We talk alot about human risk in the world of security awareness, but rarely have I seen it defined, especially at a high level that anyone can understand. As such, I wanted to take a step back and give you a simple overview of what exactly risk is, and the role security awareness plays in enabling organizations to manage it.
- Security: Let's start with the basics, what exactly is security? Simply stated, security is managing risk.
- Managing: So, what do we mean by managing? There are three ways you can manage risk; you can reduce risk, you can accept risk or you can transfer risk (think insurance). Vendors like us help you reduce risk. Acceptance of risk is primarily an internal process, while transfer of risk is an entirely different field (once again, think insurance). One thing you can never do is eliminate risk.
- Risk: So what is risk? At the most general level risk is defined as the probability of an incident times the harm of an incident. The greater the likelihood something bad will happen, the greater the risk. The greater the impact from an incident, the greater the risk.
- Cyber Security Risk: In the world of cyber security we use the same model for risk but break it down one-step further. Specifically we define risk as Vulnerabilities x Threats x Impact. It's the same model, all we did is break down probability into two variables, vulnerabilities and threats. The more vulnerabilities you have, the more likely you will have an incident. The more threats you have, the more motivated they are, the more skilled they are, and/or the more resources they have the more likely you will have an incident. If you are looking for a more precise definition of cyber security risk, I recommend the FAIR model.
- Security Awareness: So where does security awareness fit in? Security awareness is the specialty of managing human cyber risk. Instead of using technology to manage risk, we leverage employees. Keep in mind, security awareness does not only address deliberate threats (i.e. hackers) but also accidental threats, in other words trusted employees and staff that accidentally cause harm (i.e. auto-complete in email).
- Behaviors. So what do we train people on, how does security awareness manage human risk? By changing peoples' behaviors. Through behavior change you can reduce any one of the three variables that create risk. For example, teach people how to identify a phish, they become less vulnerable. Teach people how to spot an insider, you reduce threats. Teach people how to use encryption, you reduce impact. The goal of awareness is to reduce human risk, and we do that by changing peoples' behaviors. To learn more about behaviors I highly recommend the BJ Fogg behavior model.
- Culture: Where does culture fit in to this? Culture is not just how people behave, but their attitudes, perceptions and norms. This is not only more difficult to change, but more difficult to measure. Ultimately you want an organization that has both secure behaviors and secure culture. However focus on behaviors first. Not only are behaviors easier to change and easier to measure, but as the infamous John Kotter documented in his book Leading Change and more recently Accelerate, changing behavior is the path to changing culture. Finally, just because an organization has a secure culture does not mean it has secure behaviors. For example, you can have employees who believe and understand that security is important, so they focus on locking the front door to the building while happily sharing passwords with the person from 'tech support' on the phone.
So there you have it, a short, simple primer on what security awareness is and the role it plays in helping organization's manage risk.