Transcript
We were just discussing what we can do to make the audience more engaged. Would we like to do a little dance together right now? Because we understand it's the end of the day. And it's been a long day. We are literally at what you can call the home stretch. We are that barrier between you and the fantastic party that has been planned for you. But what we thought is that maybe we can try to make this session light, interactive, and most importantly, worth your time. So on that note, very quickly, I'm Kanu, the product marketer at SoSafe. And I'm thrilled to be here with Lisa, the product manager at SoSafe. In terms of product, we both work on Human Risk OS and Sophie. So in case you have anything around insights and interventions that you would like to ask us, please find us at the product zone tomorrow. What we have done in terms of agenda, considering it is the last session, we have tried to keep it very, very simple. And as I said, let's make it interactive. We are happy to be answering your questions. And we would also love to understand the challenges that you are facing when it comes to managing human risk. Our topic is going to be the 3Ms of human risk management, which is monitor, measure, and mitigate. And you know why we think this is super critical? We all know it. What we can't measure, we really can't manage. And more importantly, the whole challenge of the human factor, the people part of cybersecurity, is getting more and more critical as the threat landscape is increasing. In case anyone has some energy left, we would love to know what features you see in a strong security culture. Anyone? And yeah, please, of course, not password 1, 2, 3. But would anyone like to answer this for us? Sure. Thank you. Anyone else? That was people who report incidents. Yeah. Proactive engagement. Perfect. Thank you so much. Thank you. Security what? Champions. Yes. That's a good word. Thank you so much. So yes, all of this is absolutely correct and more. 
So these are some of the examples of what we can call a strong security culture. And, you know, I mean, being proactive about risk management, being very vigilant, encouraging your colleagues and teammates to adopt secure behavior and more. In summary, if I have to summarize the slide, what we would like to call it is that instead of just being security aware, if your team and you are security engaged, then let's call it a positive trait for a security culture. Is this all theory? Actually, no. You know, if we go by the survey, 94% of security leaders prioritize building a strong security culture. And why do we think this is important? Because finally, you know, people are the front line. Whatever compliance programs and policies and regulations we develop, if everybody is not on board, things fall. We all know this. And here is some data for us to substantiate that. While 94% of security leaders were prioritizing the whole security culture and it was a top priority for them, here's a quick reality check for all of us when it comes to security pitfalls. You know, summing it up on the left-hand side, what you see is that despite the awareness and willingness, more than 60% of our employees and teammates actually end up falling prey; they end up adopting security practices that we will not call so perfect. For example, people do save their passwords directly in the internet browser. They still click emails and links from suspicious email IDs. And if we have to, going by Gartner data, almost 93% of employees actually acknowledge, they agree, that they have ended up contributing to risky behavior, sometimes intentionally, sometimes unintentionally. So, I mean, we all know that managing human risk is not that easy. There are a lot of challenges that are practical and there are many, many, many reasons for it. 
But if we have to speak about it, there is so much workload and pressure amongst all of us, specifically security professionals, that employees do end up making poor choices despite all awareness and willingness. To add to that, you know, this whole cyber security landscape is not easy to understand. The terms are very complex. Not everybody understands this much of the technicality of it. The third one, which is super critical, the quantification of risk still remains a challenge. What happens is that there's so much talk, there's so much jargon, but are there numbers that we can chase? Are there numbers that we can look at and understand how to drill down further? What kind of impact is it creating? Are there things that I should focus on when it comes to quantification of this? That quantification part is still missing in many, many organizations. And needless to say, we all know that with everything that is happening around us, the cyber security landscape is getting more and more complex. And thanks to AI, it's actually at a speed that we all just do not understand. So what's the need for our? We all know it. I think you all would have been listening to different speakers, right from our keynote to the DG session, to all the product masterclasses that we attended, that there's a need for holistic human risk management. And what do I mean by this? This is the perfect time for me to quickly speak and introduce you to the 3M framework. What do I mean by this? Of course, monitor, measure, and mitigate. So observe. It starts with observing. Monitoring starts with observing where things are falling. Where are the pitfalls? What is it that I can do? Then measure. Quantify the risks that we have. What is the impact of it? Is there any number that can help me track what it was yesterday versus what it is today? And most importantly, mitigate the overall management aspect of it through targeted interventions, personalized recommendations, and more. 
