The Game of Managing Human Risk

 

Does 'risk management' or 'knowledge transfer' best describe your security awareness program? At the end of the day, it's more than just what people know, it's what they do that matters.

In this live stream for the Security Awareness Community Alexandra Panaretos, CSAP, SSAP joins us to share her years of experience leading human-based cyber risk and education for enterprise organizations to help us understand better what managing risk looks like and how it supports security awareness with practical hands-on applications.

Alexandra has worked in the human cyber risk space for the last 13 years and has successfully implemented executive personal security, operational security planning, insider threat and incident response programs, and security awareness, communication, and education strategies for Fortune 50/100 companies and other global enterprises. She holds an OPSEC Manager II certification from the U.S. Army and the Joint Information Operations Warfare Center (JIOWC).

Security Awareness Programs vs Managing Human Risk

The underlying theme to the conversation was helping organizations shift their mindset from security awareness being a vehicle for knowledge transfer - though education indeed is a critical component - to managing human risk as part and parcel of everyday operations.

"Awareness was misnamed from the start and there's always been a lot of confusion, a lot of misconceptions about what security awareness is. Security awareness as a whole was intended to make people aware of the threats and the risks that they face living and working in a digital world.

What it has become and is evolving from was more of a compliance-driven exercise where we had the annual training, we have the phishing assessments and it seems to have been mostly based on knowledge transfer...When you look at people process technology, people of that triad have been ignored for many many years.

So managing human risk isn't necessarily looking at what people know but looking at what people do because there is often a disconnect.

When you take what people do along with the processes, the technology, the tooling that are involved in an organization, it's looking at where in a process, where in a situation, is a risk of compromise or a threat most present? Where is that moment where things can be fine or go very wrong - and address that risk. Is it something that is controlled solely by what someone does or does not do? And that's where awareness is shifting to...it's not so much pushing knowledge at people but streamlining human behavior instead of fighting against that tide."


Alex emphasized that to manage human risk, you're putting on new lenses, so to speak, to observe where in a process can you remove that element of choice to take the risk out of the equation.

What Does Managing Human Risk Look Like?

Alex shared an excellent illustration from her work with a client whose accounts payable department was experiencing a lot of fraudulent activity. This was in spite of having excellent training around a callback procedure as a main control and staff indicated an understanding of the procedures.

Upon taking the time to sit with the team through their regular day it was noticed as they recived their change notification, they'd move the queue to the screen and move on to the next. When questioned as to when they did the callback procedure during the process that was when the point of highest risk was identified - employees simply being on autopilot and moving through their lists. 

Alex's team worked with the software provider of the tool they were utilizing to create an additional pop-up whenever critical account or routing fields were clicked which then prompted the employee to confirm they had made vocal contact with the account owner. After that prompt then they had to complete the details of the callback before they could continue on with the rest of their procedure.

By identifying the moment where the risk was most present and inserting a prompt to direct certain behavior the company was able to stop a significant number of fraudulent attempts and greatly improved security for that department.

How To Start Managing Risk?

Know your organization - As with any solid endeavor in cybersecurity, before you get started you need to have a good understanding of the business you are working with. 

Do you understand how your business works?

How many people do you have?

Are they all working on a particular schedule?

Are there multiple shifts?

Are there different job rules?

Are you geographically dispersed?

Do you know when the busy season is?

Do you know if there's a particular time of day that is very chaotic?

Alex encourages professionals to really get to understand their organization. Also, she recommends to find the "risk person" - they may sit in legal, or perhaps in audit or another department within the organization but somewhere is an individual(s) familiar with business risks for the organization.

Ask them what the largest risks and threats are facing the business and then look at that list and look at how many correlate to people's behavior and determine what/where could someone have a significant impact. 

Once that is mapped out, speak to your security team and ask them a similar question "what are we seeing as far as threats and risks that are facing our organization?" And outside of phishing - which will always be a given - gather the insights they provide and see what else is presenting itself as an issue. 

The insights from these two perspectives will enable you to begin to look critically at operations involved in those 'hot spots' and customize solutions for each.

Understand the business. And that is a disconnect. Where a lot of security teams struggle is they think they know what's important to the business. They think they know how the business actually operates. When in reality, when we start doing tool rationalization or we start looking at network activity, all of a sudden we find something, some piece of software or some activity we didn't know about.

 

Evaluate Communication Channels  - Consider the different venues for getting messaging out - is it through email? newsletters? Is it all virtual or hybrid? Are there physical signage opportunities? Is the work area a secure environment? Can visual elements be incorporated into messaging?

Understanding the variety of messaging opportunities will help as you work to craft the most effective channels for your needs. 

Virtual users - Consider how to get their attention over the rest of all of the other distractions that are happening at home or wherever they may be working

In Office staff - Consider the real estate within the building is to put messaging that is not expected. One excellent idea Alex shared was for one particular workplace they used giant floor decals with graphics because it was unexpected and was at key entry/exit points and every quarter the messaging was switched out. 

In another context, a simple but effective solution was utilizing a sign with giant red text beside the exit with "Did you log out of the machine you logged into today?" - the effect was several people daily double-backed to ensure they had followed that procedure. 

You have to meet people where they are and realize it's not necessarily making people know more, but rather working with the behaviors that are present and the behaviors that need to happen to minimize the impacts of those threats and risks.

