Dark Reading is part of the Informa Tech Division of Informa PLC

Organizations Making Little Headway in Addressing Human Risk

Most enterprise security awareness efforts remain half-hearted, a new SANS survey shows.

Though human errors — such as falling for phishing scams that result in data compromise or credential theft — remain one of the top security risks for organizations today, few appear to be making much progress in addressing the problem.

The sixth and latest edition of the SANS Institute's annual security awareness report, released Tuesday, shows that enterprise initiatives for minimizing human risk continue to be little more than a part-time effort at many organizations.


The survey of over 1,500 professionals involved in security awareness training found that 75% spend less than half their time on that task. When responsibility for the function was assigned, it commonly went to staff with overly technical backgrounds who lacked the skills to engage the workforce in easy-to-understand terms.

"Overall, the data is trending the same" as in previous years, says Lance Spitzner, SANS security awareness director and co-author of the report. "Awareness continues to be a part-time effort, which is why so many organizations are struggling to effectively secure employee behavior and ultimately manage human risk."  

A lack of time and personnel continues to pose a big challenge for organizations seeking to build a mature security awareness program, the survey found. Organizations that had made progress in changing employee behaviors with their awareness programs had at least 2.5 full-time equivalent employees dedicated to the mission. Organizations with the most mature awareness programs had at least 3.5 full-time employees.

However, SANS found the percentage of organizations that actually reported having staff of any size dedicated full time to the security awareness function was low.

"Roughly 10% of organizations out there — represented by our respondents — have someone dedicated full time" to security awareness, Spitzner says. "That is similar to what we have seen over the past surveys, [so] no real change there."  

In most other cases, when an organization has someone working in security awareness, that person is in IT or security and already has numerous other responsibilities, he notes. The SANS survey found salaries, on average, were higher for individuals in other roles handling security awareness on a part-time basis ($106,000) than for individuals dedicated to the role on a full-time basis ($96,000).

As in past surveys, SANS polled respondents on their backgrounds and roles prior to working in security awareness: More than 800 of the 1,500 surveyed professionals had backgrounds in information security or information technology before they began work in security awareness. Fewer than 20% had a nontechnical background, such as marketing, communications, legal, or human resources.

The problem with having people with overly technical backgrounds deliver training is that they can have a harder time communicating and teaching security fundamentals to nontechnical people. Though a certain level of technical expertise is essential for working in security awareness, experts in the field can often perceive security as easy to understand simply because it is part of their daily life, SANS observed in its report.

"Human risk is a people problem, so it takes a human solution" to address it, says Spitzner.

However, that does not mean nontechnical soft skills alone are enough for a security awareness role.

"The awareness professional should be an extension of the security team," Spitzner notes. "This means they should have a basic understanding of cybersecurity, the models and frameworks involved, and perhaps a basic understanding of the technology and attackers involved."

They would also need to have a passion for learning and helping and have strong skills in communicating and partnering with others, he says.

The Right Focus

SANS said organizations should ensure that any person they put in charge of the security awareness function has a title that emphasizes the human risk aspect of the role — for example, "human risk officer." Often, organizational leaders have a tendency to discuss the role in the context of awareness, training, engagement, or influence.

But those terms focus on what's being done rather than why it needs to be done, Spitzner says. "Managing human risk" is a better fit, he says, because "it aligns with leadership's strategic security priorities and explains why awareness needs to be an extension of the security team."

SANS found that security awareness programs typically garner the strongest support from the information security and IT teams, as well as human resources, audit, and senior leadership. Conversely, the biggest opposition to these efforts typically came from operational teams and the finance group, likely because these are the two areas most affected by security awareness programs.

To address concerns from the finance group, SANS recommends security leaders focus on the value of security awareness programs. One way to do that would be to consider the cost of past breaches or compliance failures and compare it to the cost of the security awareness program. Similarly, to address the concerns of operational groups, the security awareness group should focus on ways to reduce lost work hours due to training — by, for example, reducing the number of topics to focus upon.

"Awareness is nothing more than another security control, one designed to manage human risk," Spitzner says. "Security teams need to be treating it as such."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
