Education Instead of Training for Cyber Awareness - A Behavioral Science Approach
December 4, 2023 | Dr. James Norrie
With each passing quarter, the vulnerability of your human attack surface increases in this new AI-enabled cyber age. Attacks are not only relentless; they are now cheaper for criminals to execute at scale, and with more targeted fidelity and higher quality than ever before. These tactics powerfully exploit human vulnerabilities in an instant, now causing more than 70% of successful breaches.
Yet security awareness training (SAT) has been available for decades now. So why is this effort failing to arrest the startling efficacy of human-factors attacks today?
Because globally, employees report most security awareness training is simply awful. And so will most security professionals if you get them in an honest moment. Rote and generic, training oversimplifies a complex behavioral problem and treats humans like the problem instead of the solution! Your workforce is disengaged, dreading their annual or quarterly dose of security awareness training as akin to a root canal. Complaints mount, and pressure around a perceived loss of productivity as security awareness training is made mandatory coalesces internally into a chorus of opposition and resentment that first undermines and then actually harms your program maturity.
Until now: at cyberconIQ, our Human Defense Platform was constructed on the premise that generic security awareness training has failed. What is required to succeed now is a better regime of cybersecurity education – personalized, nuanced and proven both more engaging and more effective as a result – that treats humans with respect and then challenges them to become part of your corporate security solution. But before we get there, you need to understand our proprietary four-step model.
It begins by deploying our patented myQ assessment to identify core personality traits around risk, reward and rule-following behaviors that predictively map to the full spectrum of human factors security vulnerabilities. Just as everyone is valuable, everyone is vulnerable, just all in different ways. Based on thousands of hours of deep research and testing, we have identified and validated how to reliably measure and predict human factors security risk. And we can bring these executive- and board-level insights directly to your company.
By making human risk as measurable and controllable as technical risk is today, we strengthen security through improved compliance, building trust and confidence that the enterprise is doing everything it can to measurably identify human factors risks and then apply effective methods to reduce and control that critical risk.
Our second step specifically evaluates existing technical controls and tools against your specific enterprise risk profile to identify areas of opportunity that are both risk and cost effective. This reinforces the value of your team’s collective efforts by establishing a measurable ROI to validate your total security endeavor today, while still identifying additional investment opportunities to improve tomorrow.
Only after these first two steps are complete do we venture into the third step of remediating the security habits of your employees one style and lesson at a time. Our multi-year curriculum maps to specific vulnerabilities by style and uses distinct voicing and examples to drive higher engagement and impact.
These proprietary educational methods instill “mindfulness” rather than simple awareness, which demonstrably improves employees’ security judgement. Our platform automatically ladders up and layers on more sophistication over time, gradually improving the reliability of these new habits and bolstering resilience against new attack methods. Our goal for you is a sustainable, ever more continuously effective security-first culture everywhere.
Our last step extends this growing online trust into your downline supply chain to include vendors, partners, suppliers and customers. Our platform offers a range of unique third-party risk assessment methods meeting or exceeding most current global and/or national security standards. As regulators increasingly demand that you extend your tactical edge to the further point of use versus control to reduce third-party risk, how can you do this effectively at scale? As a client of our Human Defense Platform, you are eligible to extend its educational power beyond your perimeter to address this important risk element by confidently ensuring your suppliers and vendors also educate their own employees in the same effective way that you do, to mitigate your combined risk profiles and reduce the total human attack surface.
This strategic human factor security alignment goes well beyond training into establishing a joint program of risk education, mitigation and control that is monitored, supervised and reported on internally to executives and the board. Welcome to the new age of comprehensive management of human risk factors.
So, there you have it: four great ways to approach cybersecurity as an education challenge rather than a training solution. If we have piqued your interest and you want to learn more, please either visit our website to access a sample of our industry-leading platform, or email sales@cyberconIQ.com and we would be glad to get in touch and schedule a conversation with your security, compliance or risk teams to reduce your cybersecurity risk to benchmark low levels that help you stay safer online.