The human risk factor in cybersecurity: how to assess and reduce it
Ensuring effective IT security is a growing challenge for companies and organisations in today’s digital era. On the one hand, cybersecurity technology continues to evolve; on the other, the human risk factor remains. Human error can compromise even the best protective systems available.
In order to meet these challenges, many companies have for some time been focusing on improving staff training and awareness. Meanwhile, the techniques used by criminals have also changed and become more sophisticated, making them extremely difficult to counteract.
Phishing, psychological manipulation and social engineering are the strategies most frequently employed by attackers. These approaches exploit users’ cognitive weaknesses in order to lead them into dangerous actions with potentially grave consequences for the entire company ecosystem.
Managing the human risk factor
The answer to these problems is known as Human Risk Management (HRM), an approach based on the assessment and mitigation of vulnerabilities in staff behaviours. This process, which serves to create a detailed overview of employees’ awareness and behaviour, focuses on:
knowledge: testing their level of knowledge on topics such as recognising phishing emails, secure password management and data protection;
behaviour: identifying risky practices such as the use of unauthorised devices, unverified software downloads or not carrying out regular updates;
risk perception: understanding how seriously employees take cybersecurity threats and how carefully they follow security procedures.
Observation of the points listed above shows that the complexity of the systems in use tends to discourage employees, making them more likely to ignore security practices. It is therefore essential that organisations find new ways to simplify such procedures.
Making it easy to flag suspicious activities, for example, can encourage workers to keep communications open. As well as reducing errors, it also incentivises active collaboration.
It is also important to emphasise that responsibility should always be shared. This means that each member of staff, regardless of their role in the organisation, must be aware of their own impact on cybersecurity.
Cybersecurity culture: beyond awareness
The introduction of strict security regulations, such as NIS2 and DORA, encourages companies to implement better data protection standards. Nevertheless, complying with the rules does not in itself ensure that the measures introduced are effective. A proactive effort is therefore needed to make cybersecurity an integral part of company culture, by transforming the regulations into tangible, positive behaviours.
Developing a company culture which focuses on IT security is possible, but it requires ongoing training, practice and concrete experience. An effective approach is the use of realistic simulations of an attack (such as phishing campaigns), which are particularly useful in strengthening the reaction capabilities of staff.
Likewise, the use of gamification techniques (with elements such as leaderboards and prizes) can make learning about this topic more involving and stimulating. Other strategies include the use of deepfakes or other advanced techniques, which help to make the dangers more tangible, recognisable and current.
Artificial Intelligence (AI) supports the management of the human risk factor by personalising training and monitoring behaviours. Through the analysis of users’ habits, for example, AI is able to identify irregularities (such as signs of burnout or distraction) which could result in errors. Furthermore, advanced tools make it possible to assess in real time whether these behaviours comply with security policies and to flag potential breaches before they become incidents.
Regardless of the strategy chosen for staff training, it is important to underline that cybersecurity procedures must not be perceived as an obligation imposed from above, but rather as a shared responsibility and a common effort.
Translated by Joanne Beckwith