I'm finding myself more and more often speaking to senior leaders about human risk. Leaders not only want to better understand how to manage human risk, but why we are facing this growing problem. Attached is a graph I love to use when starting this discussion (feel free to steal and use it if it can help you). Many security professionals like to blame employees as the problem, often quoting the phrase "you can't patch stupid", a quote and attitude that I passionately disagree with. People, just like the Windows operating system, store, process and transfer information. As a result, people, just like the Windows operating system, are also a target. However, as you can see in this graph, we have invested a huge amount of effort in the past 15-20 years securing one type of operating system (the Windows OS) while investing almost nothing in securing the other operating system (the Human OS).
The problem is not that people are lazy, stupid or inherently insecure; the problem is that we, the security community, have failed to secure them. We have failed to build mature awareness programs that focus on key behaviors that people can easily exhibit. We have failed to engage people on their own terms, in ways they can easily understand. This is all beginning to change, which is why I'm so excited and optimistic. But the change is not going to truly happen until we communicate this problem to our leaders. Leadership needs to understand that just as we invested in security technology and saw a dramatic ROI, we also need to start investing in securing people. And the best way to make that investment, as demonstrated by the 2017 Security Awareness Report, is to invest in at least one Full Time Employee (FTE) to run your security awareness program. As for those in the security community who feel that people are still an unsolvable problem, I challenge you to take a long look in the mirror first and ask yourself what you have done to help secure people on their terms and not yours.