Let’s try to visualize a high-risk employee. What do you see?
We all know some employees are considered more high-risk than others. These are the ones who fall for cyber-attacks more often. In fact, in many organizations, we see that a very small group of less than 20% of the overall employees is statistically responsible for the majority of the risk.
In order to properly support this group, and modify their behavior or our response, we first need to be able to identify it correctly, based on defined rules and data.
Without data, our minds make assumptions. We might think that older people are more prone to falling for phishing scams because they are less tech-savvy, or that younger people are easily distracted and, because they pay less attention, could more easily be caught out. These assumptions may or may not be true, but either way they don’t let us say anything meaningful about our organizational risk landscape. For that, as we said, we need data.
Identifying and Calculating High-risk Employees in Security Awareness Training
It can feel like an urgent task to identify and control high-risk employees in any organization. After all, a single high-risk employee is enough to lead to a large-scale data breach or cyber-attack. It only takes one person to click on the wrong link to cause serious harm. This unequal risk is important to take seriously, but the process for identifying, calculating, and controlling high-risk employees needs to be considered carefully.
Some organizations will measure high-risk employees by sending two or three simulations, catching the employees who fall for those, and marking them as high-risk. However, the result can be completely random. The staff member who was home sick that day will be marked as low-risk, while the person who got the more difficult simulation will be marked as high-risk. There is a lot of context in phishing scams, and a lot of dumb luck. If an employee receives a phishing email saying their flight is delayed on the exact day they are due to fly, they are far more likely to click on that link. That doesn’t automatically make them high-risk. It’s just context.
To separate signal from noise, you need continuous testing, with at least 10 or 12 data points a year. This allows you to sift out both the non-appearances and the contextual discrepancies, and get the clean data you need to truly measure high-risk. Once you have the data, the actual high-risk group needs to be calculated using a sound formula and algorithm that measures risk effectively. The simulations can’t all be weighted equally, for example: in terms of learning and growth, clicking on the first email says less about the employee in question than clicking on the twelfth.
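As an added example (not CybeReady’s algorithm, which the page does not describe), the following Python sketch applies the scoring rules stated above: absences are dropped rather than counted as a pass or fail, nobody is labelled before the six-simulation minimum the transcript below mentions, and a click on the twelfth simulation weighs more than a click on the first. The linear weight ramp, the 0.40 cutoff, the learning-pace check and the sample data are all assumptions constructed for the illustration.

```python
from typing import Dict, List, Optional

MIN_DATA_POINTS = 6      # page: at least six simulations before anyone is labelled high-risk
HIGH_RISK_CUTOFF = 0.40  # assumed cutoff on the weighted score; tune it to your own data

# One simulation outcome per employee: "click", "report", "ignore", or None (absent, no data point).
Outcome = Optional[str]

def observed(results: List[Outcome]) -> List[str]:
    """Drop absences: an employee who was out sick that day is neither a pass nor a fail."""
    return [r for r in results if r is not None]

def weighted_click_score(results: List[Outcome]) -> Optional[float]:
    """Fraction of click-weight over the observed simulations. The n-th observed
    simulation gets weight n, so a click on the twelfth email costs far more than
    a click on the first. Returns None below MIN_DATA_POINTS."""
    seen = observed(results)
    if len(seen) < MIN_DATA_POINTS:
        return None
    weights = range(1, len(seen) + 1)
    clicked = sum(w for w, r in zip(weights, seen) if r == "click")
    return clicked / sum(weights)

def is_learning(results: List[Outcome]) -> Optional[bool]:
    """Pace check (assumed): is the click rate in the later half of the employee's
    own observed simulations lower than in the earlier half?"""
    seen = observed(results)
    if len(seen) < MIN_DATA_POINTS:
        return None
    half = len(seen) // 2
    early = seen[:half].count("click") / half
    late = seen[half:].count("click") / (len(seen) - half)
    return late < early

def classify(results: List[Outcome]) -> str:
    score = weighted_click_score(results)
    if score is None:
        return "insufficient-data"
    return "high-risk" if score >= HIGH_RISK_CUTOFF else "low-risk"

def high_risk_group(campaign: Dict[str, List[Outcome]]) -> List[str]:
    """Employees whose weighted score crosses the cutoff, sorted by name."""
    return sorted(n for n, r in campaign.items() if classify(r) == "high-risk")
# Constructed sample: 12 monthly simulations for three employees (not real data).
C, R, I, A = "click", "report", "ignore", None
SAMPLE_YEAR: Dict[str, List[Outcome]] = {
    "beginner":       [C, C, I, R, R, I, R, R, I, R, R, R],  # two early clicks, then learns
    "still-clicking": [C, I, C, I, C, C, I, C, C, I, C, C],  # clicks at the same rate all year
    "often-absent":   [A, C, A, A, C, A, A, A, C, A, A, A],  # three data points: not enough
}
```

With this scoring, the "beginner" who clicked the first two emails and then stopped lands far below the cutoff, while the often-absent employee is not classified at all until more data arrives.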
Now You Have Your High-risk Employees… What Can You Do About it?
The truth is, our data shows that most employees will learn, although some take longer than others. Chasing these employees with sanctions or forced training doesn’t do much good, because learning doesn’t work that way. Chasing lower-performing employees doesn’t make them high-performing, and you will always have high-risk employees; that’s just the law of averages. It’s important to accept that the goal isn’t to have 0% high-risk employees, as this isn’t possible.
Instead, we need to ask – how much risk is too much risk? Look at your high-risk employees and measure whether they are learning, and learning at a good pace, rather than if they are learning faster or better than others. This will help you to ascertain if your security awareness training is going in the right direction.
If you get to the point where you’ve minimized your high-risk group to a healthier number, and you’re still concerned about their pace of learning, this is the point where you can harden your security in other ways, such as putting controls over these high-risk employees’ machines or access.
How to deal with the challenges of high-risk employees? Read the full video transcript here:
It’s not about the average click rate
Organizations are faced with three challenges with high-risk employees. How do I identify this group? How do I minimize the group? What do I do with the employees that are left in the group? To identify the high-risk employees, you need enough data points. It’s not about the average click rate per employee. An employee clicking two out of three simulations is not high-risk; they’re just a beginner. For instance, we only use at least six simulations to be able to say that someone is in the high-risk group. Once you have enough data points, you can build high-risk KPIs on identifying behavior within phishing simulations.
Train your employees continuously
You have an actual size of the group, and you should expect to begin your phishing simulations with anywhere between 5% and 25% of the employees being high-risk. Then you want to minimize them. It takes training. Now, some employees need six different simulations to reach their end game. Others need 10 or 12. You need to train your employees continuously, and maybe with the high-risk group you need to train them even more. Ideally, you’ll do this automatically in the background: just train them more. This way, you’ll be minimizing your group into a manageable proportion of the organization. You should expect that after a year, that will be anything between half a percent and two percent.
You have other tools than training
You have to remember that as security officers there are more tools available in your toolbox than training. You can identify those named employees and maybe harden their laptops. You can enforce strict policies on their web access. You can do a lot of things that you cannot do with every employee, so with a continuous awareness program, that is what you do. You’re able to identify the high-risk employees, you’re able to minimize that group, and for those that are left in the group, you’re able to contain the risks associated with them.
Want to see the CybeReady algorithm in action? Schedule a call.