
All right, cool, thank you. Okay, can everyone hear me okay? That makes it all awesome. Yeah, so today I'm going to talk about this concept of quantifying human risk, seeing if that's something that's even doable and how we can potentially do it. But just to give a very slight background on myself: I happen to find myself in cybersecurity, but really I have more of a math and statistics background, so I consider myself a data scientist, data analyst, statistician, and that's what I went to college for. This reminds me a lot of being in college, being in a lecture hall like this. But in another world I would have loved to also major in psychology or something, because I think it's so fascinating why people make the decisions that they make, which will be a bit of what this talk gets into. Just bear in mind throughout this presentation that yes, I have been in cybersecurity the last seven years now, but if it's a lot more data- and people-focused, that's why, and I think we need that intersection between disciplines sometimes.

So today I'm going to start off with a definition, and then I'll try to be way less boring than that for the rest of the talk. What is human risk management, right? It's basically this concept of how you can respond to human-caused risks or incidents in your organization. So when someone clicks on a phishing email, or they do something that they shouldn't be doing, or they're browsing to insecure websites, or doing all these things, right, human-caused risks in your organization. So this concept of human risk management is a bit of a newer term, I guess, in the industry, looking at more of a holistic approach to how we can manage the human risk that all the employees at our company are bringing.

So historically, what has this looked like, AKA what does every single bank, healthcare company, any company do for human risk management? I would say it's very compliance-driven activities. So it's usually simulated phishing emails and annual security awareness training, right? Everybody does that. It's pretty simple, pretty easy stuff. I have really yet to come across an organization that doesn't do at least those two things, and like I said, I would say it's much more of a compliance-driven approach. It's something that people have been doing for ten-plus years. I don't really think the world of security awareness training and phishing has evolved that much in terms of just simulated phishing. I mean it has a bit, but this is really your basic security awareness training; I would think that everyone does this. We've seen content get a lot more engaging, maybe, a lot funnier. I know that some of the content libraries like KnowBe4 and such hire SNL actors to do these annual security awareness training videos, right? But for the most part it's still just really these two activities.

So what I really want to talk about, though, is this idea of human risk quantification, which sounds like a big thing. So I want to break it down a little bit into what human risk quantification is, what this next idea is of how we can evolve this management of human risks. So if we break this down bit by bit, start with risk. Okay, so what is a risk, right? I personally think that if you had a room of 50 GRC or risk folks, every single one of them would have a different definition of what a risk is, and they would all think each other are stupid for their definition. So my personal definition, agree or disagree, of a risk: well, a risk in cybersecurity to me is just like a risk in life, right, where the way I would describe it is a risk in life is any time you're doing something but you don't necessarily know what the outcome is. There's some type of unknown outcome. And the reason I say that is because, you know, if I'm going to go skydiving and I think my parachute is going to open but I'm not 100% sure, because I can't look into the future, right, I am taking a bit of risk with that; it's at least a slightly risky decision. Whereas if I'm turning left or right on a highway for no particular reason, that's more of a decision: I know the outcome, I'm either turning left or I'm turning right. But a risk is something where there might be a decision involved but you don't know what the outcome is going to be. So a risk in cybersecurity, where we don't know if we're going to get breached, we don't know if a phishing email is going to come in, this and that, it's kind of the same as in life, where there are just unknowns. Which, whenever we're talking about unknowns, brings up this question of can we possibly measure or quantify an unknown? It sounds like a bit of a weird thing, right? If we're saying inherently that risk is something unknown, then how could we possibly measure or quantify that?

So let's get into the next part of this, human risk quantification, which is the bigger and scarier word, quantification, and what exactly does that mean? For that I want to take a little side track, and let's look at a risk matrix like this, which probably everybody has seen in their life; probably every
organization to some extent still uses this type of risk matrix, right? So you're rating something on a low, medium, and high, a green, an orange, a red scale. Now a lot of you would easily say okay, low, medium, and high: we know quantitative means numbers, right? We know that that's not a quantitative approach. Okay, but what if we rated on a scale of one to five? Is that a quantitative approach? So we say, you know, one would be super unlikely and five is very likely. Okay, so now a lot of people might say, well, that's moving to a quantitative approach. But let's take one more step into that, and let's say that I'm a data analyst who is tasked with understanding my risk of getting breached in the next year, and I decide, well, it's always better to ask two people versus one if I'm trying to get these estimations. So I'm going to ask my CTO and my CISO: what do you think our chance of getting breached in the next year is on a one-to-five scale? So they're thinking. The CISO is like, yeah, you know, we've been doing a pretty good job and we've been implementing all these new things and these controls, and the CISO is thinking to themselves, and they're like, you know, there's probably like a 3% chance that we get breached in the next year, so they'll rate that a one on a scale of one to five. Okay, great. Then I go and talk to the CTO, and the CTO is like, well, you know, the CISO is an idiot, and this and that, and all these attacks, and blah blah blah, right, and they're thinking to themselves, well, there's probably like a 17% chance we get breached in the next year. Okay, so they rate that a one on a scale of one to five. So both the CTO and the CISO are in agreement that there's a one on a scale of one to five chance we get breached, but as those of us in cybersecurity know, there's a very big difference between a 3% and a 17% chance of something happening, or that you get breached in the next year, right?

And so this is an example of something actually not being quantitative when it seems like it is. It's introducing what we call analysis placebo, because of this idea of range compression, where because we're compressing into these ordinal ranges, one, two, three, four, and five, we're actually taking precision away from the measurement. We took away the precision from 3 to 17%. Whenever you have something like that going on, it means you're not necessarily looking at something quantitative in nature. And I promise this will come back and be relevant in a minute, but that's this idea of what we actually call an ordinal scale. It has an implied order, kind of like one, two, three, four, five, or red, yellow, green, but it's not quantitative in number or in nature. And something can be a numerical ordinal scale, where it uses numbers as in one through five, but it's still ordinal. And the best way to identify if you're using one of these scales: if you can replace one with improbable and two with seldom, three with occasional, right, four with likely, five with highly likely, if you can replace whatever numbers you're using with some type of word or symbol, then it's probably not a quantitative scale.

So just to call out why non-quantitative scales can be even worse, let's say I'm using this risk matrix and I'm looking at risk A and risk B. So risk A has a likelihood of 50% and an impact of $9 million; risk B has a likelihood of 60% and an impact of $2 million. Simple expected loss, super easy to calculate: we can see risk A is $4.5 million versus risk B being at $1.2 million. But now, if we're using non-quantitative scales, right, like a risk matrix just like the one behind me, which I didn't do anything weird or crazy to, you can see risk A gets rated a medium and risk B gets rated a high. So now not only are we taking away precision in our measurement, like in the 3 to 17% example, but we're actually getting a worse understanding of our risk just because we're not using quantitative scales. And the reason that happens is people start using ones through fives thinking they're quantitative and then adding a one plus a two to get a three, which is like adding two regular users to get an admin user, right? You can't actually do math like that, so it starts to really throw off measurements. We'll get back to that.

Okay, so we covered risk, we covered quantitative, let's talk about humans for a minute. Then take another little side track here, and I just want to talk about, if you've stayed at a
hotel before, okay? And I travel a lot, I stay at a lot of hotels, right, and in the bathroom you'll typically have a plaque like this, and it's like, help us save the planet, reduce, reuse, recycle, whatever. You know, don't wash your towels, or if you leave your towel on, or if you hang your towel back up, we won't wash it. It's great. So you guys have probably all seen this in every hotel, and well, I would love to think that hotels really care about our environment and being green, the reality is they really want you to reuse your towel because it saves them a lot of money, right? They don't have to now wash a towel; they're not paying for the labor to do that; they're not paying for the water, the electricity. So it's very advantageous for a hotel for you to reuse your towels, so they've got these plaques everywhere. And they did this experiment, an A/B study a hotel did, where they took half of the hotel rooms and then the other half of the hotel rooms and they put the plaques in, but just with different wording on each of the plaques, right, and anyone who was staying at the hotel didn't know this experiment was going on, so just a blind A/B study. Okay, so in half of the hotel rooms they wrote "75% of guests in this hotel reused their towels," okay, and on the plaques in the other half they wrote "75% of guests in this room reused their towels." Okay, so literally a one-word difference on a plaque that I don't think anybody really reads, or at least I know that I don't. So you would think of course changing one word on a plaque that nobody reads wouldn't have any effect on human behavior, but of course I wouldn't be showing you this example if that were true. So if we look at the results: when the plaque said "in this room," the hotel guests used on average one towel per person, and when it said "in this hotel" they used on average 1.6 towels per person, which might not seem like a lot, but statistically this is a 40% reduction in towel usage. Okay, so why am I bringing this up? This shows unequivocally that changing one word on a plaque that not that many people read can affect human behavior by 40%.

Okay, so why do we care about this in cybersecurity? Well, for years and years and years we've all seen statistics that say 82 or 85 or 83% of breaches are caused by humans, right, or there is some type of human-enacted cause for a breach happening. The Verizon Data Breach Report, the IBM Cost of a Breach report have all shown these statistics year over year, and not only are 80-plus percent of breaches being caused by the human element, but that number is not trending down, which tells us, very importantly, that we are failing to understand human behavior in cybersecurity. If we're saying that something as simple as changing one word can affect human behavior by 40%, then why aren't we fixing that number? Why is that 80-plus percent not coming down, right? And this all loops back to because we're using those traditional techniques of phishing simulations, annual security awareness training, and clearly the data is showing us that it's not working.

So let's get back to human risk quantification: how can this help us use data and use human behavior to potentially change that 82% number? So I'm not saying we need to stop phishing simulations and security awareness training; they're probably going to be required by insurance and compliance-driven things for a long time. We can keep those, it's fine, but we need to start moving to this 2.0 approach and moving away from just basic security awareness training to human risk management, which involves adding some type of metrics framework, so starting to actually gather all the data on what humans are doing in your environment. Can we see the data on when someone is actually browsing to an insecure website, or when they send an unencrypted password in Slack, or what
about when they, of course, you know, click on a phishing email or a simulated phish, right? All of these behaviors that people are doing that are introducing risk into your environment we should be looking at and analyzing from a quantitative standpoint. So imagine the way, I actually don't know if this is a thing in the UK, crap. In the US we have credit scores. Do you have credit scores here? Okay, panic for a minute there. Okay, credit scores, yes, okay. It's a really good analogy. Imagine the way that every single person has their own credit score, right, and it's impacted by different things like, assuming they're the same as the US, it's impacted by hard inquiries on your credit, and the amount of debt you have, and if you pay off your credit card on time, and all of these things, right, different factors that go into giving you a quantitative credit score. Imagine if we had the exact same thing for every single person who worked at your company, right, a risk score. So based on if they're browsing to insecure websites, if they're sending unencrypted passwords in Slack, if they're sending data to a Gmail address to themselves so they can work on something at home, right, all of these things we should be gathering that data and creating a risk score for every single person that you can look at and say, not only based on what they're doing, but then imagine if we also added in, well, what do they have access to? Are they a system admin? Do they have a bunch of different AD groups they are a part of? And we can actually start to get, for each person, how much risk they are bringing into your environment. Because there was another study done that showed that of those 82% of security incidents that are caused by humans, on average they were caused by only 8% of people at a company, meaning that at your company 80% of things you have to deal with are caused by 8% of people. So person one doesn't need the same training as person two, and they don't need as much time and attention, depending on what they're actually doing and what they actually have access to.

And then thinking about a culture change, all right. And what I mean by this is that if we go back to the reason humans make the decisions they make, and human psychology, this human aspect of it: people are way more likely to listen to and respond to people that they hear from often in their lives, right? So when your boss tells you to do something, you listen to that. It's normal; it's not something that you feel like you don't need to understand, because your boss tells you to do something every day. Well, what if I'm in HR, and my CISO sends out another email about, say, October, Cybersecurity Awareness Month, and do all these great things, right? I'm not saying I'm not going to read it; it's from a C-level, maybe I will, but it's not part of that daily workflow for me. It almost goes into a different part of the brain. Whereas imagine instead that I have my boss, my HR manager, consistently telling me to do things, or I have my boss or the person sitting in the cubicle next to me reminding me about security things. It registers in our brain a different way when we hear it on a daily basis from people we're used to hearing things from. And on top of that, imagine if I'm a brand new HR intern and I accidentally, I think that I did something bad, you know, cybersecurity-wise, I think I clicked on a phish or something, but I'm scared to go talk to my big bad cybersecurity department because they're going to get mad at me and they're going to wipe my laptop and this and that. Well, what if instead, in my HR department, we had one designated cybersecurity person, right, and it was our HR admin or whoever it was, but they were the dedicated person for our department who knows what to do in a cybersecurity situation? And imagine if finance had one, and accounting had one, right, and payroll, and all these things, so that you have someone who's not scary, who sits in the cubicle next to you or who you see every single day, who you can ask questions when they come up. So you're much less turned off by going to the cybersecurity department or potentially getting in trouble. And then from there it's also just sustainment, right? Things have got to come from the top. You've got to have funding to do a program like this; you've got to have executive backing, things like that. But again, really moving
beyond just that 1.0 approach of annual cybersecurity awareness training and phishing to more of a human risk management overall appetite. And again, what kind of data can we pull in to look at things like that, if we're talking about quantification? Well, we should be pulling from your web and endpoint security tools, right: are people attempting to install unauthorized software, mobile device updates, detection of malware, phishing and email security. Again, not saying we shouldn't do phishing simulations, right, still something good, but we should be pulling in that data as well. What about data loss in your DLP, right? Are you attempting to send a Slack message, like I said, with an unencrypted password? Well, what if, when you do that, you get a little Slack popup that says, hey, looks like you just tried to send an unencrypted password in Slack, please use this approved method next time, thanks, your cybersecurity team, right? So now, instead of getting an hour-long training on January 1st, which you'll have forgotten all about by January 5th, you get two-second reminders day to day on actual behaviors that you need to change. It's much more effective at actually changing human behavior. It's the same with security awareness training, right? We've got to move away from one hour of training at the beginning of January. Humans on average can retain seven bits of information in their short-term memory, maybe a bit more in their long term, I don't know, but trying to train someone for an entire year's worth in one hour at the beginning of the year is absolutely ineffective. We need to move to more of a nudge-based, real-time approach.

So the point, pretty much, of my whole talk: humans, we're really not optimal people, and it's really, really interesting and fascinating if you look into it, but we basically make really bad choices. We don't operate like computers, we don't follow algorithms, we're emotional. We tend, this is a really interesting study, but we tend to act against our own best interest as human beings. So it's the reason you say you want to lose five pounds and then you eat a cheeseburger for dinner, or why I set my alarm for 7:00 a.m. this morning so I could go on a run and I slept until 8, you know, and that really happened. Would it have been better for me to run this morning? Absolutely. I didn't. Humans, we're not optimal people; we act against our own best interest all the time, and we need to start understanding that better, and genuinely understanding the psychology behind why people do the things they do in cybersecurity, because I just think way too much emphasis has been on the technology. Not that none should be. Technology has made very, very large advances in the last few years; controls are getting more sophisticated; frameworks have come a long way. But I don't know, I don't think that we focus quite enough on the human aspect, and that's reflected in the data. Like I said, if 80% year over year of incidents are caused by humans, then clearly we're failing to understand human behavior.

So I'll leave with an interesting note. I gave this presentation once before and someone asked me, do you think that being, quote unquote, bad at cybersecurity, like if your risk score, if I'm an accountant and my risk score was bad enough, should be a fireable offense, right? It's a very divisive question. I think people have very different opinions on it, but what I would say is, if we are all in cybersecurity and our job is to protect the company, and even protect end users and their own data too, right, how come we just think, well, we should fire that person, they failed enough phishing attempts in a row, they're clearly not getting it, they're clearly not learning, we need to let them go? I think maybe we should take that as a little bit more of a reflection on us, the job that we're doing, and us in cybersecurity, and say what we're doing to train this person is clearly not getting through to them; we're not understanding the way they learn; we're not understanding the way they work and their workflows. Now, not to say if they're malicious in intent, of course, when they're doing that, then sure, get rid of them, but if they're just genuinely not learning because of the way that we're trying to teach, then maybe it needs to be more of a reflection on us and how we can take psychology a little bit more into mind when we're coming up with different cybersecurity measures. But yeah, so that's my talk. I threw my LinkedIn up there, but yeah, I guess I'll take questions if there are any, otherwise thank you so much for having me.

Yeah, I like that about the human psychology, because when I first started getting spam, phishing campaigns, I used to try and click it to
see if it was the one that they were trying to catch me out on. So does anybody have any questions?

I will say, just to add on to that point while they're walking over there, the only phishing simulation that I failed in the last two years at my company, and my CTO is mean about them, to be fair, but we had a part of our company that got acquired by a different company, so all the employees were going with it, so they were all leaving, and they sent out this "say goodbye to the pillar employees" email, with a link to see a goodbye picture or something. And actually at the time I had just traveled to the UK, so I was on six hours of jet lag, and it was right before I went to bed. I said, I'll click this and look at the cute little picture before I go to bed, and it got me. So preying on an emotional response can be very, very effective. All right, sorry.

Oh, your towel debate thing, 40% you said, and reduction. Can you explain the math behind it, because I can't get it? Sorry.

Okay, maybe I did the math wrong, but if you go from 1.6 to one, is that not a 40% reduction in towel usage? Is that wrong? Isn't it 40%, right? No? Is it not?

Well, it would be, okay, what was it, the room and the hotel, and the hotel used 1.6 towels.

1.6 towels per, I don't know, maybe I did it wrong. It's just, I don't know, it's a reduction in towel usage by .6 towels per person.

.6 towels per person. All right, thank you. Sorry, it's just, yeah, I might have just done that wrong, not going to lie. Might be my, sorry, I made the slides a while ago, not going to lie. Any questions? I'll come to you, and then I think, sorry.

So you did mention briefly, are there competitors within this space, moving on in this?

Yeah, so I've spent the last year really looking into a lot of the tech in this space, because my company, we're a vendor-agnostic company, so I always just try to keep up on all the tech and see what's best. I think KnowBe4 is more on the traditional side, a little bit too much on the 1.0 side. I think they're trying to do a little bit of this, but they are not at all what I would call a leader in the space. Most of them, honestly, are startups, because it's a newer thing, this whole risk quantification and all of that stuff. So as far as UK-based companies, I know the biggest ones are CultureAI, CybSafe, and OutThink; those are the three that I come across a lot. I like CultureAI the best, just from what I've vetted. And then in the US we've got Right-Hand Security, Living Security, but really they're all startups. For the most part people have got a risk measure, they're starting to try to do it, and then it's based on job titles as well. So yeah, they're starting to try to do it, I know they are, they're just not as advanced in the space. They're typically not pulling in DLP data, they're not pulling in SIEM data, they're not pulling in a lot of the other data, where a lot of these other companies, like CultureAI for example, that's the main thing they're doing, is integrating with your other products to get a holistic risk score. So from what I've seen in the space, it's still a lot of startups, but I think they're really interesting. I know, for example, CultureAI just got their Series A; I think CybSafe might be even further along than that. So it's growing for sure, but it's a newer, a newer
product industry. I don't know if I have time; I don't think, maybe. Do I have time for any other questions? Yeah, okay.

I just have a quick question about you mentioning a potential solution to keep reminding users or employees about their security posture, and you mentioned potentially having certain notifications coming in saying, oh yeah, you sent this. Don't you think that might cause, in some cases at least, some fatigue in the alerts, because that could happen where users would just completely ignore them? Is there maybe a middle ground? Is that something you are for, or what have you thought about that?

Oh, I definitely think it could cause fatigue, 100%. I know a lot of the products that I've seen that do it, you can set a threshold, right, so it could be like maximum alert this employee three times a month, or whatever it is, so you can always see that. But it's really interesting, I mean, I've talked to CISOs and companies who are like, spam the crap out of them, alert them every time they do anything, gamify it, you know, send them an email once a month that says, hey, of everyone on your team you're in second-to-last place in terms of having the worst risk score. There are CISOs who absolutely want to do that; they want to gamify it; they want to prey on that psychology. And then there are those who go the exact other way, right, where they're super worried about the Big Brother aspect, the gamification, all that stuff. So I almost think it's more, as I said, your organizational culture, is typically how I see it. It's almost like a culture thing for your org. I see some that do also more of the positive reinforcement model, where the better risk score you have, or the more trainings you do, or this and that, like I saw one company where you could get points and redeem them for a pint of Guinness or stuff like that, right? So it just depends on the culture, usually, that your CISO wants to set for your security org. So all right, thanks.

And so when I've been doing information security awareness training with people, what I've typically found is that people in an organization will have a different interaction and relationship with technology than they do at home, and what I've tended to try to do is fix their relationship at home, because then that bleeds into their work life. Do you think that's maybe a way that we should be looking at this, so that, rather than battering people with "don't do this at work," we teach them how to be more secure at home, because then that will affect their relationship with technology in business?

So I love this question, I totally agree with it. There's actually an initiative I'm working on right now that I wanted to try to fit into this but I couldn't figure out how, but it relates a lot to that. Where I work with credit unions sometimes, and a lot of credit unions will have the issue of, you know, if an older person, it's like a romance scheme or a fraud or something like that, right, that we've all heard a lot about historically, where now they're taking this $20,000 check to their credit union to try to get it cashed, and they're almost embarrassed to say why; they won't even tell the credit union. So I don't know if you guys have credit unions here; I think it's like banks or whatever. So it was a big thing, but what was interesting in talking to the most recent credit union is they were like, honestly, the losses that we take from that each year are manageable; it's really not that big a deal. But their CISO cared more about just the impact it had on their customers. They were like, we've seen people be devastated, we've seen their lives ruined, we've seen this and that, right. And further, on top of that, a lot of the money, which I think a lot of people don't even realize, that is stolen in these scams ends up supporting drug trafficking, human trafficking, really criminal activities, right? So the initiative that we're working on is actually trying to give more awareness of those things, and saying how much can we save a company due to mitigating this human risk, right, and can we use those savings actually to then donate to these human trafficking or drug, like, organizations, right, or anti-human-trafficking, anti-drug organizations, sorry, let me clarify. But the reason I bring any of this up is because I think it preys more on people's emotions, right? So I go to conferences all the time; I see sponsors giving away these $200 gift cards for entering a raffle at the booth and whatever, or a $200 bottle of whiskey or something. Well, what if we donate $200 to anti-human-trafficking orgs instead, or something, right? And I bring all of that up to say what I think is a really effective way to do it is not only teaching them, like you said, more on their at-home behavior, but the effect it can have on their personal life versus just their corporate life, right? So say, hey, if you fall victim to one of these schemes, here is what I have seen it do to someone of your age in your position, right, and there are a million stories of them. If you don't have one, you just ask any of your coworkers in cyber and someone will have a story of a family member or something getting extorted from this, right? So I think personally, I'm just starting to try to launch that initiative, but if we can prey more on the actual end effects that it has on people's lives and their personal lives, like you said, I think it's way, way more effective than just saying, hey, you don't want to be the reason your company gets breached, don't click on this link, you know.

Okay, just one more. First of all, great talk, thanks. I was just wondering, in your experience, how open are CISOs to having a psychologist consultant? I mean, the data you presented, the solution to the problem is very obvious, but how open are these guys to having a psychologist consulting?

Yeah, this is a really great question. You said psychology consulting, right? Is that what you said? Yeah. So it's a really great question. To be clear, I'm not a psychology consultant; I don't really know much about psychology, I just read things. But honestly, so in terms of actual psychology consulting, I guess I don't know, because that's not the field that I'm in; I haven't tried that. But I am in the field of just cyber consulting in general, and so sometimes I'll bring these types of solutions up to CISOs, and again, vendor agnostic, so I'm not necessarily promoting one solution or the other, but I'll introduce them to this concept of, hey, there are solutions that do more of this gamification, do more of this real-time learning, and to that I've found them incredibly receptive, especially because at the end of the day what I think genuinely is a CISO should be, and usually is, more business-driven, so also cost-cutting-driven. And what I've seen is that if a CISO can replace something like a KnowBe4 with the same line item budget for a product that also provides content and phishing, but then goes above and does this gamification, which is what I know a lot of these startups are trying to do, they're very open to that, because now they're not paying any more, you know, they're getting the same functionality plus some. So for that reason I've seen them be really open to it, but again I do think it's because it still is a little bit of a business decision. So in terms of actual psychology consulting, I would say probably their openness would depend on the ROI of it, honestly. That's just how I see a lot of CISOs operate. But yeah, cool. Okay, well, thank you everyone so much.
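The risk matrix argument from the talk (the CISO's 3% and the CTO's 17% both becoming a one on a one-to-five scale, and risk A at 50% likelihood and $9M impact being rated below risk B at 60% and $2M), worked through as an added example. This is not code from the talk or from any of the products named in it. The bucket boundaries and the low/medium/high cell thresholds are assumptions chosen to resemble a typical 5x5 matrix, since the talk does not give its own; the point is that any such matrix has a lossy bucketing step, and the rank inversion falls out of that step rather than out of any special choice of numbers.

```python
"""Range compression in ordinal risk scales.

Added example, not from the talk. The bucket boundaries and rating
thresholds below are assumptions chosen to resemble a typical 5x5 matrix.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed likelihood buckets: (exclusive upper bound of annual probability, score).
LIKELIHOOD_BINS = [(0.20, 1), (0.40, 2), (0.60, 3), (0.80, 4), (1.01, 5)]
# Assumed impact buckets in dollars. Everything above $1M lands in the top
# bucket, which is where real matrices usually compress the most.
IMPACT_BINS = [(1e4, 1), (1e5, 2), (5e5, 3), (1e6, 4), (float("inf"), 5)]
# Assumed cell thresholds on likelihood_score * impact_score; >= 16 is "high".
RATING_THRESHOLDS = [(6, "low"), (16, "medium")]
RATING_ORDER = {"low": 0, "medium": 1, "high": 2}


def bucket(value: float, bins: list[tuple[float, int]]) -> int:
    """Map a measured value onto an ordinal score. This is the lossy step:
    every value inside one bin comes out identical."""
    for upper, score in bins:
        if value < upper:
            return score
    raise ValueError(f"{value} is outside the scale")


def same_bucket(p1: float, p2: float) -> bool:
    """True when two probability estimates are indistinguishable on the 1-5 scale."""
    return bucket(p1, LIKELIHOOD_BINS) == bucket(p2, LIKELIHOOD_BINS)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # annual probability, 0..1
    impact: float      # dollar loss if it happens

    def expected_loss(self) -> float:
        """The quantitative view: probability times impact, in dollars."""
        return self.likelihood * self.impact

    def matrix_cell(self) -> tuple[int, int]:
        return bucket(self.likelihood, LIKELIHOOD_BINS), bucket(self.impact, IMPACT_BINS)

    def matrix_rating(self) -> str:
        """The matrix view: multiply two ordinal scores and colour the cell.
        Arithmetic on ordinal scores is the '1 + 2 = 3' move the talk warns
        about; it is kept here because that is what a matrix does."""
        lik, imp = self.matrix_cell()
        product = lik * imp
        for upper, rating in RATING_THRESHOLDS:
            if product < upper:
                return rating
        return "high"


def rank_by_expected_loss(risks: list[Risk]) -> list[str]:
    """Names ordered by expected loss, largest first."""
    return [r.name for r in sorted(risks, key=Risk.expected_loss, reverse=True)]


def rank_by_matrix(risks: list[Risk]) -> list[str]:
    """Names ordered by matrix colour, 'high' first (stable for ties)."""
    return [r.name for r in sorted(risks, key=lambda r: RATING_ORDER[r.matrix_rating()], reverse=True)]


# The two risks from the talk.
RISK_A = Risk("A", 0.50, 9e6)
RISK_B = Risk("B", 0.60, 2e6)

if __name__ == "__main__":
    print("3% and 17% share a bucket:", same_bucket(0.03, 0.17),
          "(both score", bucket(0.03, LIKELIHOOD_BINS), ")")
    for r in (RISK_A, RISK_B):
        print(f"{r.name}: EL=${r.expected_loss():,.0f} cell={r.matrix_cell()} rating={r.matrix_rating()}")
    print("ranked by expected loss:", rank_by_expected_loss([RISK_A, RISK_B]))
    print("ranked by matrix:       ", rank_by_matrix([RISK_A, RISK_B]))
```

Run it as a script to see both orderings side by side. The inversion comes from the impact scale: $2M and $9M both fall into the top impact bucket, so the only thing left to separate the two risks is the likelihood score, where 60% sits one bucket above 50%. That is the same mechanism as the 3% versus 17% case, just applied to dollars instead of probabilities.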