business man and woman SANS

A key requirement to a mature security awareness program is identifying your top human risks and focus on just those risks.  Far too often organizations randomly pick their topics based on the latest attacks they see in the news or attempt to eliminate all human risk by covering a myriad of topics.  As a result, employees are bombarded with numerous, haphazard behaviors they must follow, resulting in what is known as cognitive overload.  In other words, you dump so much on them they simply forget it all.  The key to changing behavior is focusing on as few behaviors as possible.  To effectively do that, you have to understand and prioritize your top human risks.

Several years ago I did a blog post on the top 7 human risks. My goal was to help organizations understand the need for and prioritize their awareness efforts. I'm updating that blog, but this year I'm focusing on what I consider to be just the top three human risks.  I'm finding more and more organizations are struggling with limited time and resources.  To be successful, many organizations need to be realistic of their limitations and focus on the fewest behaviors possible that have the greatest impact. I'm basing these top risks on what I'm seeing from over 1,000 customers and the most recent Verizon DBIR.  These three risks are where you most likely want to start.

  • Phishing: No surprise here.  Bad guys are human, which means they will take the path of least resistance.  As long as phishing works cyber attackers will continue to leverage this method.  I'm also including in this category attacks such as spear phishing and CEO Fraud.  The behaviors we need to develop are making sure people know the indicators of a phishing attack, what to do when they detect such an attack, how to report such an attack AND feel comfortable reporting said attack.  Security teams often forget the last two.  Remember, we are not only developing the Human Firewall but the Human Sensor, which is critical especially for attacks such as spear phishing or CEO Fraud where most technical controls fail.
  • Passwords:  Security professionals often think password complexity is the key challenge when it comes to passwords, it's not.  The problem is how people USE their passwords.  In other words, we need to make sure employees are not sharing passwords with their coworkers, that they use a unique passwords for each account, that their computers are not infected with keystroke loggers, and so on.  As the Verizon DBIR repeatedly found, the holy grail to solving the password challenge is two-step verification.  Many organizations I'm working with are finding this is actually easier with the younger generation as millennials are often already using it for their Gmail or other personal accounts. Oh, and please, please, please do NOT have your employees change their passwords every 90 days unless you really have a good reason.  Remember, every behavior has a cost and resetting passwords is a big one.  Ultimately, our goal should be to make passwords as simple as possible employees.  That is why I am such a huge fan of passphrases and password managers.   To learn why we need to make security easier, especially passwords, check out the BJ Fogg Behavior Model.
  • Accidental:  For some reason security professionals mainly view human risk through the lens of deliberate attacks.  Remember, we are managing human risk here, not just the threat of cyber attackers.  For me the two biggest examples of accidental are lost devices (Verizon DBIR reported you are 100 times more likely to loose a device then have it stolen) and email auto-complete (you know, you meant to email work documents to Bob in accounting, but accidentally sent them to Bob, your kid's soccer coach).  Some key behaviors here are whenever you are traveling be sure to check you always have your mobile device (such as when leaving a taxi or train, or what I call the butt check), make sure your mobile device has a passcode, and always double check the TO section of an email before sending it.  These three very simple behaviors can have a dramatic impact at helping you manage your organization's human risk.

Obviously every organization is different, and so to may be your top risks.  The key takeaway here is for a truly mature awareness program you need to understand and know your top risks and focus on as few as possible.

To learn more about how your organization can identify and manage it's top human risks, check out these upcoming webcasts, summits and two-day courses.