Traditionally, cybersecurity has been all about technology — but really, it is a people problem.
Research indicates that human behavior accounts for the majority of cybersecurity issues: 95% according to the World Economic Forum; 82% per Verizon’s 2022 Data Breach Investigations Report; nearly 91% according to the U.K.’s Information Commissioner’s Office.
This is not for lack of training, said Flavius Plesu, CEO of new software-as-a-service (SaaS) platform OutThink.
“Workers have not been ignored; training has always been a key part of the security landscape,” he said.
However, he pointed out, these have primarily been delivered through computer-based Security Awareness Training (SAT).
“The focus of SAT has until now been to instruct, rather than to understand users,” he said.
To address this, OutThink claims it has invented a new category of software: The cybersecurity human risk management platform. To aid in its development, the company today announced that it has raised $10 million in a seed-stage funding round.
“The entire platform is about making the human side of security practical,” said Plesu.
Cyberattacks continue to increase in complexity, scope and cost. The average cost of a data breach globally is $4.35 million; in the U.S. it’s more than double that, at $9.44 million.
In fact, the World Economic Forum’s 2021 Global Risks Report ranks cyberattacks as one of the top three biggest threats of the decade, alongside weapons of mass destruction and climate change.
To the point of human behavior, the focus of this year’s Cybersecurity Awareness Month (October) is “See Yourself in Cyber.” Gartner identifies “beyond awareness” programs as one of the top trends in cybersecurity in 2022.
“Progressive organizations are moving beyond outdated compliance-based awareness campaigns and investing in holistic behavior and culture change programs designed to provoke more secure ways of working,” writes Peter Firstbrook, Gartner VP analyst.
Taking training to the next level
Companies offering platforms to this end include KnowBe4, SoSafe, CybSafe, Cyber Risk Aware and CyberReady, among others.
OutThink’s tool uses monitored machine learning (ML), natural language processing (NLP) and applied psychology to reveal what users truly believe and gauge their risk, explained Plesu.
Intelligence is combined with data from integrated security systems — like Microsoft Defender or Microsoft Sentinel — to present live dashboards showing the overall human risk picture at a department, group or organization level, as well as the root causes of that risk, he said.
Based on this information, the platform then recommends or automates the delivery of tailored improvement actions.
All three points of the people-processes-technology triangle are “better aligned and joined up,” said Plesu, and “people are no longer the problem: They become the solution.”
The platform is already used by a number of large global organizations including Whirlpool, Danske Bank, Rothschild and FTSE 100 brands, he said.
Addressing the ‘human challenge’
OutThink came from Plesu’s personal experience as a CISO. Early in his career, he explained, he led complex cybersecurity transformation programs within large global organizations.
“It became clear to me that, despite considerable investment in technical security measures and awareness training, we were still exposed,” he said.
He began to rethink cybersecurity and address the “human risk challenge” with CISO peers and members of the academic community.
Plesu noted that, whenever people use computer systems to process or handle information, there is an inherent risk that someone will make a mistake, or turn against the company and cause deliberate damage. Cybersecurity human risk management aims to answer three key questions for CISOs:
- Identifying human risk: Who inside my organization is more likely to cause a data breach?
- Understanding human risk: Why are these people at risk?
- Managing human risk: How can we better support these colleagues?
“The idea for OutThink was born out of frustration with the first-generation solutions in the market, but it also came from a passionate belief: If we engage people beyond security awareness training, we can make them an organization’s strongest defense mechanism,” said Plesu.
One FTSE 100 organization benchmarked OutThink using independent phishing simulation platforms (Proofpoint and Cyber Risk Aware). After just one individualized security awareness OutThink session, its employees were 47.74% less likely to click on a phishing link and 46% more likely to correctly identify and report a phishing email, said Plesu.
A new approach
By contrast, he said, first-generation tools on the market provide e-learning modules or videos and phishing simulations that are typically identical to all users.
While these have moderate levels of efficacy, they suffer from the same problem as any training solution: The vast majority of information (75%) is forgotten within a week, he pointed out.
Newer platforms use ML to understand behaviors and target training, namely through surveys. But NLP and data science are typically not applied to understand how people feel and think about security; they are dependent on honest responses.
“A huge number of cognitive biases mean this is a risky approach,” said Plesu. “People tend to overestimate their own ability and knowledge, especially for those with the weakest competencies.”
Also, people tend to think of themselves as exceptions, and they will provide the responses requiring the least effort.
There are also custom-designed e-learning assets for organizations or specific departments within them, he said.
“We do not consider this to be a viable alternative because there are major differences in the security attitudes — including personality, risk perception and intentions — and behaviors of each employee within an organization; even within the same department,” said Plesu.
Ultimately, “the continual growth of cybercrime shows that conventional approaches aren’t working,” he said. “There is an urgent need for effective new approaches to cybersecurity human risk management.”