“You Can’t Patch A Human Being”: How Behavioral Science Can Secure The Workplace

Mistakes are an unavoidable part of being human. Human beings are one of the largest unsolved problems in cybersecurity and human error is responsible for the vast majority of cyber breaches—around 85%—because changing human behavior requires a different approach to simply updating your technology. 

But the complexity of the issue should not prevent us from seeking a solution. Whereas in the past, security teams have simply thrown more technology at the problem while looking at the people involved as unsolvable liabilities, now we know lasting change can be achieved by accurately measuring strengths and weaknesses and targeting undesirable behaviors with a tailored approach, leading to lasting changes in user behavior and a more security-minded workforce.

The management of anything can only improve if we measure it, and the human attack surface is no exception. In a study by Cyentia Institute, in collaboration with Elevate Security, they define the human attack surface as: ”The sum total of people’s actions, access, and security controls that impact an organization’s risk.”

To find out more about how Elevate Security’s platform helps to secure the human attack surface, we spoke to Masha Sedova, Co-founder and president of Elevate Security. Sedova has been a security practitioner for 18 years and her work has focused on weaving behavioral science, psychology, and data analytics together into security.

Her goal along the way has been to make becoming a part of the security solution more than just an obligation, and to provide metrics and visibility into the unsolved problem of human error, giving security teams the tools to level up their employees and protect their organizations.

Elevate Security generates a human risk score for every employee based on their past security decisions. The solution integrates with hundreds of security technologies and makes use of the logs and HR systems that security teams already have in place to craft an accurate overview of each user. Dashboards and analytics help organizations better understand their riskiest departments, geographies, managers, and trends, and allows admins to see if things are improving or getting worse over time.

“This is visibility and, as the saying goes, what gets measured gets managed”

We Need To Improve Our Approach

Human error is a significant contributor to the increasing number of cyber incidents, yet this problem has remained under-explored.

“We have the ability to measure how many unpatched servers we have in our environment and how many vulnerabilities we have in our software. We understand where we are vulnerable from a technology standpoint, but we treat employees as totally separate,” Sedova explains. 

Security teams simply throwing technology at the problem and then, when it persists, claiming that humans are the weakest link and blaming employees for not being better is unhelpful, she says.

According to Sedova, security professionals are very aware of the problem of human risk but, as an industry, are struggling with some learned helplessness. “The problem isn’t that employees are the weakest link, it is that we have not met this challenge with appropriate curiosity and with a solution that has worked. And instead of blaming our approach, like our training, we blame the end recipients. And really, it’s about our approach to this problem.

“Solving for the human element is a combination of visibility and tailored mitigation strategies that leverage both psychology and security controls,” Sedova explains. “These components together are what facilitates real changes and improvements to employees’ security decisions, but the security industry has typically failed to get the right people to bring these two sides together.

“They either bring in people with communications and a PR background who understand engagement but do not understand the data side, or they hire people who are data driven and technical who focus on creating controls around employees without understanding the human piece of it. And it really takes the merging of these two disciplines to measure existing weaknesses and approach them with precision. However, most security teams are limited to training and simulated phishing, so the solutions available to them fall short compared to the size of the problem.

“Most organizations today, when you ask what is being done to address employee risk, tell you that all employees are enrolled in security training. And then, if you ask most of the employees, they’ll say that they mute it, skip to the end and brute force the quiz. And what we’re found at Elevate is that training is a very limited tool to solving the problem, and employee risk is a ubiquitous and painful problem across our industries.”

So, what does Elevate do to tackle the issue? They provide tools and integrations that clearly show organizations who their riskiest people are through three main factors: past decisions, level of access, and volume of attacks. It’s a new category in cybersecurity that they have coined human attack surface management.

“This gives you the ability to have visibility and insight into who the riskiest employees are, then you can start tailoring security controls and solutions to make sure that every employee is met exactly where they need to be to remediate that,” Sedova tells us. Elevate Security uses behavioral science, specifically the concept of social proof, to influence user behavior.

“Social proof is a concept that all of us are quite familiar with, as it is simply the comparison of our behavior to a peer group.” Essentially, this is the idea that if everyone else is doing it one way, then I should be doing it this way, too.

This works from a behavioral psychology standpoint, because while people may not care about how likely they are to click on a phishing link, they will care that they are more likely to do so than everyone else. As humans we are prewired to want to fit in with others, and we are also naturally competitive; this means risky employees are psychologically wired to want to improve, which then drives better security outcomes.

