
Why Continuous Education, Training and Awareness are Essential for Cyber Resilience

20 July, 2023

Could you imagine an airplane being flown by an untrained pilot? What if you were told that the pilot had never been trained in a simulated, realistic environment? Thankfully, airlines invest in training their crews against 'real-world' scenarios long before they are trusted with passengers. In this blog, we explore why a similar training approach should be adopted for the key roles in cybersecurity: from CISOs to SOC Managers, Incident Response Team Leaders, SOC Analysts and Penetration Testers. After all, the threat landscape is constantly changing in today's digital society. Cybersecurity employees should therefore be properly vetted and continuously trained so that their organizations can focus on their future goals while preserving their business resilience.

Organizations may have layers of 'top-notch' cybersecurity technologies and well-written, great-looking processes. Unfortunately, they often do not invest enough in measuring and improving the human layer of the cybersecurity chain. The reality is that they mainly rely on the skills and past experience of the people they hire. This highlights two key issues. First, the skills of onboarded cybersecurity professionals are rarely assessed beyond interview conversations. Where they are assessed, the assessment is often based on subjective, outdated, and sometimes irrelevant criteria. According to CareerBuilder research, for example, 74% of employers admit they have hired the wrong person for a position.

Second, cybersecurity training that truly prepares personnel and makes them cyber-ready is seldom deployed. Regulators have started to require it: the UAE Information Assurance Regulation, for instance, requires the periodic identification of the cybersecurity skills an organization needs (To-Be), an assessment of the skills it currently has (As-Is), identification of the gaps (As-Is vs. To-Be), and the development of a comprehensive training implementation plan to close those gaps.

Effective cybersecurity training, awareness, and education programs not only provide the required knowledge and skills but also reduce the rate of human error. According to an IBM study cited by Security Magazine, human error was a major contributing cause in 95% of security breaches. To put this into perspective, 19 out of 20 incidents or breaches could have been avoided or better managed if the associated human error had been eliminated or reduced.

The UK Health and Safety Executive (HSE) classifies human errors as skill-based errors (slips of action or lapses of memory) or mistakes (rule-based or knowledge-based). In the context we are addressing, the root causes that create or influence such errors include poor situational awareness and a lack of the required knowledge, skills and abilities.

Other contributing factors should also be considered, such as the behavioral and psychological traits of individuals (e.g. negligence, impulsivity, perception, misassumption, etc.) that can trigger human error.

Organization-wide cybersecurity culture also plays an important role. For example, the seven C-CAT dimensions of cybersecurity culture defined by CybSafe are Trust, Justice & Fairness, Responsibility, Resources & Communication, Productive Security, Ease & Choice, and Community. Other factors that shape the culture include the physical environment of the workplace, organizational policies (e.g. Work-from-Home, Bring Your Own Device, etc.), the adopted practices around decision-making, and expectations about multitasking.

Key Takeaways

Evaluating an organization's readiness to respond efficiently and effectively to cyberattacks requires several assessments and a variety of metrics across people, process, and technology capabilities. Organizations that want assurance over their cyber readiness and resilience should consider investing in:

  • Periodic cybersecurity training needs analysis (TNA), including the assessment of individuals’ knowledge, skills, abilities and other characteristics (KSAOs)
  • Periodic cybersecurity awareness, behavior, and culture assessments
  • Comprehensive and engaging cybersecurity awareness programs to promote cybersecurity hygiene, positive behavior, and productive culture across the organization
  • Hyper-realistic training environments (e.g. cyber ranges), training labs, and other bespoke training solutions for fulfilling identified training needs

It is true that humans are often the weakest link in an organization's cybersecurity chain, but they can also be the strongest link when effective cybersecurity training and cultural improvement programs are in place.

Authors: Ibrahim El Abed, Sourav Guha Roy

References:

(1) Nearly Three in Four Employers Affected by a Bad Hire, According to a Recent CareerBuilder Survey: https://press.careerbuilder.com/2017-12-07-Nearly-Three-in-Four-Employers-Affected-by-a-Bad-Hire-According-to-a-Recent-CareerBuilder-Survey

(2) UAE Information Assurance Regulation v1.1 (March 2020), Controls M3.1.1 and M3.3.2.

(3) 95% of Successful Security Attacks are the Result of Human Error: https://www.securitymagazine.com/articles/85601-of-successful-security-attacks-are-the-result-of-human-error

(4) UK HSE Leadership and Worker Involvement Toolkit, Human Failure: https://www.hse.gov.uk/construction/lwit/assets/downloads/human-failure.pdf

(5) CybSafe, Meaningful Metrics for Human Cyber Risk: https://www.scopeme.com/cybsafe/CYBSAFE-Meaningful+Metrics+whitepaper.pdf
