On 8 November, teissTalk host Thom Langford was joined by Baering Logason, Chief Information Security Officer, Isavia; Candace Williams, CEO/Founder, Cyb(H)er Ally Cybersecurity Solutions, LLC; Ray Espinoza, Chief Information Security Officer, Inspectiv; and Oz Alashe, CEO, CybSafe.
Views on news
In the past, when workforces were mostly office-based or followed regular travel routines, typical behaviour was easier to define and abnormal behaviour easier to identify, because most activity revolved around an on-premises corporate network that was easier to manage and control. To adapt, many organisations now lean on a combination of SIEM tools, endpoint solutions and cloud security posture management, backed by automation and behaviour analytics. The underlying principle, for detection and incident response alike, is that if you have enough data you can detect anomalies.
However, even with huge amounts of data, many behaviours flagged as abnormal turn out to be benign. Security monitoring has followed the same modus operandi for the last 15 years, looking for network flows that appear suspicious; cloud computing now has the potential to become a data-mining heaven and bring about a step change. Whether AI will solve the problem of data overabundance is still hard to say. It is equally important, however, to identify behavioural patterns that show no anomaly but nevertheless pose a risk.
For the time being, though, it is about managing expectations: the efficiency of detection and remediation can improve, but it will never be perfect. We still need to investigate, validate and keep a human in the loop to confirm that an alert is not a false positive.
Although baselining is challenging, the key to it is knowing your organisation and who is who in it. Rather than aiming for perfection, rapid iterations for short periods of time may be a more efficient strategy for now.
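The baselining and false-positive problem above in miniature, as an added example that is not code from the panel or any vendor product: per-user baselines are learned from a short window of constructed authentication log lines (the log format, field names, users and geos are assumptions for the demo), and new logins are scored on two behavioural features. A login that is only "new geo" at a normal hour is marked for human review rather than escalated, because that is precisely the alert that usually turns out to be benign travel; a login that is both off-hours and from a new geo is rated high.

```python
"""Per-user behavioural baselining over constructed auth logs.

Added example, not from the teissTalk panel or any product. The line format,
users, geos and thresholds are assumptions made for this demonstration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Assumed log line shape: "<ISO8601Z> user=<u> src=<ip> geo=<CC> action=login result=<r>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) "
    r"action=login result=(?P<result>\S+)"
)


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


@dataclass
class Baseline:
    geos: set = field(default_factory=set)   # countries this user has logged in from
    hours: list = field(default_factory=list)  # fractional hour-of-day of each success


def build_baselines(lines):
    """Learn each user's normal geos and login hours from successful logins only."""
    baselines = defaultdict(Baseline)
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue  # failures are not 'normal'; don't let them widen the baseline
        b = baselines[ev["user"]]
        b.geos.add(ev["geo"])
        b.hours.append(ev["ts"].hour + ev["ts"].minute / 60)
    return baselines


def score(ev, b, z_threshold=3.0):
    """Return the list of reasons an event deviates from the user's baseline."""
    reasons = []
    if ev["geo"] not in b.geos:
        reasons.append(f"new geo {ev['geo']} (seen: {sorted(b.geos)})")
    mu = mean(b.hours)
    # Floor the spread so a very tight baseline does not flag ten minutes of drift.
    # Caveat: this ignores midnight wrap-around; a shift worker's baseline needs
    # a circular statistic instead.
    sd = max(pstdev(b.hours), 0.5)
    hour = ev["ts"].hour + ev["ts"].minute / 60
    z = (hour - mu) / sd
    if abs(z) > z_threshold:
        reasons.append(f"off-hours login (z={z:.1f}, usual ~{mu:.1f}h)")
    return reasons


def detect(baseline_lines, new_lines):
    """Score new events; return (user, severity, reasons) for each deviation."""
    baselines = build_baselines(baseline_lines)
    alerts = []
    for ev in map(parse, new_lines):
        b = baselines.get(ev["user"])
        if b is None:
            alerts.append((ev["user"], "high", ["user has no baseline"]))
            continue
        reasons = score(ev, b)
        if not reasons:
            continue
        # A lone 'new geo' at a normal hour is the classic benign-travel alert:
        # route it to a human for validation instead of auto-responding.
        severity = "high" if len(reasons) > 1 else "review"
        alerts.append((ev["user"], severity, reasons))
    return alerts


def constructed_baseline(days=10):
    """Constructed sample: alice logs in from GB around 09:00, bob from US around 14:00."""
    lines = []
    start = datetime(2024, 11, 4, tzinfo=timezone.utc)
    for d in range(days):
        day = start + timedelta(days=d)
        for user, geo, hour, minute in (("alice", "GB", 9, (d * 7) % 40),
                                        ("bob", "US", 14, (d * 11) % 40)):
            ts = day.replace(hour=hour, minute=minute).strftime("%Y-%m-%dT%H:%M:%SZ")
            lines.append(f"{ts} user={user} src=10.0.1.{d + 1} geo={geo} action=login result=success")
    return lines


NEW_EVENTS = [  # constructed events to score, not real data
    "2024-11-18T09:05:00Z user=alice src=81.0.0.1 geo=IE action=login result=success",   # travel?
    "2024-11-18T03:10:00Z user=bob src=203.0.113.9 geo=RU action=login result=success",  # off-hours + new geo
    "2024-11-18T09:10:00Z user=alice src=10.0.1.3 geo=GB action=login result=success",   # normal
]

if __name__ == "__main__":
    for user, severity, reasons in detect(constructed_baseline(), NEW_EVENTS):
        print(user, severity, "; ".join(reasons))
```

Running it yields one "review" alert for alice (new geo IE, normal hour) and one "high" alert for bob (new geo RU and a login at 03:10 against a 14:00 baseline); alice's GB login at 09:10 produces nothing. The ten-day window is deliberately short, in the spirit of iterating a baseline quickly rather than waiting for a perfect one, and the "review" tier is where the human in the loop earns their keep.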
Pre-attack intelligence
Behavioural analysis is a broader term than the monitoring of behavioural anomalies: it also covers more fundamental aspects such as normal security behaviour. Beyond detecting anomalies, it is also important to measure how behaviour changes as a result of different types of training. Judging the current state of security, panellists agreed that security awareness is broken.
The key to getting user buy-in for security education is to build their confidence in their own security skills, and in the security team's ability to sort things out. Telling employees that they are the weakest link in security works against that confidence. Simulations are a great way to show users what they are up against. Enduring but risky behaviours include sharing passwords, using unauthorised applications and opening attachments from unknown sources.
Behavioural metrics are intrinsically subjective and fuzzy. Rather than reaching for the stick, a CISO's concern should be how the controls they implement can enable the organisation to make more money. The effectiveness of simply asking employees questions about their behaviour to measure progress is often underrated.
Approximate measures of user intent are vital too, as is the application of behavioural science to security. Security experts traditionally came from IT, but nowadays they have increasingly diverse backgrounds, good communication skills and the ability to build relationships and goodwill. A new approach to training that shows potential is making it targeted: giving people nudges and prompts when and as they need them.
However, implementing that at scale requires complex technical systems. Unless nudges and prompts are delivered intelligently and correctly, they will only be a nuisance to the user. Outlook, for example, already warns users when a message is suspected of being phishing.
A great deal of scientific research on influencing human behaviour already exists, and security should benefit from it. We should go beyond training and educating to genuinely helping users.
The panel’s advice
Failures in security awareness shouldn't be seen as a user problem but as the result of ineffective education. Annual security training won't change die-hard habits.
Enable users to learn about security at their own pace through channels that work best for them.
Remember, behaviour is influenced by more than just what people know.
Don't slap the wrists of those who say they were just trying to do their jobs. Show empathy.
Contextualise and personalise your security messages.
If you see positive behaviour, reinforce it.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543