Human Factor Cybersecurity: A New Approach for Business
Cybersecurity isn’t just for cybersecurity professionals or people who understand code. Employees at any level can let malicious actors into a company network. Human factor cybersecurity is an approach to help every employee keep your organization secure.
See 4 Levels of Human Factor Security with Roy Zur for a complete transcript of the Easy Prey podcast episode.
Roy Zur is the founder and CEO of ThriveDX for Enterprise, a global education company for digital skills training and addressing human factor cybersecurity training. He is a fifteen-year veteran of the Israeli Defense Force, where he served as a Major, and is an adjunct professor in risk management and cybersecurity. In addition, he is the founder and chairman of the nonprofit Israeli Institute for Policy and Legislation and a member of the Forbes Business Council.
Roy started his professional career in the Israeli Cyber Intelligence Units. For ten years, he served in cybersecurity and intelligence positions. One of his main responsibilities was “reskilling” cadets into cyberintelligence operatives.
Israeli mandatory military service starts at age 18 and lasts for three years. The only people the Cyber Intelligence Units could bring in were new cadets fresh out of high school. Roy’s challenge was to take these cadets from “zero to hero” in cybersecurity as quickly as possible.
You could actually take someone with no experience, and in a matter of 3-6 months, turn them into a cybersecurity professional. – Roy Zur
It was difficult, but it was possible. Through accelerated learning concepts and bootcamps – high-level, intense, immersive training – Roy could take a new cadet from zero knowledge about cybersecurity to a cybersecurity pro in three to six months. It worked so well that this cyber unit in Israel is one of the leaders in cybersecurity globally.
Of course, part of the program’s success was that it could screen cadets. They only trained ones with the right attitude and aptitude. What they looked for wasn’t coding or hacking skills. The best candidates were quick learners and curious. They liked to investigate, ask questions, and get to the bottom of things, and could keep pursuing challenges even through tedious parts.
From Military Training to Corporate Training
Turning new recruits with no experience into cybersecurity professionals in such a short time led Roy to pursue cybersecurity training after his military career. But training in the corporate world is a much different environment than in the military. While military cadets are required to be there twenty-four hours a day, employees at a business have other responsibilities and go home at the end of the day.
One of the most important concepts for Roy to teach cybersecurity to corporations is microlearning. Microlearning is a very short, focused training that teaches one specific idea or tool and doesn’t take much time. It takes the work environment into consideration. Employees have limited time, other responsibilities, and a life outside of work. He has also learned that it’s helpful to teach different concepts to employees in different roles. An application developer needs different cybersecurity training than a marketing representative, for example.
Some people, though, prefer to take several months and immerse themselves in cybersecurity. Roy and ThriveDX offer bootcamps for people who want to do this. Many people who are unemployed, between jobs, or shifting careers prefer a full-time bootcamp. Others prefer only part-time. Either way, the programs are very successful. Doing something day after day for months changes people’s mindsets, which makes the information and tools stick.
The Biggest Misconception About Cybersecurity
Roy was recently a keynote speaker at the National Initiative of Cybersecurity Education (NICE) conference. The theme of the entire conference was “Demystifying Cybersecurity.” People think cybersecurity is complex, technical, and intimidating. They think it’s only for those who understand technology and know how to read code, not for ordinary people.
There is something around cybersecurity that people are afraid or deterred from … but cybersecurity is much more a business issue, or a human factor issue than a technological challenge. – Roy Zur
At its heart, cybersecurity is about protecting assets, networks, people, data, and secrets from people trying to steal them, change them, or spy on them. The mindset is much more business than technical. Human factor cybersecurity requires understanding the motivations and mindsets behind the attacks. Roy has seen successful cybersecurity professionals who started as veterans, law enforcement officers, and even financial analysts. The field is open to many different people.
Human Factor Cybersecurity
Cybersecurity as a field has different categories, such as network security, cloud security, and endpoint security. Each of them uses different tools to find, solve, and patch problems. At ThriveDX, human factor cybersecurity is its own category.
When you think about cybersecurity and eliminating the threat, it’s not just about these technologies. There’s also the human element. – Roy Zur
Different groups within an organization have access to company data, code, or networks, or are actually managing security. The key to identifying and solving problems isn’t in a technological system. It’s within the knowledge, skills, and capabilities of the employees who use these tools every day.
Fixing a security vulnerability in a system is called a patch. Human factor cybersecurity is about patching the human brain. When you patch a system, that’s not the end of it – it keeps needing new patches as new vulnerabilities are found and hackers try new methods. The same is true of the human brain. Part of human factor cybersecurity is “patching” the human brain with new knowledge as technology and threats change.
Human Factor Cybersecurity and Risk
The human factor is the biggest risk for the organization. You can have the best security system in the world, but it can’t protect your business from an uninformed employee letting a cybercriminal in. That’s why considering human factor cybersecurity is essential.
ThriveDX starts by dividing everyone in the organization into four main groups.
This is the biggest group. It includes anyone in the organization that has access to any system – including a company laptop, computer, or mobile device. In most modern organizations, this will be 95% or more of the workforce.
