How human behavior research informs security strategies
In this Help Net Security interview, Kai Roer, CEO at Praxis Security Labs, explores the theoretical underpinnings, practical implications, and the crucial role of human behavior in cybersecurity. Roer explains why a comprehensive understanding of human complexity is paramount in today’s security landscape.
How would you describe the evolution from Security Awareness Training (SAT) to Human Risk Management (HRM)? Why is this shift significant for the industry?
Security awareness training comes from the old and debunked Rational choice theory that stipulates that if given a choice, the person will choose what they know is best for them. Or paraphrased, if you know better, you will always make that right choice. Yes, this is theoretical, so think of it this way: we all know that we should eat healthy, exercise regularly, not drink (too much), and of course, we should not be smoking.
We have that knowledge, and according to the rational choice theory, we would behave accordingly. The problem, as I am sure you can see, too, is that we, humans do not behave according to our knowledge. Instead, we find various reasons, beliefs, and excuses for doing something else. Ask a smoker if they know that smoking is bad for them, and most, if not all of them will agree that it is.
That is the exact problem with security awareness, it expects that as long as employees know better, they will behave better. So, as long as you train your employees, they will know better, and thus they will start to behave more securely.
And we all know that it does not work. This is why many organisations are looking for better alternatives to manage the risk exposed with humans, and thus the past decade of so, a growing number of researchers and practitioners are finding better ways.
This new way is drawing on more recent research, for example Kahneman and Tversky, Dan Ariely, James Reason, and one of my personal favorites, Richard Thaler. These researchers are teaching us that humans are created in a much more complex way than the rational agent idea above.
Instead, they point to factors like motivation, emotions, cultures, influence, power structures, and how easy (or not) it is to do a certain task. This complexity means that if we want to help employees to do the right things, education and training is just one piece of the puzzle, and many other pieces must be added and tweaked.
The Human Risk Management space is trying to embrace this paradigm shift, and create better and more efficient tools to help organisations to reduce risk and improve security. Over the past few years I have seen promising companies in this space emerging around the world, and I believe this is a much needed change in direction.
What risks are associated with misinterpreting or overlooking human-centered anomalies compared to technical ones?
In a reality where most security incidents are traced back to human factors (World Economic Forum suggests as much as 95%), it should be clear for all organizations that the human-centered risks need to be addressed. For example, humans are not computers, meaning you cannot change human nature by patching or upgrading.
Instead, you need to work with the behaviors and the psychology that humans are built with, and use them to your benefit. For example, when social engineers are manipulating your employees to share credentials (a real risk, that happens all the time), your approach should be to mitigate that not only by phishing assessment and training, but by reviewing the whole implementation of security at your organization.
Ask yourself questions like “how easy is it to access our systems with a username and password? What can I do to harden our systems? What can I do to prepare for that incident? How can I tune my organisation to be better prepared to handle the incident when it happens?” These questions are not the same as asking “How can I teach employees to be more secure”, or “How can I stop employees from clicking on links” because the latter question is based on a flawed assumption on your part – I can change how people behave.
Instead, you should understand that the way people are created (biology), humans have behavioral patterns that cannot be changed. These patterns create risk for your computer systems, for example by hackers gaining access by tricking an employee, against that employees will and best intentions. This risk is inevitable, and you can never remove it completely.
Instead of wasting your efforts on doing so, you should be focusing on making your organization ready for the incident and prepared to deal with it quickly, effortlessly, and effectively. Understanding human behaviors will help you fine-tune your security controls and adjust your expectations on what is possible.
In terms of the analytics component, how does incorporating research on human behavior and influence provide an added layer of insight for organizations?
A large body of knowledge on human behaviors has been produced over the past decade by researchers worldwide. My team and I have contributed to many seminal papers.
The main reason to research this topic is to figure out how to deal with it, a riddle that our industry has not yet been able to solve. The interesting thing is that academic research exists describing both how humans are, and how to help humans improve their behaviors, understanding, attitudes and so forth. We apply that research to our analytics and interpretations of the data to create relevant meaning. For example, you have an employee that clicks on a phishing link, and shares their credentials in one of your assessments.
Is it because the employee is stupid? Don’t know better? That they don’t care? Perhaps you believe they do it on purpose? These are all arguments I hear from security professionals. However research suggests that other things are at play. The job role has an impact – if your job is to regularly open documents for review, then you are more likely to open documents, right? Your working platform has an impact – using a mobile device often makes it hard to review the message to discover red flags, and in addition if using a mobile device, the employee is likely to be traveling or otherwise distracted. And what about stress?
