Building a security awareness training program to develop a strong infosec culture requires time and money, and chief information security officers frequently try to make a case for such an investment by citing return on investment and other metrics of success.
Such demonstrable proof can be elusive, but this week, KnowBe4 researchers released the results of a comprehensive study examining the behavior and security culture of more than 97,000 employees across 1,115 organizations worldwide.
The goal was to see if they could quantify the correlation between implementing a strong security culture and the reduction of unwanted phishing behaviors such as link clicking and credential sharing. Obviously, they have an inversely proportional relationship: as training and awareness improve, risky behaviors go down. But by how much?
Now we know: KnowBe4 found that employees at companies with good security culture/training were 52x less likely to practice risky credential sharing behaviors than workers at companies with poor security culture/training. KnowBe4 claims its study is the first to ever fully quantify this correlation, noting that researchers compiled the data by measuring the behaviors of employees using a phishing assessment platform, and then combining those results with responses from a scientific security culture survey.
"My impression is that many different organizations have tried to measure this in different ways," said Caroline Wong, chief strategy officer at Cobalt.io. (Case in point: this 2020 Global Employee Risk Insights Report from Elevate Security.) But "I think the more actionable data that we have as an industry, the better."
SC asked several experts if possessing such data might be enough for CISOs to justify the value of security awareness training to the CEO, board of directors and other key business leaders.
Joanna Huisman, senior vice president of strategic insights and research at KnowBe4, agreed this would help that cause, explaining that there are three keys to establishing a security awareness program in an organization: “Ensuring that executives understand the relevancy and impact of how the program will favorably impact their specific business objectives, shaping the program to be paramount across all business objectives, and packaging the program metrics as an overall catalyst of managing risk.”
Tom Pendergast, chief learning officer at MediaPro, said the research was a “major step forward” because rather than just aiming to justify the value of a single security awareness solution such as anti-phishing simulations, the study instead makes the case for practicing security awareness comprehensively and holistically throughout your organization.
“Thus, the study provides a strong rationale for the more systemic training and awareness programs that leading analysts and vendors recommend,” said Pendergast. “In short, this research demonstrates that if you are serious about reducing human risk, you need continuous focus on improving your security culture. This is evidence you can take to your CISO to get the funding you need.”
But this is just a start. Experts say there are even more data points out there that infosec professionals can potentially use to demonstrate the benefits of building a strong security culture.
For instance, even though Pendergast said the report endorses a holistic approach to security culture, much of the data was derived from an anti-phishing exercise; there is, he said, so much more to cyber hygiene.
Huisman also had some advice for CISOs trying to make a case. For starters, “focus on a few critical items of measurement that are meaningful and useful,” she said. A good place to start might be examining the correlation between security awareness training completion and employees with high percentages of phishing simulation click rates.
“Look at employees delinquent in their coursework with high phish-prone percentages to identify potential risk,” said Huisman. “Evaluate if your audience can spot a phish, and work with IT to see if they are reporting suspect emails either through the phishing alert button or through other communicated measures. IT can provide metrics on the frequency of what's reported in a post-training environment in order for you to compare with your pre-training benchmarks.”
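The measurements Huisman describes, worked through as an added example (not code from the article or from KnowBe4): phish-prone percentage by training cohort, delinquent employees above a risk threshold, and reporting frequency compared against a pre-training benchmark. All employee records and monthly counts below are constructed sample data.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Employee:
    name: str
    training_complete: bool  # finished assigned awareness coursework
    sims_sent: int           # phishing simulations received
    sims_clicked: int        # simulations where a link was clicked
    sims_reported: int       # simulations reported via the phish-alert button

# Constructed sample records; hypothetical names and counts.
EMPLOYEES = [
    Employee("alice", True, 10, 0, 8),
    Employee("bob", False, 10, 6, 0),
    Employee("carol", True, 8, 1, 5),
    Employee("dave", False, 9, 4, 1),
    Employee("erin", True, 10, 2, 6),
    Employee("frank", False, 6, 0, 2),
]

def phish_prone_pct(e: Employee) -> float:
    """Percentage of simulations this employee clicked."""
    return 100.0 * e.sims_clicked / e.sims_sent if e.sims_sent else 0.0

def cohort_metrics(employees):
    """Click and report rates for the training-complete vs delinquent cohorts."""
    out = {}
    for complete in (True, False):
        grp = [e for e in employees if e.training_complete == complete]
        sent = sum(e.sims_sent for e in grp)
        out["complete" if complete else "delinquent"] = {
            "headcount": len(grp),
            "click_rate": round(100.0 * sum(e.sims_clicked for e in grp) / sent, 1),
            "report_rate": round(100.0 * sum(e.sims_reported for e in grp) / sent, 1),
        }
    return out

def high_risk(employees, threshold=30.0):
    """Employees delinquent in coursework AND at or above the phish-prone threshold."""
    return sorted(e.name for e in employees
                  if not e.training_complete and phish_prone_pct(e) >= threshold)

def reporting_lift(pre_monthly, post_monthly):
    """Ratio of mean suspect emails reported per month after training vs before."""
    return mean(post_monthly) / mean(pre_monthly)

if __name__ == "__main__":
    print(cohort_metrics(EMPLOYEES))
    print("review first:", high_risk(EMPLOYEES))
    print("reporting lift:", reporting_lift([4, 5, 3], [9, 11, 10]))
```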
Still, Pendergast said he’d like future studies to include data beyond just phishing sim results. “We lean on phishing because we have the data; however, we need to figure out ways to identify other behaviors associated with human risk if we’re going to tell the full story,” he noted.
Pendergast said that in order to get a more complete picture, researchers might, for instance, want to incorporate the findings of SebDB (from CybSafe), a cybersecurity behavior database that maps security behaviors to risk-related outcomes and is maintained by security professionals and academics around the world.
But even with more data, "numbers alone are not enough," cautioned Wong. "They have to be viewed through the lens of each unique organization’s risk and security posture, as well as business objectives."
"I think that ultimately when it comes to selling c-suite executives on investment for security initiatives, it’s all about simple ways of explaining risk management in a way that relates to the specific business," she explained.