Apply Human Vulnerability Management to Your Security Program | EP 008
As security professionals, we're all too familiar with the importance of identifying and mitigating risks to our organizations' networks and systems. But what about the risks that arise from human behavior and actions? That's where human vulnerability management comes in.
In this episode, we'll discuss the challenges and opportunities of integrating human vulnerability management into a broader security framework and explore practical strategies for implementing and managing these programs effectively.
Watch the full episode below or listen on Apple or Spotify Podcasts.
Full Episode 008 Transcript:
How to Apply Human Vulnerability Management to Your Security Program
00:00:00:12 - 00:00:29:20
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swan, CEO of Phin Security, and welcome to Gone Phishing, everyone.
00:00:29:20 - 00:00:54:20
I am Connor, CEO at Phin. And welcome back to another episode of Gone Phishing. So today we're going to talk about how you can apply human vulnerability management to your security awareness program. Now, if you haven't already seen it, the previous episode we did was on the building blocks of running and creating a security awareness program, both how you could do that incorrectly, and then how you can do that correctly.
00:00:55:01 - 00:01:23:00
I'm going to reference that at least a few times now. So if you haven't watched the previous episode, please make sure you go do that. So what is human vulnerability management? I've done a couple of episodes in the past about it, but I'm just going to give you a quick refresher, and actually what I'm going to read for y'all is a pitch, a brief Cliff Notes, so to speak, of a speech that I'll be giving at a conference that's coming up soon.
00:01:23:07 - 00:01:52:01
So point number one is that humans are bad at understanding how they are uniquely vulnerable to social engineering. It's very hard to recognize it. Two is that, a lot of the time, security awareness programs are amazing. They're great. They're needed, but they're used by a lot just to check a box. And they don't do a ton at remediating the real risk of a person falling for social engineering and then having their money, information and access stolen.
00:01:52:01 - 00:02:23:05
Three is that what is missing is an accurate picture of individual behavior and their unique vulnerability, and then using that picture, which we should be able to gather, to deliver individualized training and individualized assessments that properly mimic the real-world social engineering that they're going to recognize. And then fourth is basically a summary: we're bringing the framework, that is, assess, validate, prioritize, remediate and verify, to humans.
00:02:23:18 - 00:02:50:17
So it's a common framework, used in penetration tests and just in understanding how software, networks and hardware are vulnerable. And we're bringing that to humans. That's what we're trying to do. So that is human vulnerability management: creating a program that hits all of those points. It's understanding what a human is uniquely vulnerable to and using that to craft an individualized educational experience for them.
00:02:50:22 - 00:03:29:23
That is a combination of tests, it's a combination of videos, it's a combination of content, followed by actual understanding of that content. So one thing that I always thought about when I was first building Phin was: why don't we actually find how people are vulnerable to social engineering? First week, let's just say it's random at first. But once people start to latch on to being vulnerable to certain forms of social engineering, whether that's appeals to authority, whether that's FOMO, whether that's urgency, whatever it is that is switching some kind of behavior in their brain.
00:03:30:03 - 00:03:56:07
We should be able to recognize that, at least in part, once people start to interact with our phishing. And then after they've started to interact, what if we delivered more of that, crafted in a unique way to represent what that person's vulnerable to, to teach them to recognize it moving forward? And so really, what, you know, a lot of employees have told me is when they get phished, they'll just get a video that they've already seen five or six times.
00:03:56:18 - 00:04:17:22
And they mute it. They move it to their second monitor and they move on with their day. A couple of things happened there. The employee failed a phishing assessment, and we could argue about what that really means, but they failed it. They were trained, and the company paid for it. A company pays for that training to get delivered, and the employee didn't get any new information.
00:04:18:03 - 00:04:36:20
There's no new behavior that that employee is almost certainly going to actually show as a result of that. So what's really missing is this step-by-step walkthrough of it. It's almost like a conversation. Like if I were sitting in front of a person, what I would want to say to them is, Hey, we just discovered something that you're vulnerable to.
00:04:37:16 - 00:04:55:17
It was the fact that if your boss emails you at 4 p.m. on a Thursday, you're probably going to get flustered, or whatever it is, you're going to be in a mental state where you're likely to take whatever directed action is in that social engineering attempt. So let's uncover what it was this time. Okay?
00:04:55:17 - 00:05:10:12
Can you open up the sending information? And I'm just going to use a few very common examples here because I don't have a phish in front of me that I'm actually looking at. But it's: can you open up the sending information? Can you hover over the attachments? Can you really see what the end result of this link is?
00:05:10:12 - 00:05:28:12
Can you click on it and can you go to the website? Can you verify that it's not only HTTPS connected but also the actual domain name? Just because you have the little lock in the corner doesn't mean that your website's actually secure and you're not on a malicious website. A lot of people don't know that.
00:05:28:19 - 00:05:43:13
So there's a lot of steps. It's a lot of diving into what happened that we can go through with this individual, that I would want to do one on one, and it's just not feasible given how many people there are on the planet, and help them to recognize: these are the unique ways you can recognize your own unique vulnerability.
00:05:43:18 - 00:06:09:00
And we just discovered them together because we delivered you an assessment that had these things in it, and you passed some and you failed others. So it's really simple. That is the end goal that I would like to bring with Phin and that we're bringing into this world: how can we help people recognize that they're uniquely vulnerable, and then having that one-on-one experience with them to teach them what happened and how they can prevent it.