So with that, I would like to pass it on to my colleague, Lisa, who is going to help us understand how we actually, practically implement this 3M framework through our products like Human Risk OS, which we are personally very excited to build and bring to you, and also introduce us to some behavioral science principles that are going to help us understand how to bring the human factor to the front of our overall security practices beyond compliance and regulations. Thank you. Over to you, Lisa. Thank you so much, Kanu. All right. Let's take a look at the Human Risk Operating System. I talked, I recognize some faces. Some of you have already been at the product zone about insights and HRS. If I repeat myself, I'll quiz you on it tomorrow. All right. But the Human Risk Operating System is our attempt to bring the human element, to make that hard-to-detect human element of cybersecurity visible across the data that we get from our own SoSafe products and also from integrations with your tech stack. So we are trying to visualize the human element. And we do that by, like, that's the monitor piece of it. And then we measure it. So here's a quick look at what we are doing with the human security index, the human operating system. We are measuring different types of signals across a couple of dimensions, awareness, behavior, and culture, which we call the ABC scores. So we monitor signals across data sources. We measure them, as in we translate them into a scoring system. And then we offer you behavioral change-based interventions to mitigate the risk that we see in the data and in the behavior of your workforce. And for that, we are, or the long-term goal there is that over time, as we work on this together, we transform your kind of reactive cybersecurity culture and posture into a proactive one. And we're going to take a closer look at how we do that now. So let's take a look at the score aspects first. I just mentioned the human security index. 
That's our overarching score. We'll see that in the demo as well in a little bit. But the score is computed out of three different aspects, the ABC scores, awareness, behavior, and culture. You can almost blank on that for a second. But so what awareness means is what your employees should know, from how they answer their learning assessments, how timely they are with their overdue required modules and so on and so forth. What should they know? And then we go to behavior where we say, based on what they should know, are they using it correctly in practice? Do they click correctly in the phishing simulation emails? Do they actually use multi-factor authentication or do they try to avoid it? How do they behave? Do they apply the knowledge that we think they have based on the awareness scores we see? And then lastly, culture. How do they feel about cybersecurity? That's what Gundi said in the presentation earlier. Culture is very important and tricky to measure. The idea there is what is their attitude towards cybersecurity? What are their beliefs around cybersecurity? Do they know that they have an individual responsibility to keep your company safe? We know that cybersecurity at this point comes down to individualized attacks, right? Social engineering, someone from the finance department plugs in a USB stick. It's down to the individual, but does the individual know that they have as much risk, as much impact, as much of a job in protecting all of you? That's what culture is. So between those three, we calculate the Human Security Index to give you an at-a-glance view of how you're doing, how you're performing over time from a human security or human risk perspective. And before I go into what we do with that data, how we actually change the behavior and the attitudes we see, let's talk a little bit about behavioral science. There are three behavioral science concepts I want to walk you through today. First one, social proof. We love knowing what others do. 
When we are in uncertain situations, we're unsure of what choice to make. We look to someone else and see, have they made a similar choice before? Can I rely on expertise in my peer group? And it's a very interesting one because we're all, you know, we're all a little tribe-based. So one example for that is very simply, excuse me, e-commerce product ratings. Is this coat warm enough? You know, but also another example might be our own SoSafe product rating of 4.9 for customer satisfaction on Capterra. We want people to know that by using social proof, we let people know that this is a reliable choice to make. Others have made this choice. If you make this choice, you belong. It's a very, very interesting psychological trait, right? Next concept, nudging. Nudging is an attempt to lower the mental load that it takes to make a decision. We don't push you toward a decision. We don't make the decision for you. We don't punish you for the decision we want you to make if you don't make it. We just nudge you toward it. An example in behavioral UI design is password strength indicators. You've all seen them, right? You put in your usual password, and there's a little progress bar at the bottom that says, actually, that's kind of weak. Don't you want a strong password? Don't you want to be more secure? Maybe you add a couple of, like, symbols, numbers, whatever, to go all the way to green. That is nudging. And then last, but definitely not least, positive reinforcement. That one is so deceivingly simple, yet so impactful. The idea behind that is if you made a choice and you made a good choice, and someone rewards you for it, your boss gives you a well done, a video game gives you an experience point, SoSafe gives you a badge, it pulls on the reward system in your brain. You want to make that choice again. You want to get a reward again. It is very simplistic and also extremely effective. 
