Slack for Security - User Risk Surveys in Slack

Travis Good
July 19, 2022

This is another post in our series on how to use Slack for Security. In this post, we discuss why you should be conducting employee risk and security surveys and why Slack is a great tool to do it. We conclude with an example survey template that can be used to kickstart surveys at your company.

Why user risk data is important

Risk is the basis of all security programs. Risk is assessed in a multitude of ways, from vulnerability scans, to the volume of data stored and processed, to reviews of policies and procedures.

Employee, or human, risk is often cited as a major, or the major, risk facing companies today. This is because the majority of security incidents and data breaches come from actions employees take, most notably clicking links to fake websites (phishing) or installing malicious software (malware).

Collecting subjective data from employees in the form of user risk surveys is one more valuable source of data. While subjective employee survey data is not actual behavioral data (it doesn’t correlate 1:1 with the actions and decisions employees actually make), it serves a few valuable purposes for companies that choose to conduct these surveys and use the data as a part of a broader security and risk program.

  1. Target resources towards high risk. Security surveys can provide data on which users are most at risk for certain types of attacks and which systems are most at risk. This is not the only source of data for risk but can be additive to what you are already doing.
  2. Educate and engage employees about security. Surveys are another way to educate employees about security. The process of reading and answering questions about risk and vulnerabilities is a way to promote thinking about these areas. And it doesn’t feel like training.

Why don’t we leverage user risk data

If there’s value in user risk surveys, why don’t more companies do them? There are a few reasons:

  1. Engagement is low. Getting people to complete another Google survey is a decent lift.
  2. People do not value the data. Subjective data is often seen as low value data.
  3. There’s nothing to do with the data. This is the primary reason. There isn’t an obvious place for this data or way to use this data.

Despite the above, there are good reasons to do user risk surveys.

What about polling tools in Slack

There are many Slack apps that can be used to survey users. Search Slack’s App Directory for “polls” or “surveys” and you’ll discover there are lots of options that you can use in Slack to conduct simple surveys; here are the results for “surveys” - https://haekka-works.slack.com/apps/search?q=survey.

We’ve used different Slack survey tools. Some are fantastic. But, what we’ve seen as a blocker with them for security and risk surveys is that they are not dedicated to security. Oftentimes, these apps are owned by HR and security does not have direct access to create or send surveys.

User risk surveys with Haekka in Slack

We added features to Engagements to make it super simple to create, assign, and complete user security and risk surveys in Slack.

Creating a Security Survey in Slack

Like most admin functions, creating surveys on Haekka is done on the web dashboard.

  • In the Haekka web dashboard, navigate to the Engagements section using the left-hand menu (or get there directly using this link).
  • Choose Create Engagement on the top right.
  • Complete the information about the engagement. The screenshot below shows a recurring quarterly password survey.

Assigning a Security Survey in Slack

Now that you’ve created the survey, you need to choose who should complete it. You can choose to add individual users from Slack, all users from a channel, or users in your Slack workspace. Optionally, you can sync this survey to your Slack workspace or to a channel so all new users added will be assigned this survey.

You can see the assignment options below:

Completing a Security Survey in Slack

Assigned users will be notified of the survey on the date set as well as on subsequent dates if the survey is recurring. The survey can be completed by users entirely in Slack.

User risk data from surveys in Slack

The data collected in the survey is available in the Haekka dashboard. Data in aggregate and over time is provided to empower security leaders to make informed decisions about their infosec programs and resources. Additionally, admins can drill down into the data to assess individual risk.

---

We created a video to show how easy it is to create, assign, and complete a basic password hygiene survey using Haekka in Slack.

---

Haekka is a security HQ in Slack. Train, stream content, ask questions, collect data, and continuously engage employees in the context of work. Schedule a demo and start a free trial today.