Security Behavior Coach

The first idea was to research whether the 'customer journey methodology' of marketers can be used to make employees more security-conscious. During the explore phase of the project this idea has expanded to an investigation of the feasibility of a new security role: The Security Behavior Coach (SBC). This person looks at human behavior in business processes for causes of security vulnerabilities, so that security incidents attributable to human behavior can be reduced.

Results of the Proof of Concept phase
In the Proof of Concept phase the team investigated the viability of this new role by performing a dry run on the work of the Security Behavior Coach. We looked at the employee recruitment process within financial organizations from a behavioral point of view and focused on (potential) user-generated incidents. As a results we gained insight into this new role and crafted a draft version of a competence profile.    

Results of the extended PoC phase
A limited freedom of movement due to Covid-19 prevented us from observing behavior as it takes place; one of the prerequisites for performing the job of an SBC. It was therefore decided to extend the PoC phase and research how an SBC can be implemented in organizations, and whether it should be a role (which can be added to someone's current job) or a function (which implies introducing a new job). We compared several scenarios against criteria for success, e.g. growth potential, impact, organizational feasibility, and desirability and concluded that we should start by adding this new role to an existing function. From there the role can eventually progress into a function of its own.

Activities in the Pilot phase
In close collaboration with one of the participating organizations, our team has selected a suitable candidate for the new role. We also found an interesting use case for the pilot: the activation flow of the wholesale banking process, including the onboarding of new wholesale customers.  We are currently in the process of starting the actual pilot. The pilot will run for 6 weeks and is expected to end in March of this year. The focus is on finding and mitigating security risks in this process caused by human behavior of employees. Our team will coach the candidate and provide him with tools for doing the job. A hybrid way of working (both at home and on premise) is taken into account. The results will allow us to assess the extent to which this role contributes to measurable improvements. We hope to find that our candidate is able to detect issues in the selected business process and to initiate technical improvements or behavioral interventions with objective to minimize human security risks. 

Exploit phase - final result
This project has defined a new role in the cybersecurity landscape. A job profile and description of the core tasks are available as a download (see below). We're still investigating the possibilities for further dissemination towards the market.