Platform

Unify HRM Overview

Platform

Capabilities

Identify: Human Risk Operations Center (HROC)
Dashboards

Power Insights

Benchmarks

Protect: Action Plans
Nudges: Communications & Employee Scorecards

Training: Risk Based SAT and Phishing

Orchestration: Policy Playbooks

Report: Human Risk Index (HRI)
Employee Scorecards

Manager Reporting

Board and Executive Reporting

Bundles

Unify Go
Start your journey to HRM here.

Monitor risk by:

Security Training Compliance

Phishing and Email

Unify Enterprise
Covers risk in Unify Go and adds:

Malware & Ransomware

Data Loss

Account Takeover

Featured Resources

Living Security Blog
What is Attack Surface Management?
link

Living Security Blog
Why Your Team Should Have A Business Continuity Plan
link
Solutions

Solutions Overview

Solutions

By Role

CISO
Provides CISO’s, executives, and boards a complete picture and prioritization of workforce risk by type, department, location, and more.
link

Security Awareness Team
Go beyond training completion and phishing click rates and proactively safeguard your organization from human-induced security incidents.
link

GRC
Identify, resolve and track commonly violated policies with granular accuracy to lower risk and improve workforce compliance.
link

SOC/IR
Unleash the true potential of your human firewall with data-driven insights and action plans that curb threats before they become incidents.
link

By Risk

Training Compliance
Monitor training compliance status for users and segments across the enterprise.
link

Phishing & Email
Identify the users most and least at risk to social engineering attacks and protect them.
link

Malware & Ransomware
Proactively protect users from malware including viruses, worms, Trojan viruses, spyware, adware, and ransomware.
link

Data Loss
Pinpoint when data is at risk of leaving your controlled environment through unauthorized access or malicious intent.
link

Identity Threats
Get visibility into the most susceptible users for account compromise and mitigate their risk.
link
Products

Products

Products Overview
Transform how your organization approaches Security Awareness and Training by shifting to a proactive HRM approach that creates a strong culture of security.

Living Security Blog
What is Attack Surface Management?
link

Unify Human Risk Management
Establish a proactive security loop.
Security Awareness Training
Interactive compliance training for modern threats.
CyberEscape Rooms
Put your team in the center of security scenarios
Cybersecurity Awareness Month
Create a cyber vigilant workforce in October
Cybersecurity Engagement Training Go beyond compliance training Phishing
Stop social engineering attacks in their tracks with realistic simulations and training
across phishing, vishing, smishing, and more.
HRM

HRM

Human Risk Management: Proactive Security
Human Risk Management (HRM) is the process of identifying, assessing, and mitigating risks associated with human behavior in relation to an employee's use of technology.
HRM Maturity Model
How far is your company along the path to true proactive security?

Living Security Blog
What is Attack Surface Management?
link
Resources

Resources

Resources
Level up on Human Risk Management with a comprehensive collection of webcasts, whitepapers, ebooks, and more.
Blog
Access hundreds of informative blogs with deep dives and best practices relating to the full array of cybersecurity risks we face.
Webinars
Watch dozens of webinars tackling some of cybersecurity’s biggest challenges featuring thought leaders from leading organizations.
Case Studies
See how a variety of organizations utilize Living Security’s HRM Platform, Training, and Phishing to reduce risk with proactive defense.

Partners
Human Risk Management Powered by Partners.
Technology Alliance Program
Extend the value of your offering with HRM.
Partner Support
Unlock your potential with our partner hub.

Living Security Community Share HRM best practices Newsroom Read the latest news on Living Security. Support
The more you know, the more you grow.
Why Living Security
Establish a proactive security loop.
Start Now

February 20, 2023

How to Measure the Human Factor in Cybersecurity

A company device is left unattended while its owner gets up to grab his coffee from the bar.

A simple password is used across multiple accounts and multiple services.

A link from a spoofed company email, clicked by an uninformed, well-intended employee.

Human risk is everywhere, and it isn’t always easy to see. While humans are a company’s best asset, they can also be its greatest source of risk. Being able to identify and measure the human factor is crucial to building a robust cybersecurity framework, one that is better poised to adapt to threats and prevent risks before they become incidents. To do all this, an organization must understand the human factor in cybersecurity, how to measure it, and what to do with that data.

What is Human Risk?

Human risk is everywhere, from personal and individual risk to risk that affects companies of all sizes. It’s defined as the risks caused by human behavior, and it’s not limited to tech companies or any particular sector. Any business that has humans in it has a human risk because humans make errors. So, unless you’re reading this from an all-robot company full of flawless beings, this will probably apply to you.

