“Any form of intervention or interaction that you have with the user has got the potential to be seen as punitive.”
— Jinan Budge, Principal Analyst, Forrester
So, you missed the webinar. And now you want a cheat sheet. Sigh.
Seriously though, we know you’re busy. That’s why we recorded the webinar. And that’s why we’re giving you on-demand access. We’re kinda like Netflix. But so much cooler!
And, in case you need them, here are some of the highlights:
1. ‘Security behaviour’ isn’t what you think it is
The industry’s got it all wrong. Yes, the whole damn industry.
Turns out, security behaviour has been used as a synonym for engagement. So, when you hear ‘measuring security behaviour’, you might think ‘measuring engagement’.
And why’s that a big deal, you ask? Because there’s more to quantifying risk than counting the number of people that attended a tick-box training session.
Speaking of quantifying risk . . .
2. There are over 87 risky security behaviours
Yeah, 87. And counting. That’s according to SebDB.
87. It’s a pretty shocking number, isn’t it? But it shouldn’t be. The only reason it would take you by surprise is because the industry’s been focused on specific security behaviours.
You know, things like click rates on phishing emails.
Don’t get us wrong. Measuring click rates is great. Measuring click rates to the exclusion of other security behaviours – not so great.
But that’s not all . . .
3. Your internal policies are holding you back
That’s right, you’re standing in your own way.
Don’t look at human risk in the context of compliance with policy. By that logic, the more your people follow the rules, the less risk you have.
And that’s true. To an extent.
While measuring mandatory behaviour is important. It’s just as important to measure non-mandatory behaviour. For example, how many people use password managers even though they aren’t obliged to?
Understanding what people do both in and outside of the context of policy will give you a good overview of your people’s security behaviours.
While we’re on the subject of people . . .
4. You should take feelings into account
Feelings influence behaviour. But you know that.
Despite that, people’s thoughts and feelings are often ignored when measuring security behaviour. And measuring behaviour isn’t just about what your people do. It’s also about why they do it.
You’re not going to get the answers you’re looking for until you create an environment that encourages sharing.
Kevin Fielder, the Chief Information Security Officer (CISO) at FNZ Group, put it this way: “Every engagement must be as positive as possible.”
Of course, this kind of cultural change can only mean one thing . . .
5. Revolution is coming
Just a couple of years ago, the word ‘culture’ was frowned upon.
Today, we’re seeing more organisations and vendors rejecting the status quo. We’re seeing the rise of human risk quantification. We’re seeing, dare we say it, change.
And you’re going to be part of it. Sooner or later.
As regulations evolve and auditors adjust their requirements, risk quantification is going to take centre stage. And rightfully so.
It’s just a matter of time.
Want the full rundown? You can watch the webinar recording here.