Focus On The Outcomes You Want To Accomplish

Interestingly, Elevate Security’s “security reputation score” is not directly related to the training a user has undergone; instead, the score is determined by the security decisions, both good and bad, that employees make.

According to Sedova, using scoring and gamification to encourage and reward the desired outcomes of increasing or decreasing certain behaviors will lead to a more security-minded workforce. “But all that can only happen if you’re measuring what employees do, and not just what they know.”

“Many people ask me; ‘how much training is enough training?’ And that’s not the right question at all,” Sedova tells us. “The question is, what is the outcome you want the training to accomplish?”

This should be measured not by completions rates, but rather by observing an increase in the behaviors you are trying to drive, and a decrease in those that are undesirable.

“Most security training tries to reduce phishing click throughs, increase reporting rates and encourage more mindful malware practices. By measuring those behaviors to begin with, we can see that if people already have a perfect score on real world actions and are already detecting attacks, we can conclude that any training we give them is obsolete, because they’re already performing at the level we would be expecting them to,” Sedova explains.

The goal should be to move away from delivering training for training’s sake, and instead take a more outcome-focused approach, she says.

Sedova tells us that there are several categories of security decisions that can be used in combination to measure and reduce a person’s attack surface, such as measuring susceptibility to phishing, download infection rates, and how up-to-date devices are kept. Understanding which behaviors lead to breaches and knowing how well employees have responded in the past with their decisions gives insight into who in the organization can be left alone, and who needs more support and guidance to improve their security habits.

Make Sure To Recognize Positive Behaviors

It seems you can have too much of a good thing when it comes to security training. A recent study found that training led to improvements in phishing click rates up to a certain point but, beyond that, started to become counterproductive and actually increased the likelihood of clicking. Phishing simulations also showed evidence of diminishing returns, although not as dramatically. What this tells us is that, while training and simulations are useful, they are not the solution to human risk. “So, we really need to be thinking about other solutions beyond just training and start using a much more tailored approach,” Sedova tells us.

“I have also seen security teams punishing employees when they do the wrong thing, but they don’t reward and recognize employees who do the right thing,” Sedova explains.

“Most employees will experience security as an email about a policy violation, as mandatory password rotation, as gotcha phishing tests that get them to fall for it. And it’s always either you’re in the security teams bad books, or you’re not hearing from them at all. And at the same time, we’re asking employees to be thoughtful and productive digital citizens, to report, and to be more engaged in detecting attacks.”

Sedova explains that the way to engage employees is to acknowledge and give kudos for positive behaviors. And while this may be difficult to do manually, it can be done by pulling logs and reports, noting who in the organization has kept their machine malware free for that last, say, six months, and sending an email around recognizing this and expressing gratitude. “And that’s such a novel concept to most security teams,” Sedova tells us, “Yet, it’s exactly this kind of positive reinforcement and recognition that can signal to employees what the expected and desired behaviors are.

“Instead of just punishing people for mistakes they make, we also need to be recognizing when people do what is asked of them from a security perspective if we want to start creating a culture of recognition and positive reinforcement,” Sedova tells us. “Even a regular touch point email to let people know how their departments are doing is a really great way to start driving the culture to work with you in solving this problem. And if you can tie it to a measurement, seeing how many people are reducing over time, it’s a metric that you can collectively get behind and see how you are doing as an organization.”

How To Proactively Manage Employee Risk

Sedova’s advice to organizations that are struggling to proactively manage employee risk is not to try and do everything at once. Take a structured approach and start by tackling your top risks. These could be reoccurring incidents that your security team find themselves clearing up most often, like spearphishing attacks that could lead to account takeover, loss of sensitive data, or ransomware attacks.

“Start with the thing that hurts the most,” Sedova advises, “and by addressing it further upstream, you’re going to reduce the burden on your Incident Response Team. So, focus on your top area of pain for your incident response team, that is influenced by human decisions, and then work backwards. Figure out where you can measure who’s doing it poorly and who’s doing well, and then focus one key behavior at a time.”

“Focus on your top two or three behaviors across your organization, narrow it down to the people who are the worst offenders, and for the people who are not—give them a high five.”

Thank you to Masha Sedova for taking part in this interview. You can find out more about the Elevate Security Platform on their website or via LinkedIn.