The Human Factor's Critical Role in Cybersecurity

When it comes to the human element of cybersecurity, understanding what role human risk has can help information security leaders to recognize what human-driven threats might be on the horizon. Human risk may be anything from choosing an insecure or easily-guessed password, clicking on a link in a phishing email, or forwarding sensitive company data to an outside source by accident. And while employees may know that they need to secure or lock their devices while unattended, or perform certain authentication checks, they might skip them just this once. All it takes is once, though.

In their 2022 Data Breach Investigations Report, Verizon found that 82% of breaches involved the human element. In order to prevent human risks from becoming incidents, employee behavior not only needs to be evaluated, but it also needs to change. Developing a human cyber risk evaluation model for your company is the most effective way to change this statistic for your own organization.

Scenarios: When the Human Factor in Cybersecurity Becomes a Risk

Human risk management is relevant across the entire organization, in every department, and at every level of the employee ladder.

A newly-hired employee might not know best practices in what to do with their badge or login credentials, accidentally leaving a vulnerability exposed.
A manager might be in too much of a rush as they scan through emails, and could click on a link that looks close enough, opening their machine and their organization up to malware or phishing.
A C-level officer might be up on all of their current training, but lose their keyring—and with it, an essential USB drive containing sensitive data.

All of these scenarios are avoidable if employees properly understood the risk involved, and if proactive, relevant security awareness training and preventative measures had been put into place to help them recognize and avoid these risks.

Key Human Error Factors in Cybersecurity

Simple human errors can cause all kinds of problems. Some examples of human risk include:

Phishing: A cyber attack where criminals try to provoke an insecure action, like clicking a link or downloading a virus, keylogger, or piece of malware. Phishing emails can be incredibly sophisticated and deceptive, appearing to be valid emails from internal addresses. They’ve developed a lot from the old reliable “a distant relative has left you two million dollars in the mail, just put your banking information here in this very secure and not at all suspicious form!”
Malware: There are all kinds of malicious software attacks out there, from ones that run silently in the background, crawling and gathering data, to ones that lock down a system and hold it for ransom. Knowing how to identify them before they get installed makes all the difference.
Passwords: Many companies have guidelines for password security, but some don’t, and that’s a potential problem. Still, others don’t have guidelines that are strong or complex enough. A weak or frequently used password is much easier to crack or brute force, and the solution to this is to require passwords to be more complex, and therefore harder to guess or force.
Hardware Loss: Accidentally leaving a USB drive or an important piece of hardware behind somewhere presents huge challenges to an information security team. When sensitive data or important company devices are lost or stolen, steps must be taken right away to lock down whatever could be at risk.
Insider Threats: Individuals might leak sensitive data intentionally, or unintentionally, but the result is the same. Understanding what levels of access each user has, controlling that access, and tracking usage and activity with the right kind of tools are key to preventing malicious or careless actions.

How to Measure the Human Factor

In order to measure the human factor of employees, a baseline must first be set. After all, to know where you’re going, you have to know where your starting point is. This baseline can be set by evaluating existing metrics, sending out surveys to encourage honest feedback, and researching what the most common issues have been.

It’s important to listen to what the IT team has experienced, but often, teams across the organization and outside of the IT team can provide key insight into what common cybersecurity issues in a specific company are. Maybe there are issues they’re experiencing, problems they can’t seem to resolve, or protocols they’re unclear about when it comes to cybersecurity best practices. This is step one in Human Risk Management.

Gathering data about employee behaviors is critical, too, but that can be trickier to aggregate. As they say, actions speak louder than words, and while the feedback across the organization is important, finding out what different users and groups are actually doing (or not doing) is vital. Human behavior is central to the concept of risk management in cybersecurity. Without appropriate solutions, however, effectively monitoring employee behaviors can be tricky.

Change starts with data, and knowing how to source it, analyze it, and respond to it has the potential to change human risk into human action. Living Security’s Unify solution gathers user data across organizations in order to analyze individuals, assigning them a risk score based on their past behaviors. It makes this process seamless and easier to target specific training solutions to the users who need it most, based on their behaviors.

How to Apply Your Findings

Once you have your data, what do you do with it? Unify Insights Action Plans can be used to develop security programs that will work for the needs of a specific organization, group, or individual. Now, you can see that one department is clicking on phishing links, or that a specific remote user is experiencing repeated failed login attempts.

You can then deploy specific training or tools to these specific users or teams, making it timely and relevant to your riskiest users. Once the training is complete, you can then measure whether that training has been effective at changing risky behavior.

The Future of Cybersecurity Human Factor Evaluation

At Living Security, we’re champions of the idea that human risk management is the future of cybersecurity. Human risk represents the greatest threat to an organization’s cybersecurity, but it can also be an organization’s greatest strength. To learn more about how Living Security Unify can help increase cybersecurity awareness across your organization and change behaviors, learn more by requesting a demo today.