This group needs to be “patched,” or trained, on things like phishing, social engineering, and general awareness of how hackers and other malicious actors are targeting them. They also need to be trained in a way that will change behavior. Having awareness, or knowing something could happen, won’t necessarily change how people act.
Executives are not necessarily technological, but their decisions have a huge impact on the organization. Finance, risk, compliance, and supply chain executives all make decisions that affect security.
One thing I hear from executives … they are in this situation where they know cybersecurity is a huge issue, but they feel they lack the knowledge or skills to even ask the right questions. – Roy Zur
For this group, the goal is to demystify cybersecurity. They need to have the information to help support other groups. They also need to have enough understanding of cybersecurity and human factor cybersecurity to be able to ask good questions and understand what the cybersecurity team tells them.
This group consists of employees who work on the technology involved in your organization. They aren’t cybersecurity professionals, but they need to know both technology-based and human factor cybersecurity because they deal with things that impact the organization’s cybersecurity. Engineers and developers are one example: they develop the code for systems for the company or for customers, and knowing about secure code and application security is critical for them because otherwise they can leave behind cybersecurity vulnerabilities.
This is the smallest group, and one that should already have some foundational skills in code, technology, and human factor cybersecurity. But the tools and threats in the cybersecurity field are changing all the time. This group also needs training to keep their knowledge and skills updated.
Teaching the Four Groups
Each of these groups must get the necessary training, skills, and knowledge to perform their roles. But each group needs different knowledge and skills, and each group does best with different delivery methods. A developer might want to see the code, a cybersecurity professional might want hands-on skills training, and an executive might prefer a live workshop with a moderator.
In the world of education, spending more time on a subject is better. In business, less is better. The less time you spend on training, the more time employees have to do important tasks for the corporation. There is always more to learn about security and human factor cybersecurity. This is where Roy comes back to the accelerated learning idea. If you can identify and teach the few essential ideas and concepts, people can learn the rest as they go.
A Smarter Training Method
To improve cybersecurity and human factor cybersecurity training, think beyond awareness. Most organizations require three to four hours of training annually. Some do more, up to ten or twelve hours. But this training usually consists of watching an awareness video and doing a quiz. That is not effective training, for two reasons.
One reason is that you don’t know if it’s the right training for the individual. Requiring the same training for everyone is unlikely to meet the needs of any of the four different groups. The second reason is that employees aren’t emotionally involved. Nobody wants to watch videos and take quizzes. They will do it for compliance, but they won’t pay attention or change their behavior.
A smarter way to teach people is to do training that is led by a real-life event, for example a simulated phishing attack. Employees are sent a phishing email without being told in advance that it is coming. Based on the results, different employees get different training depending on the mistakes they made. If the phishing attack is about clicking links, the employees who clicked could be transferred to an online training about why clicking links is dangerous and what could have happened if that had been a real phishing email. It’s more effective because there is an action and an immediate reaction. The employee is emotionally engaged because they realize they just made a mistake and it could have had huge consequences.
Core Human Factor Cybersecurity Learning for Each Group
In the educational world, there’s a concept known as Bloom’s Taxonomy. This is a framework that defines levels of learning and education that someone can reach. Starting from the lowest level of learning, remembering, the taxonomy goes through understanding, applying, analyzing, evaluating, and finally creating. When it comes to learning human factor cybersecurity, each of the four groups needs to reach different levels.
This group doesn’t need to go very far up the Bloom’s Taxonomy ladder. They need to be able to remember the basic concepts and the do’s and don’ts. In addition, they need to be able to understand the basic concepts involved and why they are important. They can learn more if they are motivated to do so. But remembering and understanding are the bare minimum for this group.
Executives and Decision-Makers
This group needs to remember and understand as well. But they also need to be able to apply. Their decisions are affecting the organization and its security. They need to be able to make decisions based on what they know.
This group needs to be able to remember, understand, apply, analyze, and evaluate. They need to be able to apply their knowledge to the technologies they work with. In addition, they also need to be able to analyze and evaluate the code, network, and applications they work with to spot vulnerabilities.
This group needs to master all levels – remembering, understanding, applying, analyzing, evaluating, and creating. It is important for them to be able to use existing knowledge to analyze and evaluate the company’s current state of security. But they should also be able to use that knowledge to create new ideas and concepts to improve technological and human factor security.
All Businesses Should Take Cybersecurity Seriously
The level of awareness and concern about cybersecurity and human factor cybersecurity varies based on industry and geography. Some countries are generally behind on cybersecurity. Some industries, like finance, healthcare, and government, are highly targeted and very concerned about it.
As we see more breaches and cyberattacks, more executives are understanding the importance of cybersecurity. Cybersecurity and human factor cybersecurity are important for small businesses, too. Measured by losses versus total revenue, small businesses are the most affected by cyberattacks.
On average, small- and mid-sized businesses are actually affected by cyber breaches even more than larger businesses. – Roy Zur
Regardless of industry or company size, every executive will face a cyberattack or breach at some point in their career. It’s not a question of if, but of when. Some companies are trying to mitigate risk by buying cyber insurance, but many cyber insurance companies are requiring some basic cybersecurity and human factor cybersecurity measures before they will provide a policy. Regardless of whether companies are actually taking cybersecurity seriously, they definitely should be.