# #

February 20, 2023

How to Measure the Human Factor in Cybersecurity


A company device is left unattended while its owner gets up to grab his coffee from the bar.

A simple password is used across multiple accounts and multiple services.

A link from a spoofed company email, clicked by an uninformed, well-intended employee.

Human risk is everywhere, and it isn’t always easy to see. While humans are a company’s best asset, they can also be its greatest source of risk. Being able to identify and measure the human factor is crucial to building a robust cybersecurity framework, one that is better poised to adapt to threats and prevent risks before they become incidents. To do all this, an organization must understand the human factor in cybersecurity, how to measure it, and what to do with that data. 

What is Human Risk?

Human risk is everywhere, from personal and individual risk to risk that affects companies of all sizes. It’s defined as the risks caused by human behavior, and it’s not limited to tech companies or any particular sector. Any business that has humans in it has a human risk because humans make errors. So, unless you’re reading this from an all-robot company full of flawless beings, this will probably apply to you. 

The Human Factor's Critical Role in Cybersecurity

When it comes to the human element of cybersecurity, understanding what role human risk has can help information security leaders to recognize what human-driven threats might be on the horizon. Human risk may be anything from choosing an insecure or easily-guessed password, clicking on a link in a phishing email, or forwarding sensitive company data to an outside source by accident. And while employees may know that they need to secure or lock their devices while unattended, or perform certain authentication checks, they might skip them just this once. All it takes is once, though. 

In their 2022 Data Breach Investigations Report, Verizon found that 82% of breaches involved the human element. In order to prevent human risks from becoming incidents, employee behavior not only needs to be evaluated, but it also needs to change. Developing a human cyber risk evaluation model for your company is the most effective way to change this statistic for your own organization. 

Scenarios: When the Human Factor in Cybersecurity Becomes a Risk

Human risk management is relevant across the entire organization, in every department, and at every level of the employee ladder. 

  • A newly-hired employee might not know best practices in what to do with their badge or login credentials, accidentally leaving a vulnerability exposed. 
  • A manager might be in too much of a rush as they scan through emails, and could click on a link that looks close enough, opening their machine and their organization up to malware or phishing.
  • A C-level officer might be up on all of their current training, but lose their keyring—and with it, an essential USB drive containing sensitive data.

All of these scenarios are avoidable if employees properly understood the risk involved, and if proactive, relevant security awareness training and preventative measures had been put into place to help them recognize and avoid these risks.

Key Human Error Factors in Cybersecurity

Simple human errors can cause all kinds of problems. Some examples of human risk include:

  • Phishing: A cyber attack where criminals try to provoke an insecure action, like clicking a link or downloading a virus, keylogger, or piece of malware. Phishing emails can be incredibly sophisticated and deceptive, appearing to be valid emails from internal addresses. They’ve developed a lot from the old reliable “a distant relative has left you two million dollars in the mail, just put your banking information here in this very secure and not at all suspicious form!” 
  • Malware: There are all kinds of malicious software attacks out there, from ones that run silently in the background, crawling and gathering data, to ones that lock down a system and hold it for ransom. Knowing how to identify them before they get installed makes all the difference. 
  • Passwords: Many companies have guidelines for password security, but some don’t, and that’s a potential problem. Still, others don’t have guidelines that are strong or complex enough. A weak or frequently used password is much easier to crack or brute force, and the solution to this is to require passwords to be more complex, and therefore harder to guess or force.  
  • Hardware Loss: Accidentally leaving a USB drive or an important piece of hardware behind somewhere presents huge challenges to an information security team. When sensitive data or important company devices are lost or stolen, steps must be taken right away to lock down whatever could be at risk. 
  • Insider Threats: Individuals might leak sensitive data intentionally, or unintentionally, but the result is the same. Understanding what levels of access each user has, controlling that access, and tracking usage and activity with the right kind of tools are key to preventing malicious or careless actions. 

How to Measure the Human Factor

In order to measure the human factor of employees, a baseline must first be set. After all, to know where you’re going, you have to know where your starting point is. This baseline can be set by evaluating existing metrics, sending out surveys to encourage honest feedback, and researching what the most common issues have been.

It’s important to listen to what the IT team has experienced, but often, teams across the organization and outside of the IT team can provide key insight into what common cybersecurity issues in a specific company are. Maybe there are issues they’re experiencing, problems they can’t seem to resolve, or protocols they’re unclear about when it comes to cybersecurity best practices. This is step one in Human Risk Management. 

Gathering data about employee behaviors is critical, too, but that can be trickier to aggregate. As they say, actions speak louder than words, and while the feedback across the organization is important, finding out what different users and groups are actually doing (or not doing) is vital. Human behavior is central to the concept of risk management in cybersecurity. Without appropriate solutions, however, effectively monitoring employee behaviors can be tricky. 

Change starts with data, and knowing how to source it, analyze it, and respond to it has the potential to change human risk into human action. Living Security’s Unify solution gathers user data across organizations in order to analyze individuals, assigning them a risk score based on their past behaviors. It makes this process seamless and easier to target specific training solutions to the users who need it most, based on their behaviors. 

How to Apply Your Findings

Once you have your data, what do you do with it? Unify Insights Action Plans can be used to develop security programs that will work for the needs of a specific organization, group, or individual. Now, you can see that one department is clicking on phishing links, or that a specific remote user is experiencing repeated failed login attempts.

You can then deploy specific training or tools to these specific users or teams, making it timely and relevant to your riskiest users. Once the training is complete, you can then measure whether that training has been effective at changing risky behavior. 

The Future of Cybersecurity Human Factor Evaluation

At Living Security, we’re champions of the idea that human risk management is the future of cybersecurity. Human risk represents the greatest threat to an organization’s cybersecurity, but it can also be an organization’s greatest strength. To learn more about how Living Security Unify can help increase cybersecurity awareness across your organization and change behaviors, learn more by requesting a demo today.

# # # # # # # # # # # #