So by putting all of these concepts together, these and many more, there are dozens of behavioral science concepts that I'm sure Gundi is happy to talk to you, too, about, and we can talk about them more. By putting them together and understanding what drives human behavior and what drives decision making, you then have the opportunity to intervene, to foster the behaviors, the attitudes, the beliefs that you want to see. It might sound a little manipulative, but it's really not. We're just nudging. We're just positively reinforcing. We're not being weird about it. But that's the idea of we understand, we help you understand, why does it take your employees so long to complete your learnings? Do they understand what impact they have on security? We help you understand that, and then we help you apply the behavioral drivers that we think are going to change their behavior and foster the behavior you want to see in the workforce. All right, let's take a look at the Human Risk OS. You might have seen this demo if you were part of the product keynote, so we're not going to spend too much time on it. But what you'll see, this is the current version of our human risk operating system. Yeah, that's a word. On the top is the one KPI to rule them all, the human security index. It gets broken down into the three score aspects. And then below that, you're going to see the events table. So you actually see a list of all the security signals that drove the impact of the scores. And to the right of that, you'll see the interventions that we recommend you take to change the behaviors. This example here is a positive reinforcement example. It was kind of fast, but the intervention said, praise your security champions. Maybe some of your departments are actually performing really well. Just send them a quick note. That note can come via Sophie, our chatbot. It could come via email. It could potentially be signed by your CISO to make it a little bit more personal. 
So in this example, it's probably hard to see. It says, hi, Jenny. Good job killing it on the recent security assessment or whatever it might be. This is not something that will go to everyone so that people start hating Jenny. This is something that will just come to Jenny as a little recognition of how she's been doing, how hard she's been trying to keep the company safe. All right. Then, to save us all some time, let's start wrapping up already. To bring all this back to the 3M framework that Kanu talked about, monitor, measure, mitigate. We're monitoring different signals across behavior, awareness, and culture through both our internal SoSafe tech stack as well as external integrations that are fully optional if you don't want to feel surveyed by them. Then we measure them. We apply the human security index algorithm to calculate the right data. Actually, let me throw something in here that I've been asked today. How smart are these scores? The behavior score, for example. Some of you might already be using our phishing simulation. And that has an analytics dashboard as well where we see the click rate. But click rate is a tough metric, right? Because if you change the difficulty of your phishing simulations, click rate will go down. That is expected. But it looks bad when you look at the data over time. What we do here with putting this human security algorithm on top in our behavior score, it's weighted. That means if someone fails a hard phishing email, that actually counts less toward the score than if someone fails an easy phishing email. And vice versa, if someone succeeds at a hard phishing email, that counts more. That is more important and more impactful. So this layer of sophistication just gives the analytics a little more depth. All right, so that is the measure part of it. And then the mitigate part with the interventions, changing behavior, fostering lasting behavior change, and transforming into a proactive security stance. 
All right, and then if you're ever curious about what's next for the human operating system, come talk to us. We have a very, very exciting roadmap where we talk about what other integrations, what other signals we want. How can we evolve the culture score to make it more sophisticated and to make it more dynamic? Do we want to use Sophie as a culture pulse check tool, for example? Also interesting to a lot of you, comparisons and benchmarks. How do I rank up, stack up against other players in my industry? How are their employees doing across the human security index? So there's a ton of very interesting stuff on the roadmap. We're happy to talk to you about it. And we also have a Lighthouse program. If you want to try this, come talk to us. And we talk about a proof of concept. And that also gives you exclusive roadmap insights, of course. Thank you so much. Thank you. And our last wish would be that this whole 3M framework, let's not keep it as one of the checklists. Just like we follow policies and regulations, let's keep it as a high click and iterative effort. Looking forward to seeing you all in our insights and interventions session tomorrow. Thank you. Awesome. Thank you so much, ladies, for joining us today. We all probably appreciate that we're keeping it a little short as the last session of the day before we get our treats. Because with all the cookie references today, I want a treat now. Before we get there, though, does anyone in the audience maybe have a question? I see a hand right here. And the microphone is coming. So you had the... Oh, was it for you? No, no, you have it. We had the intervene section. And you talked about some measures, some measurements we have. For example, a lot of people are using their personal email account on the work device or even Dropbox or something like that. On intervene, should we intervene on the culture or should we intervene by saying we block all Gmail or Dropbox? 
