Recently, LastPass, a cybersecurity company that sells password management software, suffered a cyber-attack that compromised the security of over 30 million individuals. Before that, it was the messaging giant Twilio, whose breach put over 75 million users’ data at risk. DoorDash, the food delivery service, was also a victim of a recent breach that exposed the personal information of its 4.9 million customers. The source of these incidents all have one thing in common: avoidable human action.
In 2022, almost $2 billion was spent on cyber-awareness training with the goal of greatly reducing the number of breaches that rely on a human factor, also known as accidental insiders.
Yet, according to Verizon’s 2022 Data Breach Security Report, 82% of successful cyber-attacks continue to involve a human element. Now, generic, one-size-fits-all security awareness training programs are under fire with more companies looking at behavioral-based training to develop a more resilient and security-aware culture.
“Most awareness training options available today were developed about ten years ago with a focus on compliance,” explained Doug Glair, Director of Cybersecurity at ISG. “They just don’t get to the root of the problem. We need to be concentrating on shifting the way people behave and that starts with changing the culture.”
At the heart of the issue is that the cybersecurity industry has long been focused on technology to solve its challenges, but the tide is turning.
“Until a few years ago, the fear of cybersecurity was addressed by backing up a dump truck full of cash to buy the latest and greatest technology,” added Glair.
Despite increased spending, the number of breaches and the cost associated with them continues to grow. According to the FBI’s latest Internet Crime Report, cyber-related complaints have increased by more than 180% over the last five years, resulting in $18.7 billion in losses.
“While funding is still needed, what we know now is that technology is only part of the solution, you also need resilient processes and a cybersecurity awareness culture,” said Glair. “CISOs and cyber executives need to be looking to redirect some of their spend to awareness training programs that can provide an ROI.”
Given 82% of successful cybersecurity attacks involved the human element, it is a 100% statistical probability that every employee will eventually face some form of threat and will need to not only properly identify it but know how to best act upon it.
Missy Lawrence, a Principal Consultant with ISG who focuses on applying neuroscience to technology challenges, sees psychology as the key to unlocking the potential of cyber awareness training. She believes that people have to be seen as part of the solution and not part of the problem.
“You can’t change cultures until you change behaviors and you can’t change behaviors unless you understand how people think,” said Lawrence.
Lawrence says it’s natural for technologists to focus on their domain competency and to view human psychology as an afterthought. However, that oversight allows cyber-criminals to thrive because they use the dynamics of human behavior to their advantage.
“Cybersecurity professionals don’t know what makes the average person susceptible to cyber-threats,” said Lawrence. “Cyber-criminals hope to reach people when they are stressed or emotional because it clouds their judgment.”
This phenomenon, which Lawrence describes as an “amygdala hijack,” explains why phishing is such a successful attack vector. The amygdala is the part of the human brain responsible for the “flight or fight” response and makes people react to events without thinking them through.
“Imagine that your brain is like a fist, where your fingers cover your thumb,” explained Lawrence. “The amygdala is the thumb and you can’t move it. However, if you’re juggling multiple tasks or dealing with strong emotions, it’s the equivalent of lifting a finger or two. When all the fingers are up, the amygdala is free to operate and that’s when we make poor decisions that can lead to security breaches.”
Social engineering tactics work because they use personalized content to target specific personality profiles, similar to how Netflix or YouTube tailor suggestions based on viewers’ past behaviors and preferences.
“Successful cyber-criminals present content that speaks in a voice and using a style that resonates with a victim’s personality,” said Dr James Norrie, CEO of cyberconIQ, a firm that provides behavior-based cybersecurity training. “We’re interested in what triggers someone to be vulnerable in the moment.”
By understanding individual behavioral traits, companies can provide personalized training that helps employees understand themselves and allows them to react better in situations that could cause a breach.
“Every style is vulnerable,” said Norrie. “We use a personalized curriculum to help people understand how they can become vulnerable and teach them how to protect themselves and their company.”
This personalized approach has generated significant success, even in sophisticated business environments. Before ISG began implementing behavioral-based cyber-training programs for its clients, they decided to run themselves through the training first.
“We are a very technology-savvy company and we still saw a 40% reduction in vulnerable behavior after taking the personalized, personality-based training,” said Glair. “So even for us, we were able to see an ROI.”
According to Glair, a company will never be able to train every person to spot every threat. That comes down to the sheer volume of novel threats being created. In fact, in the first half of 2022, SonicWall detected 270,228 never-before-seen malware variants. That’s an average of 1,500 new variants per day.
However, new personalized training which combines machine learning and behavioral science can teach people to see patterns or architecture that are commonly part of a threat. Just as important, it changes the way people respond to a threat.
“I call it cyber-intuition,” said Lawrence. “It needs to be second nature, just like our instincts. It requires humans to know themselves and understand their threat styles.”
Glair and Lawrence say that companies are likely to continue to see breaches caused by human errors escalate in number and cost until executives view cybersecurity as a business problem, not just an IT problem. They have concluded that by making investments in behavioral-based cybersecurity training, companies are more likely to build a security aware and ready culture. Thus, creating a tipping point for progress in the battle against security breaches.