Platform

Unify HRM Overview

Platform

Capabilities

Identify: Human Risk Operations Center (HROC)
Dashboards

Power Insights

Benchmarks

Protect: Action Plans
Nudges: Communications & Employee Scorecards

Training: Risk Based SAT and Phishing

Orchestration: Policy Playbooks

Report: Human Risk Index (HRI)
Employee Scorecards

Manager Reporting

Board and Executive Reporting

Bundles

Unify Go
Start your journey to HRM here.

Monitor risk by:

Security Training Compliance

Phishing and Email

Unify Enterprise
Covers risk in Unify Go and adds:

Malware & Ransomware

Data Loss

Account Takeover

Featured Resources

Living Security Blog
What is Attack Surface Management?
link

Living Security Blog
Why Your Team Should Have A Business Continuity Plan
link
Solutions

Solutions Overview

Solutions

By Role

CISO
Provides CISO’s, executives, and boards a complete picture and prioritization of workforce risk by type, department, location, and more.
link

Security Awareness Team
Go beyond training completion and phishing click rates and proactively safeguard your organization from human-induced security incidents.
link

GRC
Identify, resolve and track commonly violated policies with granular accuracy to lower risk and improve workforce compliance.
link

SOC/IR
Unleash the true potential of your human firewall with data-driven insights and action plans that curb threats before they become incidents.
link

By Risk

Training Compliance
Monitor training compliance status for users and segments across the enterprise.
link

Phishing & Email
Identify the users most and least at risk to social engineering attacks and protect them.
link

Malware & Ransomware
Proactively protect users from malware including viruses, worms, Trojan viruses, spyware, adware, and ransomware.
link

Data Loss
Pinpoint when data is at risk of leaving your controlled environment through unauthorized access or malicious intent.
link

Identity Threats
Get visibility into the most susceptible users for account compromise and mitigate their risk.
link
Products

Products

Products Overview
Transform how your organization approaches Security Awareness and Training by shifting to a proactive HRM approach that creates a strong culture of security.

Living Security Blog
What is Attack Surface Management?
link

Unify Human Risk Management
Establish a proactive security loop.
Security Awareness Training
Interactive compliance training for modern threats.
CyberEscape Rooms
Put your team in the center of security scenarios
Cybersecurity Awareness Month
Create a cyber vigilant workforce in October
Cybersecurity Engagement Training Go beyond compliance training Phishing
Stop social engineering attacks in their tracks with realistic simulations and training
across phishing, vishing, smishing, and more.
HRM

HRM

Human Risk Management: Proactive Security
Human Risk Management (HRM) is the process of identifying, assessing, and mitigating risks associated with human behavior in relation to an employee's use of technology.
HRM Maturity Model
How far is your company along the path to true proactive security?

Living Security Blog
What is Attack Surface Management?
link
Resources

Resources

Resources
Level up on Human Risk Management with a comprehensive collection of webcasts, whitepapers, ebooks, and more.
Blog
Access hundreds of informative blogs with deep dives and best practices relating to the full array of cybersecurity risks we face.
Webinars
Watch dozens of webinars tackling some of cybersecurity’s biggest challenges featuring thought leaders from leading organizations.
Case Studies
See how a variety of organizations utilize Living Security’s HRM Platform, Training, and Phishing to reduce risk with proactive defense.

Partners
Human Risk Management Powered by Partners.
Technology Alliance Program
Extend the value of your offering with HRM.
Partner Support
Unlock your potential with our partner hub.

Living Security Community Share HRM best practices Newsroom Read the latest news on Living Security. Support
The more you know, the more you grow.
Why Living Security
Establish a proactive security loop.
Start Now

September 9, 2021

How To Measure Cybersecurity Behavior and Drive Long-Lasting Cultural Change

Chief information security officers everywhere work to instill a culture of security awareness in order to improve their organization’s security posture. Being able to define and measure the impact of their initiatives is vital to determining the success of that cultural change.

But sometimes standard metrics don’t tell the full story. Sure, you can produce charts showing clicks on phishing emails, but how do you measure the unquantifiable, such as your employees’ perception of and care for your company’s security?

With the right determination and plan, subjective metrics like cultural change become easier to both measure and improve.

Here are four steps to do just that and drive true culture change around cybersecurity:

1. Conduct research to create a baseline.

Before you can start improving the behavior of your employees, you need a clear understanding of what your team is and isn’t doing well surrounding your security posture. How can you establish this baseline?

Meet with company leadership and department managers to note any security risks they’ve noticed. Ask for their current perception of your cybersecurity posture and any particular areas they want to see improvement in. Non-technical or security-focused members of your leadership team may need some prompting to identify what these threats may be—from physical security issues to unintentional insider threats to exposure to outside attacks. Lead them through this conversation.
Research the most common issues your IT department resolves. The types and frequency of support issues can help determine the focus of your organization’s short-term security goals. For example, if many of your help desk tickets are associated with account lockouts or forgotten passwords, implementing a password management tool may be a short-term solution that helps employees and potentially closes security gaps.
Send surveys encouraging employees to share anonymous, honest feedback about where they feel your company’s security infrastructure is lacking or where their knowledge of particular security topics could be improved. Give users an open invitation to ask their most burning security questions and get straight answers once and for all.
Review any previously established metrics for measuring your security awareness program’s success, if applicable.

