Beyond the NIST Framework...
November 4, 2022
The last time you were on a plane, did you read the safety card?
Maybe you flipped through it while waiting to take off, or maybe you glanced at it while the flight attendants gestured towards your nearest exit. But when you were done reading it (if you read it at all) you probably tucked it back in the pocket and went back to playing games on your phone, drinking ginger ale, or silently negotiating for the use of the armrest with your already-sleeping neighbor’s elbow.
What is the point of those cards, anyway? And who really pays attention to the “white lights lead to red lights, red lights lead to exits” routine? Do you?
Like most of us, you know how important those details would be in a rare emergency. But do you pay attention? Do you learn anything from the card, and does it actually change what you do?
Cybersecurity incidents are far more common than airplane emergencies, yet the prevailing attitude toward security awareness and training (SA&T) is a lot like how we treat the safety card. We read the card or take the yearly training just to say we have done it, just to check a box, without expecting to learn anything, much less change our behavior.
(Some of this, let’s be honest, is because a lot of cybersecurity training is about as interesting as watching paint dry. Another PowerPoint deck from 1998? I’m vibrating with delight and anticipation!)
We know that a human element is involved in the large majority of breaches. The data couldn’t be clearer. We know that Human Risk Management is the future of cybersecurity training. We know all of this, yet the current frameworks barely account for it.
Instead, most cybersecurity frameworks and guidelines care more that you read the safety card, or took the training, than whether you actually changed your behavior.
Recently, in her article "A Sneak Peek Into The Future Of Security Awareness And Training," Forrester VP and Senior Analyst Jinan Budge says, “Two decades of increasing the focus on the human side of security has inadvertently, and well meaningly, created a status quo that’s difficult to break. Security and risk leaders must reject the status quo of their well-intentioned, commonly accepted awareness program and focus on managing the human risk.”
To learn more about what Living Security is doing in order to break this status quo and offer a solution that gets to the heart of Human Risk Management, let’s first explore what one of the top recommended cybersecurity frameworks does — and what it might be missing.
The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines and best practices published by the National Institute of Standards and Technology to help organizations manage cybersecurity risk. At its core, the framework organizes cybersecurity practices into five functions: Identify, Protect, Detect, Respond, and Recover. It is deliberately flexible, intended as a broad and adaptable guideline for organizations of every size. The five functions are:
Identify – Develop an understanding of the systems, assets, data, and people that need protecting, then perform a risk assessment so that security leaders can define a risk management strategy appropriate for the business.
Protect – Put safeguards in place. These can be technical (firewalls, regular data backups, encryption, and access controls) or human (disseminating information-protection procedures and running security awareness training). In CSF 1.1, Awareness and Training (PR.AT) is a category of its own under Protect, but its outcomes are phrased in terms of personnel being informed and trained, not in terms of measured behavior change.
Detect – Continuously monitor systems and networks for anomalous events and unauthorized access so that incidents are discovered and addressed as quickly as possible.
Respond – With the risk management strategy in mind, define how the organization will respond to incidents: how they will be triaged and handled, who communicates with whom, and how damage will be contained and mitigated.
Recover – After an incident, a plan must be in place to restore normal operations, not just to re-secure data but also to keep key stakeholders informed of the actions being taken and to feed lessons learned back into the other functions.
To be clear, the NIST framework is a great starting point for cybersecurity. It works not only as an initial structure for thinking through an organization’s unique security needs and challenges, but also as a pathway to follow: stepping stones that lead you through each phase of the process and, ideally, cycle back so that what is learned during recovery is integrated into the next round of identification and protection.
It’s good, but it could be better. So what do we need to add in order to find that missing piece?
What the NIST framework is missing is a dedicated focus on human behavior at every step of the process. Technology-focused controls matter, but the technical attack surface isn’t the whole picture: 85% of the breaches analyzed in the Verizon 2021 Data Breach Investigations Report involved a human element.
This is where the HRM Framework comes in. Rather than replacing NIST, the HRM Framework complements and strengthens it — ensuring that security leaders can reduce risk from not just a process or technical standpoint, but a human one as well.
Future iterations of the HRM Framework will be aligned with NIST, making it easier for organizations to see how human risk aligns directly with each of NIST’s five functions. The two together provide a holistic approach: NIST as the broad structure, and the HRM Framework as the layer that ensures behavior change and measurable human risk reduction.
The problem with most security awareness programs is that they are measured on compliance (completion rates, attendance, views) when they need to be measured on behavior change. Without integrating the human element, cybersecurity becomes more about checking boxes than reducing risk.
Much like reading that laminated safety card, what does it matter if your employees complete a mandated training, attend a security awareness event, or rack up views on materials if their behavior doesn’t change as a result?
This is why mapping the HRM Framework to NIST is so important. It moves organizations beyond compliance metrics and into true risk reduction.
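To make the distinction between a compliance metric and a behavior metric concrete, here is an added example (not code from Living Security, NIST, or the original post). It assumes a simple event log with a constructed schema (training completions and phishing-simulation sends, clicks, and reports) and computes both the completion rate, which is what a checkbox program reports, and each user's click and report rates before and after their training, which is what a behavior-focused program would watch. The event names, sample users, and data are all constructed for illustration.

```python
"""Compliance metric vs. behavior metric over a constructed security-event log.

Added illustration, not Living Security or NIST code. The event schema
(training_completed, phish_sim_sent, phish_sim_clicked, phish_sim_reported)
and the sample data below are constructed for this example.
"""
from datetime import datetime

# Constructed sample events: (ISO timestamp, user, event type).
EVENTS = [
    ("2022-01-10T09:00:00", "alice", "phish_sim_sent"),
    ("2022-01-10T09:05:00", "alice", "phish_sim_clicked"),
    ("2022-01-10T09:00:00", "bob", "phish_sim_sent"),
    ("2022-01-10T09:02:00", "bob", "phish_sim_clicked"),
    ("2022-02-01T12:00:00", "alice", "training_completed"),
    ("2022-02-01T12:30:00", "bob", "training_completed"),
    ("2022-03-15T09:00:00", "alice", "phish_sim_sent"),
    ("2022-03-15T09:01:00", "alice", "phish_sim_reported"),
    ("2022-03-15T09:00:00", "bob", "phish_sim_sent"),
    ("2022-03-15T09:03:00", "bob", "phish_sim_clicked"),
    ("2022-04-20T09:00:00", "alice", "phish_sim_sent"),
    ("2022-04-20T09:00:00", "bob", "phish_sim_sent"),
    ("2022-04-20T09:04:00", "bob", "phish_sim_clicked"),
]

PHASES = ("before", "after")
OUTCOMES = ("sent", "clicked", "reported")


def _parse(events):
    """Return events as (datetime, user, kind) tuples sorted by time."""
    return sorted((datetime.fromisoformat(ts), user, kind) for ts, user, kind in events)


def completion_rate(events):
    """Compliance metric: share of users who completed the training at all."""
    users = {user for _, user, _ in events}
    completed = {user for _, user, kind in events if kind == "training_completed"}
    return len(completed) / len(users) if users else 0.0


def _rate(bucket, outcome):
    """Fraction of simulations in a bucket that ended in the given outcome."""
    return bucket[outcome] / bucket["sent"] if bucket["sent"] else 0.0


def summarize(events):
    """Behavior metric: per-user simulation outcomes split at the user's first
    training completion. Users who never completed training have everything
    counted as 'before'."""
    parsed = _parse(events)
    completed_at = {}
    for ts, user, kind in parsed:
        if kind == "training_completed" and user not in completed_at:
            completed_at[user] = ts

    counts = {}
    for ts, user, kind in parsed:
        if not kind.startswith("phish_sim_"):
            continue
        outcome = kind[len("phish_sim_"):]
        phase = "after" if user in completed_at and ts >= completed_at[user] else "before"
        user_counts = counts.setdefault(
            user, {p: {o: 0 for o in OUTCOMES} for p in PHASES})
        user_counts[phase][outcome] += 1

    return {
        user: {
            "completed": user in completed_at,
            "click_rate_before": _rate(phases["before"], "clicked"),
            "click_rate_after": _rate(phases["after"], "clicked"),
            "report_rate_after": _rate(phases["after"], "reported"),
        }
        for user, phases in counts.items()
    }


def users_not_changing(summary):
    """Trained users whose post-training click rate did not drop below their
    pre-training rate: the ones a behavior-based program would target next."""
    return sorted(
        user for user, s in summary.items()
        if s["completed"] and s["click_rate_after"] >= s["click_rate_before"] > 0)


if __name__ == "__main__":
    print("completion rate:", completion_rate(EVENTS))
    for user, s in summarize(EVENTS).items():
        print(user, s)
    print("still clicking after training:", users_not_changing(summarize(EVENTS)))
```

On the constructed data both users are 100% compliant, so a completion-based dashboard shows the program as a success. The behavior view tells a different story: one user stopped clicking and started reporting, the other clicks every simulation exactly as before, and it is that second user, not the completion figure, who represents the residual human risk.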
Human Risk Management is the future of cybersecurity, and with the right tools your organization can move beyond compliance-based models and start identifying risky behavior before it turns into an incident. With Unify Insights, security professionals can deploy targeted training to the people who need it most, training that is actually interesting and, dare we say, fun.
Watch how behaviors change as a result, and how risk is affected. Create a custom-fit solution that does more than just tick the boxes. Using Living Security’s Unify Insights platform, you can see what’s missing from compliance-based frameworks: The human element.
The HRM Framework will ensure that companies can align their process, technology, and people efforts — complementing NIST instead of competing with it — and giving leaders a true path to measurable human risk reduction.
To learn more about the HRM Framework, visit www.humanriskmanagement.com.