On Thursday 5th March I was delighted to deliver the opening talk for CyNam 20.1: The Human Element in Cyber Technology at the Cheltenham Racecourse. At Cygenta we are obviously massively passionate about positively empowering individuals to embrace cyber security and therefore I couldn’t not put my hat in the ring to deliver a talk!
During this talk I discussed:
- a shift from promoting a human firewall to a more empowered human sensor network
- how organisations can measure the development of human sensors
- how this ties into social proof
- how to grow a human sensor network across an organisation
A lot to fit into 10 minutes, but I do love a challenge! Below is a brief outline of what I covered.
The concept of the human firewall within security awareness has traditionally been about prevention. We know that this is not the most effective way to engage individuals. Firstly, when it comes to cyber attacks, you can’t prevent every incident, this is a totally unrealistic ask on individuals. It also doesn’t prepare people for what do when something goes wrong and there is an incident. In their minds, they were told to prevent and they’ve failed, not very empowering if you ask us! Finally, focusing solely on prevention doesn’t give organisations any opportunity to learn about the risks they’re facing. Which departments are most at risk, what attacks are they seeing, who is the most vulnerable?
This is why we’re promoting human sensors. The concept of human sensors suggests that individuals know how to detect and respond to incidents. They understand the indicators of compromise and feel empowered to approach the correct individuals or platforms to report incidents. This ultimately minimises the fear, uncertainty and doubt (FUD) they may have when they think an incident has occurred. Ultimately, the sooner an organisation has detected that an incident has occurred, or nearly occurred, the more likely we are to mitigate the damage and communicate advice to other individuals.
Previously we have been unable to measure whether a human firewall exists within our organisations. We can, however, measure the number of human sensors, this is a really positive metric we can report on and celebrate! Phishing is the perfect tool for testing and reinforcing human sensors. Here, instead of reporting on the number of people who clicked on the link, we’re reporting on the number of people who reported the phish. The key here is to then celebrate them. This is the behaviour you want to see individuals doing!
This ties in really nicely to the phenomenon of social proof, whereby people mimic the behaviours around them when they don’t know what to do. By positively recognising good behaviours you’re able to draw on social proof and encourage people to mimic the behaviours that you want to reinforce.
This doesn’t happen overnight, but if you’re looking to grow a human sensor network across an organisation a security champions programme can certainly help. Security champions (sometimes going by other names like ambassadors) are people who are not part of the security team but represent each department in your organisation. These are people who are already your human sensors and who are really passionate about helping to change the security culture in an organisation. Security champions give invaluable scalability, engagement and information to you. They help to ensure that the correct security messages are delivered and ensure that information on what has worked and not worked is fed back. For more on our approach to security champions, check out this blog post including a talk that Jess gave on the subject at Bsides London 2019.
As you can tell, at Cygenta our approach is all about positive messaging. We help our clients to build a confident and empowered culture when it comes to cyber security. This shift to a positive human sensor network can dramatically improve your response and resilience capabilities.
If you’d like to find out more or have any questions, please get in touch.