This upfront research will identify your organization's cybersecurity strengths while also highlighting areas that need improvement. Your findings should guide goal setting for short- and long-term improvement strategies.

2. Create a program plan.

Once you have a clear picture of your current security baseline, you can develop a specific, timely action plan for creating a more cybersecurity-conscious culture.

For example, you’ve discovered account credentials that can be easily compromised, so you’ve set a goal to roll out multifactor authentication (MFA). It's unlikely that you can flip a switch and turn on a new process overnight. In fact, you must decide the logistics of how you may introduce the new security policy. That might mean:

Choosing a team or department for an initial implementation.
Explaining to that team why the change is necessary, what the requirements placed on them will be, what the benefits to them will be, and what the challenges they may run into are.
Establishing goals and metrics for measuring success, such as having a certain percentage of the team fully activated with MFA by a certain time period.
Debriefing on this implementation before rolling it out to the rest of the organization.

Successful change management can look different at every organization, but consider these practices as you get started:

Deliver the right message to the right audience

When introducing a new initiative, how you communicate with each department to get them on board for security improvement is crucial. Empower department leaders to craft the “what’s in it for me?” message for their teams. Make sure to ask for feedback from department leaders on the wins accomplished through these changes; this communication is just as important as the change itself.

Outline which specific behaviors will change

Be very clear on the exact behavior(s) that need to be changed. Let’s think back to the multifactor authentication example: if you want a department to be using MFA by the end of the month, a short document or video that explains the current authentication practices, the new expectation, and the steps team members will need to take to set up their account and verify their identity moving forward will be critical. This type of “how-to” content paired with the department leader’s strong message of why it matters to their team can go a long way.

Make it fun!

Part of the reason it's so hard to make lasting behavioral changes to improve security is the traditional “dumb employee” trope surrounding cyberescurity efforts. Historically, employees are made to feel powerless and stupid for not recognizing cyber threats; they are driven to change their actions using fear tactics. This heightened stress may work short-term, but this approach rarely encourages employees to make sustainable changes. Instead, it can lead to resentment toward and disinterest in your security program at large!

Instead of guilting employees for everything they're doing wrong, empower them by recognizing the things they are doing right and the progress they are making. When developing your security program, include rewards and recognition for employees to drive positive results and behaviors. Even security programs without a high budget can try these inexpensive yet highly effective incentivization tactics. You can even turn your cybersecurity awareness training into interactive, experiential games to boost engagement and foster higher retention of material.

Learn more about defining and enforcing specific behavioral changes in The 4-Step Guide to Cybersecurity Human Risk Management.

3. Establish and track progress toward new key performance indicators.

Just as important as receiving company buy-in for your program is being able to show the results of everyone’s hard work. It’s vital to be able to track the organization’s progress—not only to demonstrate improvement but to make data-driven decisions regarding any potential changes or additions to the program.

It's crucial that you establish a scorecard or dashboard to be able to track your program’s impact. Successful cybersecurity awareness training requires clear, trackable metrics for measurable reporting; make sure to include the number and types of rewards given for team members who practice and encourage secure behaviors. Develop ways to assign values to soft metrics like “perceived safety,” which will help the leadership team understand how individual behaviors tie into the big picture.

As security incidents occur, use these as examples for on-the-spot learning opportunities. Remember that your team is human. 100% compliance with zero mistakes is unlikely to occur. The most important thing is to create a culture where employees feel comfortable reporting security incidents. This is far easier to achieve by never pushing fear of repercussions and, instead, empowering them to take action when they see a problem and thanking them for doing their part to better protect your organization.

Review the scorecard results regularly and communicate the results to your organization in periodic reviews to get others involved in championing security along your side. In order to create a positive culture around cybersecurity, you must be candid about what your team is excelling at and what they need to grow in. This transparency helps to instill personal responsibility.

4. Review results regularly and make continuous improvements.

As you continue to track security behaviors and change your internal culture around cybersecurity, you'll start to see an increasing number of opportunities to educate and empower your team.

This is your opportunity to use the data you've been collecting and apply it to boost your program’s success. Build in routine security awareness training sessions, cultural perspective workshops, and other team-building exercises designed to transform your security posture. With consistency, time, and dedication, you will start to see the results speak for themselves.

It All Starts With Human Risk Management

The only way to effectively inspire long-lasting behavioral changes about cybersecurity within your company’s culture is to remind your employees they are your greatest strength, not your greatest weakness.

That starts with managing your security risk at a human level and empowering employees to recognize their impact on your security.

Download our free guide, 7 Essential Trends Of Human Risk Management for 2021, to discover more ways to turn your team into advocates of your security culture.