Beyond the NIST Framework: Choose Behavior Change over Compliance

Posted by Living Security Team
November 04, 2022


The last time you were on a plane, did you read the safety card?

Maybe you flipped through it while waiting to take off, or maybe you glanced at it while the flight attendants gestured towards your nearest exit. But when you were done reading it (if you read it at all) you probably tucked it back in the pocket and went back to playing games on your phone, drinking ginger ale, or silently negotiating for the use of the armrest with your already-sleeping neighbor’s elbow.

What is the point of those cards, anyway? And who really pays attention to the “white lights lead to red lights, red lights lead to exits” routine? Do you?

Like most of us, even knowing how important these things would be if a rare emergency did happen, do we really pay attention? Do we learn from them, and does it actually change our behavior?

Cybersecurity incidents are a lot more common than airplane emergencies, but it’s surprising to find out that the overwhelming attitude towards security awareness and training (SA&T) is a lot like how we read an airline safety card. We read the card or take the yearly training just to say we’ve done it, just to check a box, but we don’t really expect to learn anything, much less change what we do.

(Some of this, let’s be honest here, is because a lot of cybersecurity training is about as interesting as watching paint dry. Another PowerPoint presentation from 1998? I’m vibrating with delight and anticipation!)

We know that it’s the human element that makes the difference when it comes to a sizable percentage of security incidents. The data couldn’t be clearer. We know that Human Risk Management is the future of cybersecurity training. We know all of this, but the current frameworks barely account for it.

Instead, most cybersecurity frameworks and guidelines care more that you read the safety card, or took the training, than whether you actually changed your behavior.

Recently, in her article "A Sneak Peek Into The Future Of Security Awareness And Training," Forrester VP and Senior Analyst Jinan Budge says, “Two decades of increasing the focus on the human side of security has inadvertently, and well meaningly, created a status quo that’s difficult to break. Security and risk leaders must reject the status quo of their well-intentioned, commonly accepted awareness program and focus on managing the human risk.”

To learn more about what Living Security is doing in order to break this status quo and offer a solution that gets to the heart of Human Risk Management, let’s first explore what one of the top recommended cybersecurity frameworks does — and what it might be missing.

What is the NIST Framework?

The NIST framework is a set of voluntary guidelines and best practices set forth by the National Institute of Standards and Technology in order to help companies better manage cybersecurity risk. At its core, the framework identifies five key functions that help organize cybersecurity practices: Identify, Protect, Detect, Respond, and Recover. It’s a flexible framework, intended to be a broad and adaptable guideline for companies of various sizes. The five foundations are:

  • Identify - After performing a risk assessment, security leaders will be able to define the risk management strategy that’s appropriate for their business. They’ll survey what equipment they have, and define what roles are needed for anyone with access to company data.
  • Protect - At this level, protective measures can be both automated (firewalls, regular data backups, encryption, and access controls) and human (disseminating information protection procedures and engaging in security awareness training).
  • Detect - Being able to monitor all devices for anomalies and events, unauthorized access, or potential issues is key to addressing them as quickly as possible.
  • Respond - With the initial strategy in mind, define how your company will respond to threats and potential risks. How will incidents be handled, and how will damage be mitigated?
  • Recover - After the incident, a plan must be in place to recover, not just to re-secure data but also to keep key stakeholders informed of the actions being taken.

To be clear, the NIST framework is a great starting point for cybersecurity. It works — not only as an initial framework to begin conceptualizing an organization’s unique cybersecurity needs and challenges, but also as a pathway to follow, stepping stones that can lead you through each phase of a process, hopefully cycling back around to learn and integrate the information gleaned during the post-incident recovery phase.

It’s good, but it could be better. So what do we need to add in order to find that missing piece?

The Issues With NIST Cybersecurity Framework

What the NIST framework is missing is a focus on human behavior at every step of the process. Yes, it’s important to have tech-focused solutions, but the technology attack vector isn’t the whole picture, given that 85% of all breaches in 2021 involved a human element. Accepting a certain amount of risk and choosing to mitigate it, rather than trying to prevent it, means accepting that human error is a given and, in turn, that risky behaviors cannot be changed or prevented. That’s just not good enough.

Moreover, it’s not true. (We know, because it’s kind of our thing here at Living Security, making training actually engaging, enjoyable, and educational.)

The problem with most companies is that they are only focused on compliance and need to focus on behavior change instead. This is where the NIST cybersecurity framework falls short.

The NIST framework is not an ideal standalone cybersecurity solution because, without the human element, and without Human Risk Management integrated into every level, the foundation of cybersecurity becomes more about checking boxes and meeting a quota. Much like reading that laminated security card, what does it matter if your employees complete a mandated training, attend a security awareness event, or rack up views on materials if their behavior doesn’t change as a result? Focusing on compliance and attendance, rather than behavior, does little to actually decrease risk.

NIST Compliance Regulations

Given the level of risk that cybersecurity threats pose to an organization, it’s no surprise that the compliance guidelines and frameworks are highly regulated. While the NIST framework was initially designed to guide federal agencies in meeting the Federal Information Security Management Act (FISMA), the same framework is often used by non-governmental companies as well.

Federal agencies must comply with FISMA standards, but non-governmental companies may have other regulations, such as HIPAA for the healthcare industry, they need to follow. So how do you best meet your company’s needs, take what works and what applies to you from NIST, and adapt the rest? What piece is missing?

NIST vs. Human Risk Management

The NIST framework is fundamentally a reactive approach to cybersecurity threats. Reactivity is not, by itself, a bad thing. Companies should have a robust response framework so they can effectively respond to risk when it happens. But that’s not the whole story, and it’s not enough to only focus on a reactive framework.

Human Risk Management presents a proactive approach to help change the behaviors that cause the security issues, so that when they do happen, they can be better managed. What is Human Risk Management? Put simply, it's using data to proactively identify and educate the riskiest individuals, driving behavior change so they know how to prevent human risk before it happens.

Rather than building a massive, reactive response to a potential incident caused by carelessness or lack of information, wouldn’t it be easier to simply prevent an incident from happening in the first place? This is exactly what Living Security is doing with the Unify Insights platform.

Benefits of the Human Risk Management Approach

While the NIST framework can be a starting point, it shouldn't be the only approach an organization is using. Human Risk Management is not only the future of cybersecurity, it’s the present. It’s happening now, and companies need to shift their vision to account for it. The NIST framework is a checkbox, but it shouldn’t be the only thing that defines strategy.

The benefits of switching to an HRM framework appear at every level of the current NIST framework. By identifying threats based on risky behaviors, you can work to change how people respond, empowering them to be the front line of defense rather than accepting that people will always be your weakest link.

So, yes, when you board the plane and sit down in your seat, reach for the conveniently placed laminated safety card in the pocket in front of you, and read it over. The airline doesn’t want you to read it simply to have read it; the airline wants you to know what to do to prevent risk. It’s about changing behavior.

Better Cybersecurity Risk Management With Living Security

Human Risk Management is the future of cybersecurity, and with the right tools, your organization can move beyond compliance-based models and actually start to identify risk before it is likely to occur. With Unify Insights, security professionals can deploy targeted training to those who need it most — training that’s actually interesting, and, dare we say, fun. Watch how behaviors change as a result, and how risk is affected. Create a custom-fit solution that does more than just tick the boxes. Using Living Security’s Unify Insights platform, you can see what’s missing from compliance-based frameworks: The human element.

To learn more about our Unify Insights Human Risk Management platform, or to schedule a demo, click here.
