Mind Games: Using Data to Solve for the Human Element

Conference: BlackHat USA 2020

2020-08-06

Summary

The traditional approach to mitigating human risk in the security industry is ineffective. Instead, techniques such as personal relevance, social proof, leveraging intrinsic motivation, and tight-feedback loops are key factors to reduce human risk.
  • Human risk is one of the largest unsolved problems in security, with human errors being the top reason for successful breaches.
  • Traditional one-size-fits-all annual security training is ineffective in changing behaviors.
  • Techniques such as personal relevance, social proof, leveraging intrinsic motivation, and tight-feedback loops are key factors to reduce human risk.
  • Motivation needs to be applied in addition to training to get employees to want to take the training and adjust their knowledge levels.
  • Elevate Security is a leading human risk management platform constantly keeping on top of the latest research in the space.
The speaker noticed that employees are often made to do security, and she was obsessed with the question of what it would look like if employees wanted to do security instead of having to. She explored concepts from outside security, such as behavioral science and positive psychology, to create more robust defenses where the human element is concerned.

Abstract

The security industry's traditional approach to mitigating human risk is predicated on the assumption that individuals will make the right security decisions if they have enough training and fear of the consequences. Years of security research indicate otherwise. This briefing will share key insights from nearly a dozen security training research studies and analysis of several dozen security behavioral change campaigns to more than 65,000 employees across industries. We will show why traditional training approaches are ineffective in changing behaviors. Instead, our findings highlight that techniques such as personal relevance, social proof, leveraging intrinsic motivation, and tight-feedback loops are key factors to reduce human risk. This talk will explain why these behavioral change techniques are found to be most effective. We will then share concrete examples of how security teams can leverage these techniques to effectively reduce human risks such as phishing, malware downloads, and sensitive data handling in their own organizations.