I have a colleague who said, OK, if security is blocking it, I will find a way to make it work because I need it. Right. So more focus on the culture? I think so, yeah. Because that is a good example of do I understand the why? Do I understand why I shouldn't be doing this? I mean, I like a good workaround myself. But if I know what the actual risk is, how do I... How does this make me more of a risky person for my company? Maybe at some point you'll see what your risk factor is and you see your individual risk factor go down because of what you did. That might make more of an impact than actually trying to lock it down. Also, trying to lock everything down. Humans are so inventive. They will always find a workaround. So yeah, exactly. I would call that a behavior measure or a culture measure. Exactly. Any other questions? I see a question up there. Florian is coming with the microphone your way. Good eyes. We had the example of a grandma of our colleague speaking in the video earlier on. So she was attacked, so to say, by voice phishing. And how do we want to measure this? Because now we do have click rates, we have e-learnings that people are doing, etc. And when we do focus on monitoring things like that, is there something we have in mind that we can measure this part as well? I'm starting to think about phone provider integrations and text provider integrations. Like, this is not on the roadmap yet. Yeah. Public. No, no, no. But it's an interesting concept to think about, right? How do we get that data? Because that culture, that context is extremely important because it affects security so much. But we don't have a SoSafe tool to pull that from. But we do have other providers to pull from. Maybe at some point we do interface with a phone provider. And I'm trying not to look at my SoSafe colleagues so they don't, you know, it looks cuckoo. No. But to see how many spam calls does this person get? How many of the suspected spam calls might they answer? 
Is it something to think about or something that I'm thinking about? And it would be cool if we could get there. Closer on the roadmap is email security providers, like email, like Proofpoint and so on. And also, of course, our own phishing report button where we want to have that feedback loop of how often are phishing emails, how often are there false positives, false negatives? How many emails do people have to deal with? How does that factor into their stress levels, which might then, again, increase the risks and so on? So there's a ton to think about there. Nothing planned yet. And, oh, it's over here. Thanks. Thanks. Have you seen other or heard plans about other behavioral indicators, KPIs, to measure through integrations in the tech stack? So other behavioral or other behaviors in other applications or other elements of the landscape? Sounds like you have something in mind already. Not concretely. Yeah. No, absolutely. Let me see what I can fish out of my brain at this time of day. Can you chime in if you have any ideas? But behavior-based, I mean, what I'm thinking, phishing is one thing, right? Like simple, like clicking, non-clicking. MFA adherence, for example. What else? Phishing is one. And please check your attachments. We're just tired. Yeah. No, so behavior is a strong concept for us. We are working on it. We do have, we have just started developing this product and now thinking of integrations. So we do have a fully planned roadmap yet. We'll be publishing it for everybody soon. Yeah. So the focus for integrations is identity and access management. Seeing how do they log in? Do they have insecure login behaviors? Are their passwords secure across the board? Do they repeat passwords? So that's one. The other, like password management included there as well. Then we are looking at threat intelligence tools. We just introduced PRB, phishing report button, for that. The integration of PRB. Yeah, right. Yeah, yeah, yeah. For the feedback loop. 
But then, yeah, password security, for example. Threat intelligence, like how loose are they with their company email? How often does their company email show up on the dark web? That will also factor into the behavioral part of it, for example. And then email behavior. What other categories do we have? Nudge, praise, email behavior. Yeah. These are the three things that we have released just now. Nudge, praise, and phishing report button integration for the email security. A lot more to come. Yeah. And we are going to share the integration categories, like the vendors, like proof. That's the other one. Endpoint protection. What actually happens on an endpoint level? How is the incident response? That all factors into behavior as well. Again. Yeah, hi. I'm actually doing research. So also, we're working together with Kanu and Lisa on that. We do have a survey regarding the tech stack to prioritize exactly this topic, integrations. So if you go to the product booth or just come up to me, I'm happy to talk to you about those topics. And in the product booth, at the back tables, there are small paper stands. And there's a QR code on it. It says tech stack survey. Fill it out. And that will help us prioritize also the roadmap on integrations. So all in all, a very good topic to pick up tomorrow morning in the product corner. Any other questions? OK. It doesn't look like it. So thank you again, ladies, for joining us tonight. Yeah, it's tonight at this point. Yeah. You're around in the product corner, I'm guessing, tomorrow. So people can find you there? Perfect. Thank you again. Thank you. I'd love to thank you.