Why we need new and better human cyber risk metrics

CybSafe

We are CybSafe. We’re a British cyber security and data analytics company.

February 12, 2020

To make a difference as a security professional today, you need board support. You need resources. You need directors to trust and back you. You need organisational leaders to promote security.

So whenever you have the board’s attention – or the attention of those who report back to the board – you make your case. You answer questions with utmost clarity. You hope you’ve delivered your message – and that the board won’t simply sweep cyber security under the rug.

However…

Today, the stats suggest there’s about a 46% chance that’s exactly what they’ll do.

Why boards disregard cyber security

In March 2019, the UK government published its latest (at the time of writing) Cyber Governance Health Check. Among other things, the Check explores how FTSE350 companies are currently managing their cyber risk. The focus is largely on the board, and the Check’s findings are revealing.

As far as we know, most boards (72%) see cyber security as a top-tier risk. Yet just 46% of FTSE350 companies have a dedicated cyber security budget. And almost exactly the same proportion – 47% – believe cyber risk reporting to be incomplete. 

That may or may not be a coincidence. Either way, the take-home is clear.

As security professionals, we need to improve our reports on cyber risk.

Shallow metrics don’t reveal risk

The majority of risk reports today – such as technological cyber risk reports – have a clearly defined structure. Based on frameworks, they cover things like risk appetite and risk-mitigation measures. 

When it comes to human cyber risk reports, however, no such framework exists.

Typical human cyber risk reports show training completion rates. They show awareness test results. Sometimes, they show the click-rates of simulated phishing attacks. While all might be related to human cyber risk, they’re shallow metrics. They simply do not reveal human cyber risk in its totality – which encompasses security awareness, behaviours and culture.

So when 47% of boards label cyber risk reports as incomplete, can we really blame them?

It’s likely they have a point.

Better metrics for human cyber risk

To ensure boards can see and act on the true level of human cyber risk our organisations face, we need to begin tracking meaningful metrics of human cyber risk. 

That’s a lot easier to say than it is to act on. But if our industry is going to continue to advance, we need to welcome the challenge. 

That’s the thinking behind CybSafe’s latest whitepaper, Meaningful Metrics for Human Cyber Risk, which we’re currently sharing with the security community for free here.

When we track meaningful metrics of human cyber risk, we can be certain our human cyber risk is moving in the right direction.

More importantly, by monitoring meaningful metrics of human cyber risk, we can keep more people and societies safe online.
