A key element of managing human risk is first identifying, prioritizing, and measuring those risks. Traditionally, measuring risk has focused on technical risk, such as vulnerability scans or penetration tests of operating systems, applications, and networks. However, we now need the same ability to measure vulnerabilities in people and culture. Unfortunately, we cannot simply fire up a vulnerability scanner. Instead, we need to interact with people and measure things like their knowledge, attitudes, and beliefs about key security behaviors and company policies. In addition, we also need to measure more quantitative elements, like what data employees are handling, how they are handling that data, and who they are sharing it with. To do that, we use tools like knowledge assessments and surveys. Since these tools take people’s time, leadership can be resistant to such methodologies. Here are some approaches you can take to gain leadership support.
- Selling Human Risk: First and foremost, leadership needs to understand the WHY of what you are doing. It’s easier for leadership to understand and prioritize technical risk, such as vulnerabilities in operating systems and applications, as this is a challenge they have been dealing with for well over twenty years. Also, it tends to be more qualitative, visual, and easier to understand. However, it can be harder for leadership to understand the concept of Human Risk. Help your leadership better understand that cybersecurity is not just about technology but also about people. The behaviors your employees exhibit and the policies they follow, especially when handling sensitive data, are key to securing your organization. Once leadership understands why managing human risk is so important, the next step is measuring your human risk.
- Human Resources: If you will be assessing people in any way, such as surveying their attitudes towards security or determining the type of data they handle, you will most likely want to use a survey. The moment the word survey comes out of your mouth, your very next thought should be “Human Resources”. HR is expert in, and often the gatekeeper of, any type of survey sent to employees. First of all, HR departments are often responsible for tracking or measuring an organization’s overall culture, using tools such as Engagement Surveys. As such, they not only understand how these methods work, but also often have the processes, policies, and technology to support surveys. We highly suggest approaching HR first and coordinating with them on any security surveys you are considering. Ask them what types of surveys they support, whether they require certain formatting such as use of the Likert scale, how many people can be surveyed, and how long the surveys can be. Another idea would be to see if you can add your security questions to any existing survey that HR plans on rolling out, instead of rolling out your own security survey.
- Short: When it comes to assessing people, time is literally money. Yes, it would be great to ask all your employees 30-50 questions, but sometimes you are simply limited to as few as 3-5 questions. Keep any type of assessment or survey you are deploying to five minutes or less. The more time it takes for people to complete the survey, the less likely you are to get support. The key here is that when you are developing survey questions, don’t start by writing the questions. Instead, identify, document, and prioritize what it is you want to know, then let that drive the questions you will ask.
- Privacy: Often privacy can be a concern or perhaps even a blocker. In most cases, you can gain the insight you need without knowing any individual’s name. You most likely just need to track results by role, department, and/or region. We are attempting to identify human risk at the group level, not the individual level. As such, you can most likely capture all the data you need without asking for names. Instead, ask general demographic questions such as their role, the department they work for, or how long they have been at the organization.
- Statistical Sampling: Just as in most security assessments or penetration tests, there is no need to survey or assess everyone in the organization. Simply assess a small percentage of your organization, say 5% or 10%. The key here is to make sure your random sample represents the entire organization.
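One way to make a 5-10% sample actually represent the whole organization is to draw it inside each group you plan to report on (department, role, region) rather than from the organization as a whole, so no small department drops out of the sample by chance. The following is an added example, not code from the original post or from SANS; the roster and department sizes are constructed, and records carry only an anonymous id and a department label, in line with the privacy point above.

```python
import math
import random
from collections import Counter

# Constructed population: anonymous records with a department label only.
# Department sizes are made up for the example.
DEPARTMENT_SIZES = {"Engineering": 400, "Sales": 250, "Finance": 100, "HR": 50}


def build_roster(sizes=DEPARTMENT_SIZES):
    """Return an anonymous roster: one record per employee, no names."""
    labels = [dept for dept, n in sizes.items() for _ in range(n)]
    return [{"id": f"emp-{i}", "department": dept} for i, dept in enumerate(labels)]


def simple_random_sample(roster, fraction, seed=0):
    """Plain random draw of `fraction` of the whole roster (for comparison)."""
    rng = random.Random(seed)  # fixed seed so the draw can be reproduced
    return rng.sample(roster, math.ceil(len(roster) * fraction))


def stratified_sample(roster, fraction, seed=0):
    """Draw `fraction` of EACH department at random (stratified sampling).

    A plain random draw can under-represent small groups purely by chance;
    drawing inside each stratum keeps every department's share of the
    sample equal to its share of the organization.
    """
    rng = random.Random(seed)
    strata = {}
    for rec in roster:
        strata.setdefault(rec["department"], []).append(rec)
    sample = []
    for members in strata.values():
        k = max(1, math.ceil(len(members) * fraction))  # at least one per group
        sample.extend(rng.sample(members, k))
    return sample


def representativeness_gap(roster, sample):
    """Largest gap, over departments, between population share and sample share.

    0.0 means every department is represented in exactly its true proportion.
    """
    pop = Counter(r["department"] for r in roster)
    smp = Counter(r["department"] for r in sample)
    return max(abs(pop[d] / len(roster) - smp[d] / len(sample)) for d in pop)
```

Run `representativeness_gap` on both kinds of sample to see why stratifying matters: the stratified draw always reports 0.0, while the plain draw's gap varies with the seed.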
To learn more about measuring human risks, behaviors and organizational culture, consider taking the five-day SANS MGT521 Security Culture course for senior Security Leaders.