The process of encouraging secure cyber habits in end users is evolving from traditional awareness training toward changing end user behavior. The shift reflects a growing acceptance that the traditional methods haven’t worked.
Awareness training had unsophisticated beginnings. “Mouse pads and coffee mugs that read: ‘We can’t spell S E C _ R I T Y without ‘U’,” recalls Timothy Morris, chief security advisor at Tanium. The approach improved when security teams began manually sending employees simulated phishing emails, and again when vendor products automated, scaled, and measured the process.
The latest approach attempts to use neuroscience to shape an automatic good user response to anything phishy. Where traditional security awareness teaches users how to recognize social engineering, behavior change training trains the brain (almost pre-programs it) in the correct recognition of, and response to, phishing.
Hoxhunt belongs to this school of user security. Its latest report (PDF) focuses on how behavior change has worked within the critical industries. It is compiled from an analysis of more than 15 million phishing simulations and real email attacks reported in 2022 by 1.6 million people, all of them taking part in a security behavior change program. The key takeaway is that employees within critical industries are particularly responsive to Hoxhunt’s behavior change methodology.
The science behind the Hoxhunt platform can be related to the principles outlined in Stanford adjunct professor BJ Fogg’s ‘Tiny Habits’. It is based on short, frequent, positive ‘nudges’ controlled by an AI platform that tailors the program to deliver highly personalized learning paths to individual users.
“Airbus is a good example of our scale,” Jeff Platon, CMO at Hoxhunt, explains. “It has 438,000 employees. They have 438,000 individual learning paths that have been built by the Hoxhunt platform. And I think we’ve conducted roughly 65 million different learning moments.”
The process is based on repeated ‘micro learning moments’ (each taking between 60 and 90 seconds) that are delivered as positive reinforcement in a gamified experience. The premise, drawn from neuroscience, is that such repetition strengthens the synapses (the junctions between nerve cells) within the brain; the result is behavior change.
While traditional awareness training seeks to teach users how to recognize a phish, behavior change teaches recognition and the automatic correct response. Awareness training struggles against the memory and focus limitations of the human brain, described in this context by Bec McKeown, founder and principal psychologist at Mind Science, as ‘a limited capacity information processor’. Behavior change instead bakes in the correct recognition and response, removing the reliance on externally imposed memory and focus. Recognizing and correctly responding to phishing becomes something like the mythical muscle memory of the brain.
“Behavior-based engagement with phishing emails,” suggests Krishna Vishnubhotla, VP of product strategy at Zimperium, “is better than traditional security courses as it better prepares you to recognize an attack. It becomes second nature to report it, especially when it is AI-generated adaptive learning.”
The Hoxhunt analysis focuses on the critical industries (CI) that use its platform. It finds that real threat detection runs at 65.6% in CI compared to a 60% global average. Over the course of the program, the success rate in CI improved by 31%, against a 7% improvement for the global average, and the failure rate fell by 65%, against a global average reduction of 13.2%.
Hoxhunt summarizes these figures with what it calls the resiliency ratio. “We see critical infrastructure outperforming the global averages. We think this is best represented as them being about 50% higher than the global average,” said Platon. “It’s the ability to successfully detect a real attack divided by the failure rate – and critical infrastructure performs at 10.9 versus 7.2 for the global average. So, 51% better is significant.”
The only blot on CI performance is spoofed internal organizational communications, where CI’s failure rate is 11.4% higher than the global average.
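The resiliency ratio itself is a single division, but a program owner has to derive it from raw simulation outcomes. The following Python is an added example, not Hoxhunt’s code: it uses assumed outcome labels (“reported”, “failed”, “ignored”) and assumed segment names rather than Hoxhunt’s own definitions of success and failure, computes per-segment success rate, failure rate and resiliency ratio from constructed per-email records, and handles a segment with no failures, where the ratio is undefined.

```python
import math
from collections import Counter, defaultdict

# Constructed sample data: one record per phishing email (simulated or real)
# delivered to a user in a behavior-change program, as (user, segment, outcome).
# The outcome labels and segments are assumptions for this example, not
# Hoxhunt's taxonomy:
#   reported -> the user reported the email (counted as a success)
#   failed   -> the user clicked, opened the attachment or entered data
#   ignored  -> no action; neither a success nor a failure
SAMPLE_EVENTS = [
    # critical-infrastructure segment: 13 reported, 1 failed, 6 ignored
    *[(f"ci-{i}", "ci", "reported") for i in range(13)],
    ("ci-13", "ci", "failed"),
    *[(f"ci-{i}", "ci", "ignored") for i in range(14, 20)],
    # everyone else: 12 reported, 2 failed, 6 ignored
    *[(f"g-{i}", "global", "reported") for i in range(12)],
    *[(f"g-{i}", "global", "failed") for i in range(12, 14)],
    *[(f"g-{i}", "global", "ignored") for i in range(14, 20)],
]


def segment_metrics(events):
    """Per segment: success rate and failure rate as a percentage of
    delivered emails, and resiliency ratio = success rate / failure rate."""
    by_segment = defaultdict(Counter)
    for _user, segment, outcome in events:
        by_segment[segment][outcome] += 1

    result = {}
    for segment, counts in by_segment.items():
        total = sum(counts.values())
        # Multiply before dividing so the percentages stay exact where possible.
        success = counts["reported"] * 100 / total
        failure = counts["failed"] * 100 / total
        # A segment with zero failures has an undefined ratio; report
        # infinity instead of raising ZeroDivisionError.
        ratio = success / failure if failure else math.inf
        result[segment] = {
            "delivered": total,
            "success_rate": round(success, 1),
            "failure_rate": round(failure, 1),
            "resiliency_ratio": round(ratio, 1) if math.isfinite(ratio) else ratio,
        }
    return result


def relative_advantage(metrics, segment, baseline="global"):
    """Percentage by which `segment`'s resiliency ratio exceeds `baseline`'s,
    the same comparison the article makes between 10.9 and 7.2."""
    a = metrics[segment]["resiliency_ratio"]
    b = metrics[baseline]["resiliency_ratio"]
    return round((a / b - 1) * 100, 1)


if __name__ == "__main__":
    m = segment_metrics(SAMPLE_EVENTS)
    for seg, vals in m.items():
        print(seg, vals)
    print("ci vs global:", relative_advantage(m, "ci"), "% better")
```

On the constructed sample the CI segment scores 65.0% success and 5.0% failure (ratio 13.0) against 60.0% and 10.0% (ratio 6.0) for the rest, so the relative advantage is 116.7%; the published figures of 10.9 and 7.2 give the 51% the article quotes. Note that "ignored" emails count toward delivered volume but neither rate, so a program with many silent non-clickers can show a low failure rate without a high success rate; both rates should be read together.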
While greater external regulation and a heightened awareness of geopolitical tensions probably account for some of the critical industries’ stronger behavior change results, this success can only be welcome. Behavior change seems to be the next logical step toward hardening the user.
Espoo, Finland-based Hoxhunt was founded in 2016 by Mika Aalto (CEO), and Pyry Avist (CTO).
Related: Security Awareness Training Isn’t Working – How Can We Improve It?
Related: Cybersecurity Training Firm Hoxhunt Raises $40 Million
Related: Vista Equity Partners to Acquire Security Awareness Training Firm KnowBe4 for $4.6B
Related: Security Awareness Training Top Priority for CISOs: Report