Stress has a huge impact on behaviors, and it can be easily triggered.
Research is important because it provides better, but not necessarily perfect, answers than those we have typically applied in the industry. Adding research-based knowledge to our analytics enables better, more relevant insights, and thus makes it faster and easier to understand what is going on. We also leverage research in our recommendations – this makes it much more efficient for security teams to know how to improve security.
How does maintaining a historical record of human behavior data help organizations in long-term cybersecurity strategies?
Behaviors change over time, and being able to track that change has a lot of impact. For example, in case of an incident, you can leverage the historical data for a post-mortem and investigation.
Suppose a breach happens, and your cyber insurance company requests a report of what you have done to mitigate the risk before the fact. In that case, you can back your interventions and controls with how they impacted the behaviors of the employees over time.
In day-to-day operations, you can leverage historical data to create KPIs throughout the organization and track how teams, business units, and even individuals are improving over time. And, of course, historical data allows for trends to be discovered, and based on trend dana, we can visualize and project how the security posture changes over time.
Can you explain the core functionality and unique features of Praxis Navigator and how it aids in reviewing and analyzing human behavior data?
Praxis Navigator is leveraging the customers’ existing data. It connects to sources like the Microsoft Graph API, where we tap into data from incident logs and alerts, to name a few. This existing data is, as many of the readers can relate to, both very rich in detail and quite hard to work with – it is not made to be easily used by humans, it seems.
With the data available, we run them through our “human lens” and create views that make it easy to discover human behaviors throughout the organization and thus identify areas where security may need to intervene. These areas can be further explored, and we add interpretations and context based on a combination of the existing data, available research, and our subject matter expertise. All is built into the analytics and visualization.
By now, you have insights into human behaviors and risk across your organization, and this is how most tools end. My team and I have some unique expertise and research projects in our background that we apply at this stage. Based on the data and analysis, we now provide the customer with targeted recommendations based on what they need.
How does the Terrain model enable security teams to identify problematic and commendable organizational behaviors?
The Terrain Model visually represents human behaviors across dimensions like time, team/individual and risk. The unique feature of the terrain model is how it makes it easy to identify areas where employees exercise risky behaviors. Our human brain is much better at detecting visual clues than trying to find patterns in log files and across thousands of events. We apply that knowledge and make it easy to identify areas for improvement.
The terrain model is also designed to leverage data from any number of sources, from external factors like geopolitics and global security, via your technology stack, all the way to qualitative and quantitative input, from, for example, HR systems and questionnaires.
How does the Praxis Recommendations differ from other solutions in providing actionable insights based on human behaviors?
The recommendations are created based on research into human behaviors, security, and organizational transformation, and draw on a vast body of knowledge. We could have used my opinions and subject matter expertise and be happy with that. But I am biased and may not know it all, so it makes much more sense to leverage the available academic and industry research to inform the recommendations.
We differ because if we have an idea of something that may work, we look for research in that area. If we find nothing, we set up our own research project, and learn if that idea has an impact. Only then do we implement it at scale. And to make sure that our learning benefits as many as possible, we publish our research of course.
Can you explain the role of connectors in the Praxis platform, especially in terms of its integration with other systems like Microsoft Defender?
We believe that most organizations have more data than they can successfully leverage. The problem is not lack of data, but making use of it, and then making sense of it. Our approach is to make the available data approachable by a human – to make it easy for a human to understand what is going on.
We connect to existing data sources that contain traces of human behaviors. One example is Microsoft Defender, which is a trove of human behavior-related data. Anyone who has looked at how that data is presented is likely to agree with me: you need to be a specialist to read any kind of meaning into it. And that defeats a large part of its purpose.
To make matters worse, Microsoft Defender is just one source of interesting and relevant data. Your network is brimming with data, but each vendor has its own take on how to present it, what to include, and how to access it. Our connectors are like translators between a vendor system and our analytics engine and allow us to connect to a growing number of data sources while aggregating the data in one format and structure. This approach makes running our specialized analytics and algorithms much faster and more reliable.
What, in your opinion, are the most compelling value propositions of the Praxis platform for potential customers?
We help customers make sense of their existing data by bringing our highly specialized analytics and interpretations based on the latest research. But by the end of the day, I believe that most customers will value the recommendations the most. Data is good. Insights are great. But nothing speaks louder than action. And the Praxis recommendations tell you what actions to take next.