From Awareness to Action: Evolving Security Through Human Risk Management

By Nick Kelly, Senior Security Solutions Architect

For years, risk management strategies have often focused on user behavior as a key factor in organizational security. However, this perspective can be oversimplified. Users are simply not all the same, and their training can’t be one size fits all.

How does your organization and your security team gather user thoughts and engagement? Are your users passionate about security in the organization? Do they understand it? Do they know their role in increasing or decreasing risk?

Engaging users, learning about and from them, and translating that knowledge of their mindset and behaviors provides context for the development of your security practice. This is not just security awareness training; it's Human Risk Management (HRM).

Beyond Security Awareness Training

Security awareness training (SAT) can be seen as valuable by an organization and its users. Yet it is often seen as mandatory, bland, and irrelevant to many of them. SAT that takes a one-size-fits-all approach may not resonate. Users may feel compelled to check the box if completion is the only metric of success. Completion rates alone don't tell the whole story. Are users taking the training simply to get it done, or are they interested in making the organization safer and more secure?

HRM should be both relevant and engaging. The content should be customized to fit the user’s role, and to educate them on threats and risks they may encounter. By taking a modular approach, training can be provided in learning paths. Give your users the tools and knowledge to become security champions.

Success Beyond Just Pass/Fail

Traditional SAT is viewed as a task. The organization may have compliance obligations to deliver training to users, but that doesn't mean the material is interesting or compelling. The users simply must get it done. As a result, many organizations deliver annual training with minimal or no updates. Users feel they are being shown more of the same old videos and quizzes.

Users are human beings, and providing dated or irrelevant content doesn't motivate people. It can reinforce the negative stigma of failure. The reward for completing a training or passing a quiz is often far smaller than the consequence of failing. Users who fail a quiz or don't complete training are often enrolled in additional training. The result is more work, lower productivity, and less motivation. Consequently, users may be less likely to participate in any related activity.

These users can’t be ignored. Instead, customized content that is engaging and impactful can be developed to help high-risk users. A combination of simulations, modules, and nudges toward secure behavior can be used to prevent mistakes before they happen.

Nudges and ongoing, customized content are excellent methods of keeping security top of mind for users. Reminders for simple things like locking a desktop or using a password manager can help reduce the overall risk and exposure of an organization.

Security is not a blip on the radar or a single day on the calendar. It needs to be built into your users’ mindset and behaviors.

Measuring Culture Change

Training completion is an important metric, but it does not tell the whole story. The goal is to educate and empower users. Using campaigns, phishing simulations, and nudges, users can train, test, and triumph over threats.

How can you measure culture change around security in your organization? Risk scorecards and feedback provide information on several factors. These include security's impact on productivity, users' willingness to communicate with security teams, their willingness to report a phishing or social engineering attack, and their confidence in their ability to work securely.

One useful approach to improve the users’ experience is to gamify the training. Provide positive feedback and scores for training completion. Offer voluntary trainings to users who want to increase their security knowledge and change their behavior. Measure their engagement, knowledge, and confidence. Host a leaderboard for top learners or challenges between departments.

Read their comments and understand why users were successful or unsuccessful in training participation. Reviewing this feedback helps you craft and deliver personalized learning paths through engaging, conversational training experiences.

Security Starts with People

Customized, impactful, and engaging training can be a powerful tool to help your users recognize, react, and respond to risk. Security stays top of mind, embedded into the fabric of every business decision, consistently and proactively. These changes can reshape your organizational culture, activating your users as human firewalls. They transform from your biggest risk into your strongest defense.

Learn more and schedule a demo at https://www.aspiretransforms.com/aspire-cyber-iq/