People-Centric Security (or Bottoms-Up)

Travis Good
November 17, 2022

Data is, or at least should be, the lifeblood of an effective information security program. There are countless security-relevant data points from hundreds or sometimes thousands of systems. Typically, the biggest challenges facing a data-driven information security group are 1) combining data and 2) analyzing data to maximize signal capture in a sea of noise. Data should be used to monitor the health of information security, report on it, improve it, and proactively mitigate risks.

One source of data that is typically missing from an infosec program is user, or employee driven data. Your employees are on the front lines. They see things you may not be able to see in existing security data.

Examples of People-Centric Security Data

Given the dynamic nature of cybersecurity threats and technologies, the list of people-centric security data is ever-evolving. Below are some of the common examples we see at Haekka.

User Risk Surveys

Measuring and managing risk is foundational. Today, risk is measured from the top down. This is not wrong. But it misses valuable data directly from users about the risks they perceive from different actions, technologies, and workflows.

User Hygiene Surveys

Security awareness training teaches users about strong passwords, updating software, and other technical security measures. The question is how those measures are actually implemented when users have a choice. Simple surveys about security hygiene don’t replace tools that enforce certain security measures (like complex passwords or MFA), but they add value because they capture users' subjective response to these measures.

User Mindset Surveys

Asking how frequently users think about security when they work is a simple way to gauge the priority of security in the flow of work. And, if tracked over time, it is a great metric to target for improvement.

User Threat Impact Surveys

There are new threats all the time. These can take the form of social media, phishing, malicious apps, or a long tail of other things. Asking users whether they have been exposed to these types of threats helps you understand how those threats impact your workforce and your company's security.

It goes beyond the data

The soft ROI of people-centric security is that, by virtue of asking users questions about security, you bring security to the top of mind. Surveys are a great way to subtly reinforce lessons like the example above about complex passwords or password reuse.

Collecting Data

Asking users to provide risk and security data is rightfully perceived as a burden that security does not want to put on employees. But it doesn’t have to be a burden. There are new tools that can automate much of this and time-box the collection of data so that it takes less than 10-15 seconds to complete.

One solution to this problem is to regularly - weekly, bi-weekly, monthly, quarterly - deliver simple, one-question security surveys in Slack. These surveys show up like any Slack chat message, and the only action a user needs to take is to click a button.

Haekka Engagements

Engagements were built to power people-centric security. Ad hoc or recurring surveys are sent in Slack. Using a simple editor or a library of existing templates, these can be created and scheduled in minutes.

Data is correlated and reported on with security context. User, group, and organization metrics are always available and always up-to-date.
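The one-question Slack survey described under Collecting Data, and the user, group, and organization metrics mentioned above, as an added example that is not Haekka's code: the message and the `block_actions` payload follow the field shapes Slack documents for Block Kit buttons, while the question wording, the ordinal answer scores, the user ids, and the group mapping are constructed sample data. Sending the message and receiving the interaction are left to whatever Slack client you use.

```python
"""Added example: build a one-question Slack survey as a Block Kit message,
parse the button click Slack sends back, and roll responses up into
completion rate and answer distribution for the org and each group."""
import json
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed example: one "user mindset" question with three answer buttons.
QUESTION = "How often did you think about security while working this week?"
OPTIONS = [("Rarely", "rarely"), ("Sometimes", "sometimes"), ("Often", "often")]
SCORE = {"rarely": 0, "sometimes": 1, "often": 2}  # ordinal score per answer (assumption)


def build_survey_message(survey_id: str, question: str, options) -> dict:
    """Block Kit message: a section with the question and one button per answer.
    The survey id is carried in block_id so the click can be attributed later."""
    return {
        "text": question,  # plain-text fallback shown in notifications
        "blocks": [
            {"type": "section", "text": {"type": "mrkdwn", "text": question}},
            {
                "type": "actions",
                "block_id": f"survey:{survey_id}",
                "elements": [
                    {
                        "type": "button",
                        "text": {"type": "plain_text", "text": label},
                        "action_id": f"answer:{value}",
                        "value": value,
                    }
                    for label, value in options
                ],
            },
        ],
    }


@dataclass(frozen=True)
class Response:
    survey_id: str
    user_id: str
    answer: str


def parse_block_action(payload: dict) -> Optional[Response]:
    """Extract the answer from a Slack `block_actions` interaction payload.
    Any other interaction type, or a click outside a survey block, yields None."""
    if payload.get("type") != "block_actions":
        return None
    for action in payload.get("actions", []):
        block_id = action.get("block_id", "")
        if block_id.startswith("survey:") and action.get("type") == "button":
            return Response(block_id.split(":", 1)[1], payload["user"]["id"], action["value"])
    return None


def survey_metrics(survey_id: str, responses, recipients: set, groups: dict) -> dict:
    """Completion rate, answer counts and mean score for the org and per group.
    recipients: user ids the survey was sent to; groups: user id -> group name.
    A user's latest click wins; clicks from non-recipients are ignored."""
    answered = {r.user_id: r.answer for r in responses
                if r.survey_id == survey_id and r.user_id in recipients}

    def summarize(users):
        got = [answered[u] for u in users if u in answered]
        return {
            "sent": len(users),
            "completed": len(got),
            "completion_rate": round(len(got) / len(users), 2) if users else 0.0,
            "answers": dict(Counter(got)),
            "mean_score": round(sum(SCORE[a] for a in got) / len(got), 2) if got else None,
        }

    by_group = defaultdict(set)
    for u in recipients:
        by_group[groups.get(u, "unassigned")].add(u)
    return {"org": summarize(recipients),
            "groups": {g: summarize(us) for g, us in sorted(by_group.items())}}


# Constructed sample data: six recipients in two groups; four clicked a button,
# and one unrelated interaction is mixed in to show it is filtered out.
RECIPIENTS = {"U01", "U02", "U03", "U04", "U05", "U06"}
GROUPS = {"U01": "engineering", "U02": "engineering", "U03": "engineering",
          "U04": "sales", "U05": "sales", "U06": "sales"}
SAMPLE_INTERACTIONS = [
    {"type": "block_actions", "user": {"id": uid},
     "actions": [{"type": "button", "block_id": "survey:mindset-w46",
                  "action_id": f"answer:{ans}", "value": ans}]}
    for uid, ans in [("U01", "often"), ("U02", "sometimes"), ("U04", "rarely"), ("U05", "rarely")]
] + [{"type": "view_submission", "user": {"id": "U06"}}]


def demo() -> dict:
    responses = [r for r in map(parse_block_action, SAMPLE_INTERACTIONS) if r]
    return survey_metrics("mindset-w46", responses, RECIPIENTS, GROUPS)


if __name__ == "__main__":
    print(json.dumps(build_survey_message("mindset-w46", QUESTION, OPTIONS), indent=2))
    print(json.dumps(demo(), indent=2))
```

With the sample data the org completion rate is 0.67 and the mean mindset score is 0.75, with engineering at 1.5 and sales at 0.0; tracking those per-group numbers across weekly sends is what turns a single survey into the trend metric the Mindset section describes.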

And, in terms of the burden on employees - we see completion rates that are 2-3x higher than other survey tools.