Key Learnings from the SANS Human Risk Summit 2024

Hoxhunt had the privilege of attending the SANS Human Risk Summit in person on August 1-2. We've compiled a summary of the most impactful talks, highlighting key takeaways that are particularly relevant and aligned with Hoxhunt’s expertise.


Inside the SANS Human Risk Summit

SANS is the world's most trusted and largest source for information security awareness training and security certification. Notably, SANS was the first organization to establish a certification specifically for human risk management practitioners — the SANS Security Awareness Professional (SSAP) Credential — which equips professionals with the expertise needed to advance their security awareness programs.

Each year, the SANS Managing Human Risk Summit brings together security awareness experts who share invaluable insights through case studies and cutting-edge technologies for managing human risk.

At this event, we learn about the latest proven strategies for engaging and securing our workforce, while also having the opportunity to network with industry practitioners and peers from around the globe.

Hoxhunt had the privilege of attending SANS Human Risk Summit 2024 in person, and we've compiled a summary of the most impactful talks, highlighting key takeaways that are particularly relevant and aligned with Hoxhunt’s expertise. You can also watch all of the talks on the SANS Security Awareness YouTube channel.

Beyond the Breach: The Role Culture Plays

Speaker: Tim Brown, CISO at SolarWinds

Context: SolarWinds, based in Tulsa, Oklahoma, provides IT management tools including the Orion platform, which monitors network and infrastructure. In late 2019, hackers inserted malicious code into SolarWinds Orion updates. This attack, discovered by FireEye in December 2020, impacted over 300,000 major customers, including Fortune 500 companies and U.S. government agencies like the Pentagon and NASA, marking one of the largest cybersecurity breaches of the 21st century.

  • Control and Communication: In the immediate aftermath of a breach, managing chaos through clear communication and defined roles is crucial. SolarWinds split its response teams early, emphasizing collaboration and a "do your job and help others" approach.
  • Leadership and Culture: The CEO’s role in setting a customer-first culture was pivotal. A strong, unified message from leadership guided the organization during the crisis.
  • Commitment to Transparency: SolarWinds emphasized the importance of being transparent with customers and stakeholders, not just during the breach, but in the long-term aftermath, including correcting misinformation.
  • Ongoing Recovery Efforts: Recovery from a major breach is an ongoing process, involving not just technical fixes but also restoring trust through continuous communication and demonstrating improvements.
  • Cultural Impact on Security: The security culture within an organization can either hinder or help the response to a breach. SolarWinds highlighted the necessity of a strong, proactive security culture to manage crises effectively.

Self-security Awareness

Speaker: Erica Mick, Security Culture and Human Risk Management at Royal Caribbean Group

  • Engage with Users: Meet employees at their level of understanding and set realistic cybersecurity expectations. Tailor communication to be accessible and practical.
  • Build Empathy: Connect with employees by recognizing their non-expert status in cybersecurity. Understand their challenges and bridge gaps through empathy.
  • Collaborate Across Departments: Work with different teams to understand their needs and ensure that security measures are practical and relevant.
  • Make Security Accessible: Ensure that security initiatives are easy to engage with, provide clear instructions, and offer incentives to motivate participation.
  • Integrate Security by Design: Embed security into tools and processes from the start to make them intuitive and user-friendly.

HOXHUNT TIP

Recognize and motivate:
Implement recognition programs to highlight employees who have performed exceptionally well on phishing simulations. With Hoxhunt, you can create categories such as "Top Phish Hunter" or "Cybersecurity Champion" based on metrics like stars collected or suspicious emails reported.

Fear, Empathy, and Team Spirit: The Psychology of Cybersecurity Communication

Speaker: David Shultz, Founder at Sans Serif

  • Capture Attention and Motivate Action: Effective cybersecurity communication begins with capturing attention and translating that attention into motivation for the right behaviors. This involves using strategies that resonate with different psychological triggers.
  • Seven strategies for motivation:
    1. Fear: A powerful motivator, but one that can be worthless.
    2. Shame: When fear is personalized, it turns into shame.
    3. Empathy: Drives personal responsibility in cybersecurity.
    4. Fun: Making security information fun increases engagement.
    5. Team spirit: Fosters collaboration and shared security goals.
    6. Personal connections: Make security practices more relatable.
    7. Gamification and competition: Particularly effective where individuals compete against themselves.
  • Cultural Considerations: The choice of motivational strategies should be aligned with the organization’s culture. Segmenting the audience based on factors like location, office environment, regional culture, knowledge level, and field of work ensures that communication strategies are relevant and effective.
  • Understanding Technology Interaction: Recognizing how people interact with technology in their daily lives can inform more effective cybersecurity communication, making it easier to implement strategies that resonate with employees.

HOXHUNT INSIGHT

At Hoxhunt, positive reinforcement, empathy, fun, gamification, and competition (e.g., leaderboards) are integral to our Human Risk Management (HRM) strategy. These approaches have proven to be more impactful and efficient than negative motivations such as fear.

How rewarding and recognizing your employees can drastically increase engagement

Speakers: Sophie Tate, Security Awareness & Culture Lead at National Grid & Niki Wileman, Head of Security Culture, Training, and Resilience at National Grid

  • Identify Key Behaviors: Focus on recognizing and rewarding the specific positive security behaviors that are most valuable to your organization.
  • Support Advocates: Find and support employees who exemplify these key behaviors. Provide them with recognition, rewards, and opportunities for increased responsibility.
  • Sustained Engagement: Engage personally with employees to understand their roles and implement cost-effective recognition initiatives, like "Phishing Belts," to maintain high levels of motivation and engagement.

HOXHUNT TIP

Low-Cost Recognition:
Use creative, cost-effective methods for recognizing employees, such as informal awards or public acknowledgments. Align the reward with your organization's culture, but ensure it's something that excites and motivates your employees. Hoxhunt uses stars, badges, and even a certificate template to help you reward users.

How to Build a Successful Awareness Program

Speakers: Marianne Lindroth & Tiina Kärkäinen, Cybersecurity Consultants at Nixu Corporation

  • Lead Communication: Appoint a dedicated leader for the awareness platform to ensure effective communication.
  • Know Your Audience: Use preferred channels and relevant topics to engage your audience effectively.
  • Management Support: Ensure management actively supports and demonstrates the values of the program.
  • Personalized Messaging: Tailor and personalize communications to boost engagement and motivation.
  • Leverage Networks: Connect with others and seek support to enhance the program’s impact.

HOXHUNT TIPS

Strong Communication:
A monthly or quarterly cybersecurity newsletter can be an effective tool for keeping employees informed and engaged. Hoxhunt offers a customizable Newsletter template that you can use to share updates and reminders with your employees.

Multi-Channel Approach:
Think about the best channels to get the word out about Hoxhunt training. Once you know your channels of preference, think about what format of the material works best in each. Hoxhunt has created extensive comms materials that you are free to use.

Using Behavioral Data to Inform Security Awareness Campaigns and Measure Impact

Speaker: Jade Meyer, Security Awareness Program Management at Salesforce

  • Ongoing and Targeted Campaigns: Use data to target high-risk employees and tailor security messaging accordingly. Implement both ongoing and ad hoc campaigns to address varying needs.
  • Track and Measure: Monitor campaign effectiveness over time to understand its impact. Measure behavior change, information engagement, and retention.
  • Framework for Data Analysis:
    ◦ Behavioral Data: Analyze what is happening and when.
    ◦ Employee Attribution: Identify who is involved and where incidents occur.
    ◦ Human Risk Measurement: Assess why risks occur and how to mitigate them, using a risk score based on severity and frequency (risk score = average severity × frequency).
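The risk-score formula above is easy to state but only becomes useful once it is applied per employee over a trailing time window and fed into a heat map. The following is an added example, not code from the talk, from Salesforce, or from Hoxhunt: it scores a constructed set of behavioral events with score = average severity × frequency, keeps zero-event employees in the output, excludes events older than the window, and bands the results for a three-level heat map. The 1–5 severity scale, the behavior names, the 90-day window, and the band thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of behavioral events (not real data). Each tuple is
# (employee, behavior, event date, severity). The 1-5 severity scale and the
# behavior names are assumptions for this example; the page only gives the
# formula  risk score = average severity x frequency.
EVENTS = [
    ("alice", "clicked_simulated_phish", date(2024, 7, 2), 3),
    ("alice", "clicked_simulated_phish", date(2024, 7, 20), 3),
    ("alice", "submitted_credentials", date(2024, 7, 25), 5),
    ("bob", "clicked_simulated_phish", date(2024, 6, 10), 3),
    ("carol", "clicked_simulated_phish", date(2024, 1, 15), 3),  # outside the window
    ("dave", "clicked_simulated_phish", date(2024, 6, 1), 3),
    ("dave", "disabled_mfa_prompt", date(2024, 7, 30), 5),
]

# Constructed roster and reporting date.
ROSTER = ["alice", "bob", "carol", "dave"]
AS_OF = date(2024, 8, 1)


def risk_scores(events, roster, as_of, window_days=90):
    """Score every employee on the roster over a trailing window.

    frequency    = number of risk events inside the window
    avg_severity = mean severity of those events (0.0 when there are none)
    score        = avg_severity x frequency   (the page's formula)

    Employees with no events in the window are kept with a score of 0.0
    rather than dropped, so the result covers the whole roster.
    """
    start = as_of - timedelta(days=window_days)
    totals = defaultdict(lambda: [0, 0])  # employee -> [severity sum, event count]
    for employee, _behavior, when, severity in events:
        if employee in roster and start <= when <= as_of:
            totals[employee][0] += severity
            totals[employee][1] += 1
    result = {}
    for employee in roster:
        sev_sum, count = totals[employee]
        avg = sev_sum / count if count else 0.0
        result[employee] = {
            "frequency": count,
            "avg_severity": avg,
            "score": round(avg * count, 2),
        }
    return result


def heat_map_bucket(score, medium_at=3.0, high_at=8.0):
    """Map a score onto the three bands of a simple heat map (thresholds assumed)."""
    if score >= high_at:
        return "high"
    if score >= medium_at:
        return "medium"
    return "low"


def ranked_heat_map(events, roster, as_of, window_days=90):
    """Employees ordered from highest to lowest score, each with its heat-map band."""
    scores = risk_scores(events, roster, as_of, window_days)
    ordered = sorted(scores.items(), key=lambda kv: kv[1]["score"], reverse=True)
    return [(name, s["score"], heat_map_bucket(s["score"])) for name, s in ordered]


if __name__ == "__main__":
    for name, score, band in ranked_heat_map(EVENTS, ROSTER, AS_OF):
        print(f"{name:<6} score={score:5.2f} band={band}")
```

Two design points worth noting: the window matters as much as the formula, since carol's single old click drops her to 0.0 while the same click inside the window would put her in the medium band; and averaging severity means three moderate clicks (alice) rank above one severe event plus one click (dave) only because frequency is multiplied in, which is exactly the trade-off the severity × frequency model encodes.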

HOXHUNT TIPS

Custom Scenarios:
Hoxhunt enables you to create realistic phishing scenarios that mirror common threats encountered by your employees to increase engagement and effectiveness.

Engagement Metrics:
Utilize Hoxhunt’s Human Risk Dashboard to track engagement levels and identify areas for improvement, ensuring that campaigns are reaching and resonating with your audience.

Avoiding a Culture Clash: How to Harmonize Security Practices with Organizational Values

Speakers: Amy Herbert, Information Security Behavioral Change Lead at Accenture & Jennifer Bliss, Information Security Innovation Portfolio Lead at Accenture

  • Use Innovative Training: Engage employees with interactive methods like VR, gamification, and personalized content to make security training more effective.
  • Align with Culture: Integrate security practices with your existing organizational culture rather than changing it.
  • Understand Your Culture: Tailor security strategies to fit your organization's decision-making, risk tolerance, and communication styles. The idea can be great, but it might not flourish if it’s not the right time or culture.
  • Pursue Continuous Improvement, no matter the culture: Regularly update strategies, seek guidance from advisory boards, and challenge existing practices and the status quo.

HOXHUNT TIPS

Customize Training:
Align training methods with your organization’s culture to boost engagement and effectiveness. You can now create your own micro-trainings within Hoxhunt, using AI for help or inspiration in creating the content.

Regular Evaluation:
Continuously update strategies based on feedback and emerging threats. At Hoxhunt, we update our simulation database on a weekly basis, adding new simulations to keep up with the latest cybersecurity challenges and threats.

Evolving Beyond Basic Analytics to Quantify Human Risk

Speaker: Nandita Bery, Director of Information Security Programs at Equinix

  • Leverage User Engagement Data: Track user engagement through posts, topics, and views to gather insights on behavior and risk levels.
  • Develop a Human Risk Heat Map: Use data to identify trends, pinpoint challenges, and target training effectively.
  • Program Tracking and Metrics: Monitor elements like cyber ambassadors, new hires, training modules, and overall security awareness to measure and improve program effectiveness.
  • Engagement Forecasting: Analyze historical data and patterns to forecast future engagement and refine strategies accordingly.
  • Report to Stakeholders: Present quarterly updates to the board to demonstrate the impact and progress of security initiatives.

HOXHUNT TIPS

Forecast and Refine:
Use the historical data in the Human Risk Dashboard and check your company's "progression over time" view to forecast engagement and continuously improve your security strategies.

Board Reporting:
Reporting cybersecurity's impact to the board is pivotal for resource allocation and strategy alignment. Hoxhunt's Human Risk Dashboard offers tangible results and risk mitigation data to help formulate strong reports and presentations. For additional insights and ideas, consider exploring the "Cyber Security Toolkit for Boards" from the UK's National Cyber Security Centre.

General Key Takeaways from the SANS Human Risk Summit

All in all, the event was an incredible experience to exchange ideas, share knowledge about human risk management, and get inspired by innovative concepts and strategies. We gained valuable lessons and insights while connecting with the vibrant community of security awareness practitioners.

Some of our key takeaways include:

  1. Human-Centric Approach: Across all sessions, a common theme was the emphasis on human behavior as both the greatest vulnerability and the strongest defense in cybersecurity. Fostering a culture that prioritizes security awareness is essential.
  2. Leadership's Role is Crucial: Effective human risk management begins with leadership. When leaders actively engage in security practices, it influences the entire organization, making security a shared responsibility.
  3. Continuous Improvement: Security is not a one-time effort but an ongoing process. Continuous training, simulation exercises, and adapting to new threats are necessary to stay ahead of risks.
  4. Measurable Outcomes: Success in human risk management is measured by the reduction of incidents and the improvement in security behaviors. Metrics and assessments are vital tools to ensure strategies are effective.

We at Hoxhunt hope all security awareness professionals keep these in mind to build up the profession and continue the good fight to keep organizations secure.
