
Introduction

As cyber security specialists we see a wide array of cyber incidents every year, from ransomware to e-espionage and insider threats. These incidents frequently have one thing in common: human behaviour plays a crucial role. Forrester, a well-known global technology research and advisory firm, predicts that 90 out of 100 data breaches will include the human element in 2024. Despite this clear importance, in many organisations the maturity of the behavioural side of security lags far behind the maturity of other cybersecurity topics.

Why does this gap exist? For some organisations, this is because behaviour is treated as a compliance checkbox: “We did a phishing campaign and an awareness session, so we meet the requirement”. However, research shows that such measures don’t effectively reduce data breaches. For others, the challenge lies in the complexity of human behaviour. Technical solutions are perceived as concrete, relatively easy to implement and measure, whereas behaviour is perceived as too complex to change and immeasurable. Unfortunately, threat actors actively exploit human vulnerabilities, and not all risks can be mitigated by technological solutions. We challenge the notion that behaviour cannot be measured or changed and argue that it is possible to truly activate the human protection layer if we move beyond the simplistic approaches.

Human Risk Management

We at Northwave are not alone in this plea for taking human behaviour seriously. Forrester, for example, has rebranded its Security Awareness & Training category to Human Risk Management.

Human Risk Management is a strategic approach that focuses on managing and reducing cybersecurity risks related to human behaviour by detecting and quantifying those human risk factors and addressing them with evidence-based techniques. It differs from traditional awareness and training in three areas, each of which is a benefit to your organisation:

  • Measure to reduce risk
    The traditional approach relies on best practices, gut feeling or irrelevant metrics such as e-learning completion rates to identify areas to improve. Human Risk Management instead manages and reduces cybersecurity risk through measurement: it detects and quantifies the human risk element in your organisation and bases interventions on those specific risks.

  • Effective interventions
    The traditional approach primarily relies on one-size-fits-all awareness and training sessions, with a focus on education and quizzes. Human Risk Management uses evidence-based, contextual and integrated interventions, chosen for your organisation's specific risks, to achieve actual behavioural change.

  • Positive culture
    The traditional approach focuses on educating employees, whereas Human Risk Management aims to build a positive security culture by involving everyone in the organisation.

How do you get that human protection layer in position?

To move from traditional awareness and training sessions to effective Human Risk Management, we need measurement to identify the right interventions, and effective interventions to shape a positive culture. As with any risk management effort, use a Plan-Do-Check-Act cycle: begin with an assessment to identify the adjustments needed to achieve behaviour change, and keep measuring to check whether those adjustments work.

Measurement to reduce risks

At Northwave, we take a risk-based and intel-driven approach to inform our countermeasures. We see that CISOs are very capable of using tools such as gap assessments and pen-tests to identify vulnerabilities in procedures or technology. Yet assessing behaviour often relies on intuition, and where tests are used at all they are usually limited to phishing tests. Unfortunately, these tests only scratch the surface. Crucial human risk elements such as incident reporting and password management are not captured, and underlying challenges such as knowledge gaps, communication breakdowns, social norms and leadership influence are not identified. To foster lasting behaviour change, we argue that we need reliable measurements of the human risk element in cybersecurity.

Reliable measurements cover three areas:

✅ 1. Behaviour:

Assess employees' actions that influence the likelihood of a successful cyberattack. This includes behaviours such as phishing susceptibility, password management, software updates and data storage practices. Use a combination of self-reported data, tests (e.g., phishing simulations, password checks) and integrations with other sources (e.g., data from your security operations centre) to evaluate behaviour.

✅ 2. Knowledge:

Measure the minimum knowledge employees need to act safely, such as knowing where to report an incident. Knowledge tests can assess this aspect.

✅ 3. Behavioural Determinants:

Identify the factors that influence cybersafe behaviour, including obstacles and strengths. Employee questionnaires and/or user experience tests can evaluate these determinants.

Measuring these elements offers several advantages. First, it reduces the risk of overlooking critical areas. Our data show that the most significant vulnerabilities often differ from those identified by security professionals. For example, a company may assume that passwordless login eliminates password-related issues, while employees still use dozens of unsecured work-related accounts and apps. Second, human attention and motivation are limited: unnecessary information and annoying tasks reduce engagement. Focusing on the behaviours, knowledge and behavioural determinants that truly matter prevents overburdening employees and maintains motivation. Third, measurement lets us track whether an intervention is effective and adjust it where necessary.
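As an added illustration of the measurement step (this is example code, not Northwave's tooling, and the event records are constructed), the script below aggregates phishing-simulation and incident-reporting records into per-team behaviour metrics: click rate, report rate and median time-to-report. It also carries the e-learning completion rate alongside them so the two can be compared, and it diffs two measurement rounds so the effect of an intervention can be checked rather than assumed. Team names, thresholds and the "Q1"/"Q2" round labels are assumptions.

```python
"""Aggregate constructed phishing-simulation / incident-report events into
per-team behaviour metrics and compare two measurement rounds.

Example code added for illustration; the events below are constructed, not
real data. Team names, round labels and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SimEvent:
    round: str                  # measurement round, e.g. "Q1" (before) / "Q2" (after)
    team: str
    user: str
    completed_elearning: bool   # the "traditional" metric: did the user finish training?
    clicked: bool               # did the user click the simulated phishing link?
    reported: bool              # did the user report the mail to the reporting channel?
    report_delay_min: Optional[int]  # minutes from delivery to report; None if not reported


# Constructed sample data: one simulation per user per round.
# Finance gets an intervention between Q1 and Q2 (reporting button + manager
# endorsement); Engineering does not. Engineering has 100% e-learning completion
# in Q1 yet nobody reports, which is exactly why completion rate is a poor proxy.
EVENTS: List[SimEvent] = [
    SimEvent("Q1", "finance", "alice", True,  True,  False, None),
    SimEvent("Q1", "finance", "bob",   False, True,  True,  45),
    SimEvent("Q1", "finance", "carol", True,  False, False, None),
    SimEvent("Q1", "finance", "dave",  False, False, True,  120),
    SimEvent("Q1", "eng",     "erin",  True,  False, False, None),
    SimEvent("Q1", "eng",     "frank", True,  False, False, None),
    SimEvent("Q1", "eng",     "grace", True,  True,  False, None),
    SimEvent("Q2", "finance", "alice", True,  False, True,  10),
    SimEvent("Q2", "finance", "bob",   True,  False, True,  5),
    SimEvent("Q2", "finance", "carol", True,  True,  True,  30),
    SimEvent("Q2", "finance", "dave",  False, False, False, None),
    SimEvent("Q2", "eng",     "erin",  True,  False, True,  20),
    SimEvent("Q2", "eng",     "frank", True,  False, False, None),
    SimEvent("Q2", "eng",     "grace", True,  False, False, None),
]

Metrics = Dict[str, Optional[float]]


def team_metrics(events: List[SimEvent], round_name: str) -> Dict[str, Metrics]:
    """Per-team behaviour metrics for one measurement round."""
    by_team: Dict[str, List[SimEvent]] = defaultdict(list)
    for e in events:
        if e.round == round_name:
            by_team[e.team].append(e)

    result: Dict[str, Metrics] = {}
    for team, evs in by_team.items():
        n = len(evs)
        delays = [e.report_delay_min for e in evs if e.reported and e.report_delay_min is not None]
        result[team] = {
            "n": n,
            "completion_rate": sum(e.completed_elearning for e in evs) / n,
            "click_rate": sum(e.clicked for e in evs) / n,
            "report_rate": sum(e.reported for e in evs) / n,
            # Time-to-report matters: a report after 2 hours still helps the SOC,
            # but one after 5 minutes lets them contain the campaign early.
            "median_report_min": median(delays) if delays else None,
        }
    return result


def flag_teams(metrics: Dict[str, Metrics], max_click: float = 0.3,
               min_report: float = 0.5) -> List[str]:
    """Teams whose click or report rate breaches the (assumed) thresholds."""
    flagged = [team for team, m in metrics.items()
               if m["click_rate"] > max_click or m["report_rate"] < min_report]
    return sorted(flagged)


def compare_rounds(events: List[SimEvent], before: str, after: str
                   ) -> Dict[str, Dict[str, Tuple[Optional[float], Optional[float]]]]:
    """(before, after) value for every metric of every team present in both rounds."""
    m_before, m_after = team_metrics(events, before), team_metrics(events, after)
    return {
        team: {k: (m_before[team][k], m_after[team][k]) for k in m_before[team]}
        for team in m_before if team in m_after
    }


if __name__ == "__main__":
    for rnd in ("Q1", "Q2"):
        print(rnd, team_metrics(EVENTS, rnd), "flagged:", flag_teams(team_metrics(EVENTS, rnd)))
    print("delta:", compare_rounds(EVENTS, "Q1", "Q2"))
```

In the constructed data, Engineering scores 100% on e-learning completion in Q1 while its report rate is 0%, so a completion-based dashboard would never flag it; the behaviour metrics do. The Q1-to-Q2 diff for Finance shows the report rate rising and median time-to-report falling after the intervention, which is the kind of evidence the Check step of the cycle needs.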

Selecting effective interventions and creating a positive culture

Effective human risk management requires a holistic approach that targets three aspects crucial to moving from awareness to culture: leadership, landscape and learning.


Leadership

To build a positive cybersecurity culture, it is crucial to engage all levels of leadership in your organisation. Their involvement and sense of ownership of cybersecurity can drive behaviour change interventions, whereas a passive stance that leaves everything to the CISO guarantees that behavioural security maturity will remain low.

Leaders influence the behaviour of your employees in several ways. First, leaders shape working conditions. If time constraints exist, employees may neglect e-learning, updates or password management; leaders who give these activities priority ensure participation. Second, leaders lead by example. Even a single PowerPoint slide during a team meeting can set the tone. Third, leaders shape the organisation's social norms, which determine how colleagues interact and respond to security threats. For instance, if reporting a potential data leak is met with encouragement rather than punishment, reporting becomes more likely. Involving leaders therefore accelerates behavioural change rather than letting them become a bottleneck.


Landscape

When improving cybersecurity behaviours, we often focus on education-based methods such as awareness sessions and training. Yet it is vital to consider the landscape in which such behaviours occur: the physical, digital and business environment in which your employees function. People naturally follow 'elephant paths', the easiest road to their goal. To encourage desired behaviour, we should make sure the landscape makes that behaviour easy and the undesired behaviour hard.

For example, think of a door that needs closing. An “awareness only” approach would involve telling your employees it is important to close it. An approach including landscape could involve installing a door closer to automate the process. Similarly, we should take the landscape surrounding cybersecurity into account. Think for instance about clear communication rather than lengthy e-mails, accessible and readable policies rather than hidden away intranet pages, and user-friendly tools such as password managers rather than awareness around safe passwords alone.


Learning

To educate your workforce effectively, enable learning by providing essential knowledge, such as the incident reporting procedure, and encourage regular practice so that habits form. Recognise that people learn differently, so use various channels and personalised approaches such as videos or brief reminder e-mails. Next-generation platforms such as SoSafe already offer functionality that fits a holistic approach like ours. Clear behavioural goals and consistent communication are essential to improve learning.

It may seem overwhelming, but…

You should embrace Human Risk Management sooner rather than later. Threat actors actively exploit human vulnerabilities, so you need to move beyond security awareness and training. Embrace measurement, and focus on leadership, landscape and learning to manage human risk effectively.


You can initiate your efforts to address the human protection layer of your organisation:

  1. Begin with a behavioural assessment. Identify areas to improve, avoiding assumptions about knowledge and behaviours. You can begin by creating a questionnaire to ask employees about their experiences with cybersecurity within the organisation.
  2. Use evidence-based methods to improve the cybersafe behaviours in your employees. Do not use e-learning alone, but also try to improve the landscape. You can begin by identifying quick wins in removing obstacles for cybersafe behaviour through a user experience test, observing employees’ interactions with your policies, such as when reporting an incident.
  3. To foster a cyber safe culture, involve your leaders in promoting cybersecurity as a shared responsibility. You can begin by equipping them with ready-made PowerPoint slides to address cyber behaviour topics.
  4. Seek guidance. Feel free to reach out to us for a discussion about where your organisation may start to grow towards effective Human Risk Management.
