Security Journey Expert
Started in July 2020
An investigation of the feasibility of a new security role: The Security Journey Expert.
The first idea was to research whether the 'customer journey methodology' of marketers can be used to make employees more security-conscious. During the explore phase of the project this idea has expanded to an investigation of the feasibility of a new security role: The Security Journey Expert (SJE). This person looks at human behavior in business processes for causes of security vulnerabilities, so that security incidents attributable to human behavior can be reduced.
Results of the Proof of Concept phase: In the Proof of Concept phase the team investigated the viability of this new role by performing a dry run of the work of the Security Journey Expert. We looked at the employee recruitment process within financial organizations from a behavioral point of view and focused on (potential) user-generated incidents. As a result we gained insight into this new role and crafted a draft version of a competence profile.
Results of the extended PoC phase: Limited freedom of movement due to Covid-19 prevented us from observing behavior as it takes place, which is one of the prerequisites for performing the job of an SJE. It was therefore decided to extend the PoC phase and research how an SJE can be implemented in organizations, and whether it should be a role (which can be added to someone's current job) or a function (which implies introducing a new job). We compared several scenarios against criteria for success, e.g. growth potential, impact, organizational feasibility, and desirability, and concluded that we should start by adding this new role to an existing function. From there the role can eventually progress into a function of its own.
Activities in the Pilot phase: In close collaboration with one of the participating organizations, our team has selected a suitable candidate for the new role. We also found an interesting use case for the pilot: the activation flow of the wholesale banking process, including the onboarding of new wholesale customers. We are currently in the process of starting the actual pilot. The pilot will run for 6 weeks and is expected to end in March of this year. The focus is on finding and mitigating security risks in this process caused by the human behavior of employees. Our team will coach the candidate and provide him with tools for doing the job. A hybrid way of working (both at home and on premise) is taken into account. The results will allow us to assess the extent to which this role contributes to measurable improvements. We hope to find that our candidate is able to detect issues in the selected business process and to initiate technical improvements or behavioral interventions with the objective of minimizing human security risks.
This project is part of the trend
Growing need for impactful awareness campaigns and behavioral change programs
There is a growing need for educational, behavioral change programs that target insecure behaviors of end-users and educate such users on how to behave in cyber environments. Cyber security gaming (potentially with VR) is one of the tools currently being developed that could increase attention. However, the question remains whether such programs are effective. To answer that question, metrics and measurement methods are needed to measure the effectiveness of awareness campaigns and interventions.