May 14, 2021

Cybersecurity Culture: Why Knowing is not Half the Battle

Note: Verizon Media is now known as Yahoo.

Paranoids mascot reading books.

There’s a reason traditional approaches to improving security culture aren’t effective in improving a company’s security posture. They don’t work.

Verizon Media’s security team — the Paranoids — created a Proactive Engagement group that set out to discover the reasons why. This small group of a dozen employees marries offensive testing, security awareness, and behavioral engineering in an effort to improve our cybersecurity culture overall.

The idea is simple: they start with what they know. The team identifies specific kill-chain-breaking actions rooted in real attacks.

Then the real work starts. The team uses this information to combat these attacks by influencing employee behavior. They broadcast actionable advice to improve defenses across the entire company, like using a password manager or reporting a phishing attack. And, most importantly, they collect data about new behaviors to test which techniques — communications, simulation, or training, or a combination of all three —are the most effective to improve employee cybersecurity defenses.

This approach is really effective. Over the past couple of years, the rate of credential capture resulting from phishing simulations decreased exponentially. The number of active corporate password managers accounts in the same time period grew at an even greater rate.

Earlier this year, the Paranoids authored a case study with a group inside MIT’s Sloan School of Business (CAMS). You can read the case study here.

P.S. We're hiring!