Human Risk Management: The Case for Living Security

by Jamie Lewis, Venture Partner

A complex interaction of threats, attack vectors, and enterprise security architecture is behind every breach. But an examination of common security failures reveals a fundamental disconnect between the technological and human aspects of security architecture in many enterprises.

Make no mistake: security products and services are an essential part of the solution. But it’s equally important to understand that behind every bit of malware is an adversary — people who are attacking an organization. Organizations are, of course, composed of people, and people bring risks and vulnerabilities that may be beyond the grasp of technology. The 2020 Verizon Data Breach Investigations Report (DBIR) found that phishing and the use of stolen credentials were the top two threat actions in 2019, accounting for more than 50 percent of all breaches. It also found that human error (which includes misconfiguration) is the fastest-growing threat action.

There are many opinions on how to mitigate human risks effectively. But there is a long-standing consensus that raising security awareness for users will help. Still, many security leaders view awareness training for employees as a check-box item, a grudging necessity for satisfying the compliance police. From the user’s point of view, the training often consists of mind-numbing PowerPoint presentations that condescend to and blame employees. And it’s usually one-size-fits-all, ignoring the wide spectrum of experience, education, and understanding across a large and diverse employee population.

The results are predictable.

When organizations view security awareness training as just a check-box issue, they don’t just devalue the human element of their security architecture, they deprecate it, making it more difficult to manage risk in a rapidly evolving threat environment. The drudgery of endless training presentations reinforces negative views of cybersecurity efforts. Knowledge retention and follow-through rise (or sink) concomitantly. Rote materials with little or no prioritization based on what people really need — or any meaningful connection to their jobs and lives — fall on deaf ears. While the security team can check the compliance tick-box, it has done little to improve the organization’s security posture.

These dynamics are driving the trend toward more people-centric security architectures, creating a stronger first line of defense against determined adversaries. In short, enterprises should view human risk management as a core component of the security architecture, on equal footing with the security technology they deploy. They need innovative training tools that enhance other security products and services. Instead of one-size-fits-all materials, security leaders need awareness programs that are based on a deep understanding of the organization’s employee population, its strengths and weaknesses, and the evolving threats the organization faces. But most security awareness training programs are stuck in the 1990s, and the results speak for themselves.

Living Security’s Approach: People-Centric Security Architecture

Living Security co-founders Ashley and Drew Rose recognized both the problems with traditional security awareness programs and the need to enable a more people-centric security architecture. They set out to modernize security awareness programs, and are well on their way to creating a comprehensive human risk management platform. The company is achieving those goals by:

  • Applying modern concepts to the problem: Living Security uses techniques gleaned from the learning/development and behavioral science fields — including gamification — to create engaging and immersive learning experiences. Such experiential learning dramatically increases knowledge retention and is much more effective at motivating changes in behavior.
  • Using a cloud platform and automation to increase scale: While in-person training is valuable — and a part of Living Security’s product portfolio — effective awareness programs must scale to cover large enterprises spread over significant geographies. Living Security’s platform allows security leaders to customize training campaigns, providing active learning simulations, puzzles, and quizzes that can reach all employees, whether they’re working from home, a remote office, or company headquarters.
  • Using data analytics to drive program development: As employees move through the training, Living Security’s platform gathers metrics that give security leaders real insight into the human risk in their employee population. Program leaders gain a better understanding of how educated users are, what concepts they understand, and where they need help. Based on that knowledge, they can segment the user base and fine-tune training, creating custom campaigns to address specific needs within specific employee subsets and tracking progress.

Beyond the Escape Room

Living Security’s first product took the adventure and puzzle aspects of the popular escape room game genre and applied them to security. Because it provides an entertaining and effective way of teaching good security practices, the escape room remains a popular part of Living Security’s product portfolio. In 2018, the company created a “train the trainer” program and software tools that allowed a customer’s employees to conduct the escape room training exercises across the organization. More recently, Living Security put the escape room online in response to the COVID-19 pandemic, giving its customers the ability to engage employees while they sheltered in place.

As popular as the escape room is, however, it was only the start of Living Security’s evolution. The company took the learning and experience from the escape room and built its training platform, which is the centerpiece of its product strategy.

Effective training requires context, and in the security world, that context consists of multiple layers. Threat intelligence indicates what’s happening in the world at large. Incident response data indicates what’s happening in a specific organization. Employee metrics indicate which people need help and the concepts they need help with. By integrating these elements in its platform, Living Security is bringing a new approach to security awareness and enabling a more people-centric approach to security architecture. In short, Living Security is developing a human risk management system, and that’s why we invested in the business.


Originally published at on June 23, 2020.

Rain Capital is a cybersecurity venture fund based in the San Francisco Bay Area. A women-led and -managed fund, Rain invests in disruptive security companies.
