Introducing Human Risk: The Next Generation of Security Awareness

Unsolved, But Ever-Present 

Since its first publication in 2008, the Verizon Data Breach Investigations Report (DBIR) has consistently highlighted human error as the top contributor to breaches (74 percent in 2023). This finding has become so widely accepted that most security practitioners simply assume it as a given, chalk it up as an unsolvable problem, and move on to protecting networks, devices, and applications. This has been largely due to the lack of data-driven visibility into the problem and actionable insights as to whether interventions such as training or phishing simulations were reducing human-centric risk. The result? Programs with a one-size-fits-all approach that did little to demonstrate true risk reduction. It was time for a change. 

Mimecast Acquires Elevate Security

Given the pervasiveness of human error in breaches, an organization’s protection strategy must include an understanding of their human-centric risk and the tools to demonstrably mitigate this risk. That’s why in January 2024, Mimecast acquired Elevate Security, the leading provider of human risk management. This strategic acquisition demonstrates Mimecast’s continued commitment to enhancing protection for customers and providing proactive insights and deeper visibility into human behaviors and risk, helping customers better protect their digital workspace. The Elevate platform helps organizations proactively identify high-risk users and automate responses and safeguards. When combined with Mimecast’s Awareness Training offering and world-class email and collaboration security suites, these capabilities can help reduce overall risk and exposure for companies like never before.

What is Human Risk Management? 

While most security incidents involve the human element, it’s a very small percentage of users actually causing those incidents. The guiding principle behind human risk management is that security training and controls should not be one size fits all. Rather, they should be applied based on the level of risk that individual users pose, whether based on actions, frequency of being attacked, or role. The ability to apply tailored security training or controls will allow organizations to invest the appropriate levels of resources and attention on the highest-risk users, while also reducing friction for those who present less risk. 

Here are a few use cases: 

• Human risk management can help tailor security interventions to individual users, allowing policies and controls to be dynamically assigned to individuals or groups based on their actual risks. This can make policy strategy more intuitive, effective, and automated for customers. 
• The combination of Elevate's risk identification capabilities and Mimecast's Awareness Training roadmap promises to give customers a more complete view of user risk, enabling customers to dynamically tailor targeted training strategies that can be more effective in impacting risky behavior than a generic training program schedule.   
• Bringing Elevate’s data platform into Mimecast’s suite of products will enable the integration of more data from a wider variety of sources, delivering better intelligence that can ultimately consider human risks based on people's actions, attacks targeted at them, and their access levels to corporate systems. This will allow customers to make much more informed decisions about their security postures as we offer better risk visibility and mitigation together. 

Bringing Human Risk Management and Security Awareness Training Together 

As organizations evolve their security awareness training strategy to consider all aspects of human risk, it is important to be aware that awareness training and human risk management are not in opposition to each other, but instead, are better together.

Security awareness focuses on what employees know about security – an important but incomplete piece of the equation. Human risk management fills in the gaps but provides an understanding about what employees do in relation to security – what good and bad security decisions do they regularly make? Are they repeat offenders? How frequently are they being attacked? With this understanding, security practitioners are able to gain a picture of the distribution of risky employees across their organization. Elevate analytics show that eight percent of users are causing 80 percent of incidents. Not all users are equal in their security awareness and the human risk they pose.

This visibility allows for a much more precise application of security interventions like training, feedback, and nudges to the workforce allowing for the right training to be delivered to the right person at the right time. This maximizes the ability for an organization to proactively protect itself while reducing unnecessary training hours or security friction.

While email remains the largest threat vector, an effective human risk management strategy requires input from a broader range of signals that can provide measurement into prominent areas of human error such as clicking on that phishing link, downloading malware, mishandling data, or compromising an account. Elevate’s technology ingests data from more than 50 different sources to gather user context, then processes more than two billion data points to determine predictive risk that flags risky individuals with precision.

Mimecast’s suite of products in combination with Elevate’s capabilities offers practitioners the ability to take their security awareness programs to the next level through: 

• Risk assessment that is behavior-based, rather than self-assessment based or simulation based. 
• Advanced risk scoring that makes sense of all the disparate user data to understand what is truly risky and where it resides within the organization. 
• Nudging and intervention that allows for responding to behavior with applicable and relevant training in the moment a risky behavior is demonstrated. 
• Context-aware and adaptive training that equips security, IT, and awareness teams to actually address risk specific to the employee. 
• Recommendations to tune email security controls to better protect the most at-risk employees. 
• True behavior change solutions beyond just phishing simulations. 

The Bottom Line 

Research shows that a minority of users cause the vast majority of security incidents. Adapting security training and controls to each employee based on individual levels of risk can help make huge strides towards a better security posture. With the incorporation of Elevate Security technology into the Mimecast suite, Mimecast customers will be able to not just check a compliance box, but to proactively gain insights and deeper visibility into human behaviors and risk, helping them empower their workforce and work protected.