Utilizing end-user behavioral analytics to enhance staff cybersecurity awareness programs is critical to defending against cyber-threats, according to Dr Maia Bada, behavioral science expert at AwareGo, speaking during a keynote session on Day 2 of Infosecurity Europe 2022.
Bada highlighted data showing that 85% of successful cyber-attacks are initiated by manipulating users through social engineering techniques like phishing. Despite this, organizations still tend to focus on technologies and processes ahead of the human factor. “We also need to identify, measure and remedy the human risk factor,” she stated.
This issue has been exacerbated by trends during the COVID-19 pandemic, such as working from insecure networks and greater use of personal devices. Therefore, it is essential to improve cybersecurity awareness training for staff. This training should engender a long-term behavioral change in employees, including in attitude and mindset. “This is a long process, not one-off training,” commented Bada.
A common method used by organizations is phishing simulations, but these are often used inappropriately, leading to issues like security fatigue and fear. For example, Bada cited one case where employees in an organization treated all emails as phishing, refusing to open or respond to any that came into their inboxes.
A major challenge is assessing the effectiveness of awareness training and understanding how far it has changed an organization’s culture. Doing so enables firms to personalize their programs and vary the focus across staff, for example by tailoring the training to different departments such as HR, finance and security.
Analysis should be looking to provide insights on four key performance metrics, according to Bada:
- The efficiency of the training before, during and after delivery
- Capturing knowledge, behavior and culture
- Giving actionable insights that organizations can use to improve programs and policies
- How relevant, engaging and educational the training is
The best way to achieve this is through end-user behavioral analytics, said Bada. This can identify areas like routine patterns of behavior and vulnerable groups of employees.
She then highlighted an AwareGo survey of 160 cybersecurity leaders, asking them about their organization’s awareness training practices. This found that 62% of companies are running an awareness training program. The biggest reason for having a program is compliance (72%), followed by a top-down strategic management decision (58%). Worryingly, enhancing security awareness was cited by only 13% of respondents. This suggests training is often a tick-box exercise designed to fulfill legal and company obligations.
This research further demonstrates the need for a “human-centered approach to awareness focusing beyond compliance and phishing,” outlined Bada.
She concluded: “People are the first and last line of defense and we need to boost the human firewall of every company.”