Also, pay attention to the nuance of language - the smallest change can have a huge impact.

Alex illustrated the point with an instance where one company exchanged one word on a poster encouraging people to report phishing that originally read, "If you see suspicious activity, report it at [email]" to instead use the word 'notify'...."If you see suspicious activity, notify us at [email]". The SOC noticed a substantial uptick in reporting after that shift in language - so it's important to remember the power of language and connotations behind different words. 'Report' felt too heavy while notifying carried a more positive tone.

Walk the Floor - Talk to People! - Alexandra encourages those getting started to not be afraid to reach out to people in different roles if they're unsure who to speak to. "If you don't have a great relationship with a lot of the middle managers in various different areas, talk with someone in HR and say, 'this is who I need to talk to and this is the plan that I have. Who would you recommend that I speak with?' And it might be an employee relations person; it might be that you go into the factory each shift and just see how people work if that's where you're at. And then from there look to see how to reach the people where they are

And most importantly, listen. Creating an open line of communication with the various business units is critical, especially when it comes to frustrations they may have in particular processes. This opens up the opportunity to find a joint solution if possible, and when regulations make a simple solution less accessible, greater understanding about the issue and restrictions being mandated can also be given, "you can't assume what the other side of the coin is looking for"

How Can We Measure Our Success in Managing Risk?

There are many ways to demonstrate success in the areas of managing human risk that may not be readily obvious at first in our data-driven world. Alexandra encourages human risk professionals to consider engagement as a metric.

"Engagement is a great thing to look at - are people being proactive and reaching out to the security teams before bringing on a new vendor? If a particular process doesn't exist at your organization are the staff asking you to teach them more about this particular topic?

Around the holidays, we had one client who started noticing kind of an uptick in their Q&A mailbox about how to secure devices for their children. So the security team did a webinar on all of the privacy settings you don't realize you need to check. It was one of the most well-attended because they listened to what people were asking for.

All of these engagements, Alexandra notes, are key indicators of success and a positive shift in the organization's security culture as a whole.

Security Culture = Permission to Ask

Speaking of culture, it's a tricky term to nail down. But how Alex likes to present it to both leadership and security teams is in a form of a question - "Does your organization give people permission to ask the question?

Meaning, are people allowed to say, 'I may have done this incorrectly, could you verify, tell me the right way to do this?'

Overwhelmingly, when Alexandra asks organizations how they feel about their security team, almost without fail it's one of insecurity and feeling belittled. She stresses to security teams the importance of being mindful of their employee's perceptions and to work to change that feeling to one of support and acceptance - that no question is 'too dumb'.

"You have to be mindful that this is not everyone's first language as to how to live and operate in a digital world...You're not going to get people coming to you proactively to look for solutions, to let you know about problems if they are fearful of what's going to happen to them for doing so."

It's critical to create a two-way channel for communication and ensure that the feedback that flows from employees to the security team are being followed up on and truly heard as she notes, "People will tell you exactly what they think, what they found value in...and so many times we as security professionals struggle with getting out of our own way."

How To Talk With The Board/Leadership About Human Risk

"One of my favorite 'win' themes for talking with leadership of any level is 'we can't protect against what we don't know and we don't know if the conversations aren't happening'. So there again, it's showing. And a lot of these are metrics you can pull right now:

How many business units, how many hits to our mailbox?

What have those numbers looked like for the last six months?

What is the intranet page to the security team? How many hits are we getting?

Look at help desk tickets, the triage - What are people calling in about? What are we seeing repetitive needs for? Is it people forgetting passwords? Is it people getting locked out?

Whatever it is, look at that trending data and that point in time - then start your outreach."

Additionally, she emphasizes when getting started, "Do not start with training. This is one of those 'perception is reality' for your business audience. Do not start this with training. Start it with a conversation.

We know that now we are living in a digital world - 50% of our lives or more lives in our pockets. That is very hard. It's very hard for people to draw a tangible association to threats and risks on a device when they don't see what's happening after a click when they don't feel a primal instinct of something is wrong. So start with the outreach of what would you like to know. What do you have questions about? We're here to help. And it's not always about policy. It's not always about the process.

A lot of great positive momentum quickly is just making themselves available, making the department as a whole approachable for a lot of the world.

You're just building that relationship so then you can learn what people are asking about, learn what different risks or threats might be out there that you aren't aware of until you talk.

And then you take that and you take it back to your board and say, here are the conversations we've had over the last six months, and these are the themes that have emerged, these are the risks, the threats, the tooling that we need to have for this type of impact.

Tell your story. The who, the what, the where, the when, the why, the how.

If you can tell a story around what you're doing, leadership will buy in, but they need to understand the context of it." 

Alex's Points To Remember

Training does have its place, but that should not be the backbone of your program. That should be a supporting element. Communication and outreach is where [managing] human risk thrives.

Language choice matters. Make it count and change it up.

Please use humor, obviously.

Know your audience, do your own research, know culturally what is appropriate both from a worldview as well as corporate culture.

---

More Resources on Risk Management

Connect and learn more from Alexandra on Managing Human Risk

What is Risk Management: Back to the Basics

Security Awareness Done Right

Security Awareness Training Highlights PDF