Security awareness and training is a method, not an outcome
Editor’s note: The following is a guest article from Jinan Budge, VP, Principal Analyst at Forrester.
For decades, firms have relied on security awareness and training (SA&T) to address the human side of security. Recommendations for dealing with human-related attacks were limited to this one silver bullet.
Despite 97% of organizations reporting that they undertake SA&T, human-related attacks, such as business email compromise, have quadrupled.
CISOs haven’t instilled security cultures in their organizations and training continues to cause friction for learners. No one knows what behaviors change because of this training.
In 2024, the idea of human risk management (HRM) shifted from concept to reality, with frustrated CISOs and their teams looking for solutions that take away the reliance on humans to keep up with security and for alternatives to SA&T to make real change.
SA&T vendors now use HRM in their branding and major SA&T events have been renamed to incorporate HRM. Human risk management maturity models have emerged and job descriptions have evolved to focus on security behavior change, culture and managing human risk.
Businesses should use human risk management to:
- Detect and measure human security behaviors and quantify the human risk.
- Initiate policy and training interventions based on human risk.
- Educate and enable the workforce to protect themselves and their organization against cyberattacks.
- Build a positive security culture.
With HRM, satisfying often outdated regulatory requirements — the traditional purpose of one-size-fits-all SA&T — becomes a secondary use case.
The past, present and future of HRM
In looking holistically at a pending shift from SA&T to HRM, Forrester anticipates the following changes taking place:
In the short term, most organizations will still focus on training, but not for long.
For two decades, security teams and vendors improved security training slowly and incrementally. They focused on the methods by which we train people rather than the outcomes — in other words, SA&T.
While this satisfied regulatory requirements for security training, it also achieved little else. Many firms are now exploring the shift to HRM while continuing to train.
In the medium term, the security function will redirect its focus toward human behavior, risk and culture.
HRM will overcome SA&T’s shortcomings. Positively influencing employee security behavior and instilling a security culture will be driven by evidence-based human risk management. Innovators and early adopters are already using HRM, with most firms expected to do so within four years.
In the long term, organizations will move toward adaptive human protection.
This means people, processes, and technologies working together to detect and anticipate human security behaviors.
This also means adjusting policies, training, and technologies to protect humans in a way that requires minimal or no effort on their part.
Realistically, this is years away for most organizations, likely five to eight.
Security leaders must embrace the future
Early HRM adopters demonstrate a significant change in mindset, strategy, process and technology, approaching the problem of human-related breaches in a new way. To move toward this future, security leaders should:
Change and uplift the intent, scope and nomenclature of your SA&T.
Modify the language you use to describe the program to reflect the goal. This means changing your team and program names to show your intent — taking the lead from CISOs who have created digital user behavior teams, human risk management programs, or director roles for cyber influence and engagement.
Don’t just guess behavior change — measure it.
Look to measure security behaviors across the spectrum of security categories by integrating with familiar security tools, including email, social engineering and endpoint.
Baseline existing behaviors and measure how these behaviors have changed because of training.
Quantify human risk comprehensively and accurately.
Quiz scores and engagement rates are metrics from a bygone era.
Use a comprehensive and accurate methodology to quantify human risk, which considers four key points: individuals’ actual behaviors, identity, personal attack exposure, and security knowledge and sentiment.
Focus on outcomes and effectiveness.
Training completion rates and engagement scores measure activity, but they don’t tell you how effective your training is. HRM metrics should demonstrate behavioral change, risk reduction, or an improvement in overall security posture.
Provide interventions and actionable guidance at the right time and in the right place.
Intervene at the point of risky behavior, depending on the person’s or team’s risk score and their behavior.
Interventions can be policy-based, such as blocking privileges, or training-based, such as nudging, coaching, or notifying users at the point of a risky action.
This step removes the friction and productivity problems caused by one-size-fits-all training.
Partner with the right vendor.
Don’t do this alone — building a capability to do the above is costly and complicated. Your SA&T vendor is likely to have shifted its solution to HRM or is in the process of doing so.
Take care, though — while most SA&T vendors grasp the need for disruption and are shifting their mindset, strategy, technology and nomenclature, they’re approaching the transition with different levels of urgency and clarity.
Look for vendors that built their HRM capabilities long before you asked about them, because they knew it was the right thing to do, and that are set up with the right sales, customer success, and roadmap mechanisms to take you through the journey.