Providing Critical Data-Driven Insights and Actionable Steps for Security Professionals
July 24, 2023 - As artificial intelligence (AI) amplifies the sophistication and reach of phishing, vishing, and smishing attacks, understanding and managing human cyber risks has become increasingly vital. Addressing this, SANS Institute, the global leader in cybersecurity training, is proud to announce the release of the SANS 2023 Security Awareness Report®, 'Managing Human Risk.' Rooted in the experiences of nearly 2,000 participants from 80 countries, the report underscores the escalating stakes in human cyber risks, particularly at a time when 20% of organizations worldwide reported security incidents involving remote workers in the past year.
"The digital world is expanding rapidly, and with it, the human element of cybersecurity becomes ever more important as it evolves as a primary target for cyber threats globally," says Lance Spitzner, SANS Security Awareness Director and co-author of the report. "The report serves as a compass, guiding organizations not just to understand but proactively manage human cyber risks. By unifying data from thousands of participants globally, we've uncovered patterns and practical approaches that can empower organizations to transform their human risk landscapes."
The report provides an in-depth analysis and actionable steps for security professionals to mature their awareness programs, advance their careers, and benchmark their programs globally using the Security Awareness Maturity Model®. Notably, the study found that mature security programs, marked by robust teams and leadership support, are characterized by having at least three full-time employees in their Security Awareness Teams.
Top Human Risks: The primary threats include Phishing/Vishing/Smishing attacks; Password/Authentication risks mitigated by advanced tools; the challenge of fostering a security culture for effective Detection/Reporting; and the risk of IT Admin Misconfigurations, especially in complex cloud environments.
Leadership Perspective: As in previous years, security awareness remains predominantly considered a part-time commitment within organizations. A noteworthy 70% of security awareness practitioners disclosed that they dedicate half or less of their working time to it this year. This insight underscores the ongoing challenge of elevating the importance of continuous cybersecurity awareness in the day-to-day operations of organizations.
Compensation: For the first time, our data reveals that professionals specializing in human risk management earn up to 5% more than their peers in broader security roles. This underlines the increasing demand and value for these skill sets in the industry.
Key Action Items to Increase Program Success:
Talk in Terms of Risk: Leadership and Security Teams often perceive security awareness as not part of security, but rather as a compliance effort that has little relevance to managing risk. To help change such perceptions, focus on and speak in terms of human risk management. Human risk is far more likely to align with most organizations' strategic security priorities, gain leadership buy-in, and resonate with a Security Team. Help your Security Team members understand how you help them, and work with them to identify the top human risks and the key behaviors that manage those risks. Demonstrate how effective communications, training, and engagement is changing those key behaviors and reducing human risk. Partner with Security Operations Center, Incident Response and Cyber Threat Intelligence Teams not only to learn their work but also to show them how you can help solve their human-risk-related challenges.
Leadership Support: Dedicate two to four hours a month to collecting metrics about the impact and value of your Security Awareness Program and communicating that value to leadership. This information can include informal metrics, established key performance indicators, and even success stories to enable leadership to better understand and regularly see the value that your program is providing.
Team Size: While technical security has been a focal point for organizations, the human side of security has often been overlooked. This imbalance leaves the workforce as an appealing target for cyberattacks. It's not uncommon to find a 50-member security team with 49 focusing on technology, leaving just one person to manage human risk. This underinvestment in human-focused security contributes to the prominence of human cyber risks. We recommend a starting point of a 10-to-1 ratio of technical to human-focused security professionals, to begin bridging this gap.
"The traditional model of yearly compliance-focused training is inadequate in today's cyber threat landscape, so we've included practical, actionable advice throughout the report," Spitzner said. "From addressing the top human risks, which according to our data, involve email phishing, to tackling the common challenge of securing adequate resources and budget, we aim to equip organizations with the necessary tools to improve their human risk management strategies and help ensure that organizations proactively invest in the personnel, resources, and tools to robustly address the human dimension of cybersecurity risks."
To read the full report and benchmark your program against industry standards, download the SANS 2023 Security Awareness Report® "Managing Human Risk" here.