident that GenAI can make it easier than ever to produce “more” and “better” content, this is not the sole objective. If anything, the objective is to increase positive security cultures and reduce risk as a key result of socializing this great content.

In essence, we are increasingly concerned about the quality of content, its delivery method, and timing. This is the essence of giving people the help they need when they need it. As such, how we can effectively deliver and make the content more personalized will be a key factor in increasing the impact of such content, and hence the impact of harnessing GenAI to lower human risk. GenAI can make the content contextually relevant. A measurement of impact will therefore be a measure of how relevant these interventions are.

GenAI is, of course, not just about content. It can also be used to write code, gather intel and enhance the effectiveness of deepfakes. It additionally has the power to be incredibly democratizing. Mobile technology may accelerate the impact of GenAI, and we could see this being a great equalizer for certain regions of the world. GenAI will certainly change the landscape of phishing and associated social engineering. However, it will not change what good security behaviors and culture look like.

We are likely to see a cost-effective scaleup in security education and training as well as personalized cybersecurity support. In theory, we could also see an increase in digital security assistance adoption or chatbots as well as advanced threat protection. This may well be determined by an organization’s current digitalization and interoperability of systems.

For human security awareness, a good place to focus is on behavior and addressing the behaviors that are important to organizations. This must be balanced against privacy rights and the restrictions on profiling, in particular with concern for the rights and freedoms of individuals and any automated decision that might be made as a result of that profiling.

This is different from identifying security behaviors and influencing a better security culture. The objective is not to identify individuals but rather behaviors and behavior trends in organizations. The priority therefore is to increase security awareness and build a stronger security culture. As such, organizations that are really interested in human cyber risk will be looking at security behaviors and the associated risks.

Risks are specific to businesses, so security leaders will be looking at the risks that matter to their business value chain and at the behaviors that might increase or lower those risks. What we mean in a very granular sense is that we are looking at threats and risks. A threat is a potential for a threat agent or insider (malicious or otherwise) to exploit a vulnerability. The risk is the potential for loss when the threat happens. The behaviors that employees exhibit can have a strong impact on the success or failure of the exploitation of the vulnerabilities. GenAI can have a huge impact in measuring patterns and predicting future patterns. Security professionals can now use the data analysis to lower risk.

Some would say it’s the single biggest development in the last few years. Most can agree that there are huge opportunities surrounding GenAI. With great opportunities often come great risks. However, as with all big risks, just because it “may” happen doesn’t mean it will happen. So we should look at the likelihood versus the impact and spend some time analyzing how GenAI can help with this. In harnessing the power of technology to measure patterns, we look at aspects such as the likelihood that certain events will materialize. We also measure what successful or corrective actions look like, their likelihood of success, and harness GenAI to help us identify the most impactful actions to take. This can also help organizations move up in the business maturity framework.

So what does GenAI mean for security awareness for organizations? The first thing is to remind ourselves what our organizations need in terms of support. Harnessing GenAI to that end will be pivotal in understanding the different types of threats but also the different opportunities, as well as creating content and delivering adaptive interventions, exactly what people need at the time that they need it. 

GenAI has the power to accumulate key variables essential to effective security interventions and to introduce these with confidence. For those who are concerned about a potential AI-first strategy, it’s worth remembering that technology’s primary purpose is to solve problems. An AI-first approach could rapidly drive AI deployment across business operations, to solve substantial organizational and customer problems. 

In conclusion, GenAI’s potential impact on the human aspect of cybersecurity is significant, both in terms of the risks that are presented as well as the successes that can be achieved in harnessing AI to change security behavior for the better. There are limitations to GenAI as it relies heavily on accuracy and the automation of processes to fully work to its capacity. 

The main takeaway for right now is that there is huge potential but that we are still in the very early stages of adoption. Leaning into it will certainly help improve security culture in organizations. For EU-based organizations, a repository of models in use or development will be required – so knowing what is in hand will be essential to making that task manageable. 

Human cyber risk practitioners would be wise to get familiar with the tools (early and often) so as to have meaningful influence on the ones that will eventually shape the future of their organizations.
