SecureTrust Cybersecurity
The First Three Levels Of Human Cybersecurity​

The First Three Levels of Human Cybersecurity

Peer into NIST CSF (Cybersecurity Framework) and focus on Protect – PR. Cybersecurity Awareness Training’s in there, an integral part.

Next, visit or revisit the CIS 18 controls. Inspect Control 14 and its 9 safeguards.

Recommendations: Train the people. Ideally, ensure the application of the training.

Annual cybersecurity training is mandated for many for reasons ranging from compliance to corporate policy and recordkeeping.

Sometimes the training is entertaining; but, realistically, often viewers merely tolerate and moderately apply the lessons contained therein.

The training session might end with a dread of phishing email exercises sure to arrive in the coming months. Dread and behavior – not good companions.

Bigger organizations may intentionally build and manage cohesive human cybersecurity programs.

 These will integrate cybersecurity awareness and cybersecurity behavior accented activities all year.

The program is interdependent with HR, representatives from the executive staff, information security and IT, and dedicated cybersecurity awareness staff members.

The goal?

Information security and privacy – top of mind. Practiced.

If Level 1 – training for everyone – is compliance and knowledge based, consider also Levels 2 and 3, program enhancement opportunities that extend human cybersecurity beyond compliance and awareness and further into engagement, integration, and maturity.

Level 2

Level 2 human cybersecurity extends atop the baseline training everyone receives.

Some vendors offer role-based cybersecurity awareness training within their computer-based training packages.

This practice affirms general operational know-how and where (and to whom) cybersecurity applies and also provides more technical staff helpful training that does not belittle their expertise.

True Level 2 training requires some additional specialization, beyond typical role generalities.

Consider additional targeted live training – training specific to the industry and the risks found within it.

Consultants can provide this, and expert staff can as well.

What are some examples for industry-specific training?

  • Additional compliance needs due to industry practices and/or changing laws.
  • The impact of cybersecurity current events regarding this industry.
  • Occasional conversations that reverse the typical order of training – staff members provide their concerns in talking about cybersecurity and corporate culture in an open forum.

Facilitated, likely, but great conversation here can expand the effectiveness of staff application of cyber hygiene and other behavior practices. (Nice introduction to how Level 3 can work here).

Anti-fraud training, both general and training that is specific to the industry or role.

Critique the canned training everyone receives – as a group.

Poke fun at it if you have to, all while discussing its necessity. Because it’s built for everyone, it’s hard to be fully relevant for anyone.

Level 3

Extending Level 2 conversations into strategic human risk programs can prove to be powerful. Welcome to Level 3.

Mature human cybersecurity practices incorporate regular conversations, organically if possible.

What’s happening now that affects us, our organization, and our future?

What else belongs in Level 3?

Consider a program including all of Levels 1 and 2 and tailored also to the individual organization.

This effort likely includes the work of staff dedicated to human cybersecurity and risk.

The core components of Level 3 human cybersecurity:

Risk appetite and tolerance – how the organization views risk and growth irrespective of compliance – and the impact on philosophy and behaviors on cybersecurity spending and practices.

Now, how does that affect staff and other business relationships?

Place of the organization and its products and services within the industry, clearly defined, with changing and emerging risks communicated as points of interest.

Cybersecurity’s intersection with operational policies, processes, and procedures – both the everyday and the occasional work efforts and work products.

What behaviors and attitudes boost or hinder practical human cybersecurity?

Integration with technical efforts – and explaining them, their “whys” and “whats”, with cross-functional teamwork as the organization’s cybersecurity practices gain more maturity.

The Why – the Gains in Incorporating Level 2 and Level 3

Combining the three levels into a comprehensive human cybersecurity program should bring forth significant results – beyond reduced suspicious link clicking and increasing reports of phishing.

Who’s talking about cybersecurity in the hallway?

Do your staff members demonstrate an elevated (and accurate) view of the work of the information security team during conversations?

The human cybersecurity approach is people based, so everyday metrics will be somewhat qualitative.

Perry Carpenter and Kai Roer, mention a great culture probe in their book The Security Culture Playbook.

Ask staff what they see their colleagues doing, not what they do themselves.

Engagement regarding information security and privacy – central tenets of cybersecurity – should increase.

Consider conversations about crime and ingenuity and where the two meet, especially relative to industry and business.


Current cybersecurity statistics indicate the majority of organizational spending is on software tooling.

The risk, however, is largely interwoven with human behavior.

Bolster full cybersecurity by building a true, layered human risk program. Level 4 – not fully defined – awaits.

Full integration with human and machine/tool-based cybersecurity into a true mature program that adapts with the changing online threat landscape.

Integrated. Focused on continuous improvement. Governed/adjusted regularly. Until the day when cybercrime is defeated, we remain vigilant human defenders, battling alongside our tools.

Related Content

Heather Noggle
Heather Noggle

Heather offers more than 30 years of expertise built from experience as early as Commodore 64 tinkering. Human cybersecurity is her passion – training, tips and tricks, and reframing cyber hygiene activities as fighting back.

Share This Article

Subscribe to SecureTrust newsletter

Get the week’s best
cybersecurity content.
Sign Up >

Join 10,000 Subscribers

AI & Cybersecurity Insights
Delivered To Your Inbox

SecureTrust Cybersecurity Powered By Helios