00:06:10:01 - 00:06:28:06
So why is it important that we do any of this? You know, security awareness training is a check-the-box program sometimes. You know, if you listened to the last episode, you know that there are many, many companies that do this incredibly well. There are many practitioners in the space that are doing this well, that are great at what they do.
00:06:28:09 - 00:06:53:00
And there are many companies that listen to them or have experts on staff, where they do this very effectively. So what is the reason you should include this in your security programs? Well, if we for a second think about what the end result of human vulnerability management is, it is essentially that people are more inoculated against the social engineering that they're likely to face.
00:06:53:09 - 00:07:27:01
And so I've brought this up on previous episodes. I'll bring it up again because it's a hot-button topic. According to Verizon's Data Breach Investigations Report, something like 82% of breaches involve the human element. I'm not here to discuss the efficacy of, not only, well, the data looked at here, but the interpretation of that. But it's very clear that humans making mistakes, or humans doing something unintentional, or very complex individuals, is the reason that a lot of breaches happened, or that we're exposed to a lot of risk, is another way to put it.
00:07:27:10 - 00:08:06:12
And so why would it be important to include actual vulnerability management, human vulnerability management, in your program? It is to simply reduce the risk that a breach occurs because a human made a mistake that resulted in the theft of information, access or money. That's it. If we can actually materially reduce the risk, or even demonstrate in some way, shape or form that we've reduced the risk that that occurs en masse in a company, that is an incredible amount of not only cost saving, whether that's on a cyber insurance policy or, I don't know, if you're part of setting aside money in the event that a breach occurs, so you can not interrupt business.
00:08:06:19 - 00:08:27:14
Whatever it is, the cost savings are enormous, both from a time perspective of employees not having their work interrupted as a result of dealing with ransomware, I'm just throwing out random examples, but also the actual money that that would save. The expected value of the cost of a breach times the likelihood it's going to occur goes way down.
00:08:28:05 - 00:08:57:02
So what are a few practical steps? So we've talked about human vulnerability management. We explained why it's super important, that it needs to exist in your program. What are some practical steps you can take today to build it into your security awareness program? So in the previous episode, I went through a few things; the primary four things that I went through were some ways that I see programs measured incorrectly.
00:08:57:18 - 00:09:22:04
So the first thing you can do to incorporate human vulnerability management into your awareness program is to begin measuring correctly, and I'm not going to dive into it completely. But basically, if the data that you're collecting does not actually show the full picture of what employees are vulnerable to and how they're vulnerable over time, you're missing information. And you should figure out how to collect that.
00:09:22:13 - 00:09:49:12
I go into much greater detail in the previous episode about that, so I highly recommend you go take a look at it. But basically, you need to be collecting more information and then interpreting it correctly. The second is to, in some material way, properly represent the social engineering environment that employees are going to experience.
00:09:50:11 - 00:10:22:04
What I mean by that is, if you actually deliver more phishing assessments, more social engineering attempts, whether that's business email compromise scams, voicemail scams, USB dropping in the parking lot, the goal of human vulnerability management, too, is to expose people to reality, to teach them what they're vulnerable to before it becomes an actual problem. So that is the second thing you can do.
00:10:22:12 - 00:11:05:13
And the third thing you can do is begin measuring the company's sentiment of the awareness training program in total. So the biggest disconnect I see between awareness training programs that are going well and awareness training programs that are not is, simply put, the employees are not bought in. There is this, perceived or real, not sure, and in some cases it differs, belief that the IT team, the security team, the people, whatever your company calls it, are in some way, you know, rooting against the employees at a company.
00:11:06:00 - 00:11:32:00
And there's this friction that's created between the IT folks and just the employees that are not in IT. And so two things you can do, really, really simple things you can do: your HR is probably conducting, you know, random surveys. Add a couple of questions on the awareness training program, and the IT program in general, about what people really think about it.
00:11:32:21 - 00:11:53:09
And the second is make sure the stakeholders at your organization are bought in and have told every employee that they're bought in. Just send an email saying, Hey, this is super important for us this year. This is one of the things we're focused on. It's making sure we can continue to operate as a business by making sure everybody is properly inoculated against social engineering, in our best estimates.
00:11:54:00 - 00:12:20:09
Those are two things you can do to start to cut away at that divide, if that exists. So that is why human vulnerability management is important. Those are three really simple things you can do today to begin moving in that direction, and you'll start to see a lot of changes. I've seen a lot of changes in the companies that have either, you know, worked with us to adopt some of that or come to us already doing that.
00:12:21:08 - 00:12:38:00
And so I would highly recommend considering those three things. If you need any help or if you have any additional questions, you can find me on LinkedIn, you can find our company, you can reach out to us, you can ask us questions. We're always willing to help you apply some of these principles in a little bit better way.
00:12:38:00 - 00:13:09:04
Everyone's situation is unique, and we're no stranger to that, but we can help you in a lot of ways. So thank you again for joining me. It's always my pleasure to help bring some of this education to you, and I will see you on our next episode. Thanks so much for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits,
00:13:09:10 - 00:13:24:03
then check us out: Phin Security at phinsec.io. That's phinsec dot IO, or click all of the wonderful links in our show notes. Thanks for phishing with me today and we'll see you next time.