OutThink’s cybersecurity training uses NLP and data to mitigate employee-related risks

Missed a session of MetaBeat 2022? Visit the on-demand library for all our recommended sessions here.

Traditionally, cybersecurity has revolved around technology, but in reality it is a people problem.

Research shows that human behavior is responsible for most cybersecurity problems: 95% according to the World Economic Forum; 82% according to Verizon’s 2022 Data Breach Investigation Report; almost 91% according to the UK’s Office of the Information Commissioner.

This is not due to a lack of training, said Flavius ​​Plesu, CEO of the new software-as-a-service (SaaS) platform. being too smart.

“Employees have not been ignored; training has always been an important part of the security landscape,” he said.


Top with little code/no code

Join today’s leading executives at the Low-Code/No-Code Summit virtually on November 9. Register for your free pass today.

Register here

However, he pointed out that these have primarily been delivered through computer-based Security Awareness Training (SAT).

“SAT’s focus until now has been on educating users, rather than understanding users,” he said.

To address this, OutThink claims it has invented a new category of software: the cybersecurity platform for human risk management. To help with development, the company announced today that it has raised $10 million in an early stage funding round.

“The whole platform is about making the human side of security practical,” Plesu says.

Increasing risk

Cyber ​​attacks continue to increase in complexity, scope and cost. The average costs of a data breach worldwide is $4.35 million; in the US, it’s more than double, at $9.44 million.

In fact, 2021. of the World Economic Forum Global Risk Report views cyber-attacks as one of the top three threats of the decade, alongside weapons of mass destruction and climate change.

To the point of human behavior, this year’s focus Cyber ​​Security Awareness Month (October) is “See Yourself in Cyber.” Gartner identifies ‘beyond awareness’ programs as one of the top trends on cybersecurity in 2022.

“Progressive organizations are moving beyond outdated, compliance-based awareness campaigns and investing in holistic behavioral and culture change programs designed to elicit safer ways of working,” writes Peter Firstbrook, Gartner VP analyst.

Taking training to the next level

Companies that offer platforms for this include: KnowBe4, SoSafe, CybSafe, Aware of cyber risks and CyberReadyamong other things.

OutThink’s tool uses supervised machine learning (ML), natural language processing (NLP), and applied psychology to reveal what users really believe and assess their risk, Plesu explains.

Intelligence is combined with data from integrated security systems — such as Microsoft Defender or Microsoft Sentinel — to present live dashboards that show the overall human risk picture at the departmental, group or organizational level, as well as the root causes of that risk, he said.

Based on this information, the platform then advises or automates tailor-made improvement actions.

All three points of the human-process-technology triangle are “more closely aligned and merged,” Plesu said, and “people are no longer the problem: they become the solution.”

The platform is already being used by a number of major global organizations, including the Whirlpool, Danske Bank, Rothschild and FTSE 100 brands, he said.

Taking on the ‘human challenge’

OutThink grew out of Plesu’s personal experience as a CISO. Early in his career, he explained, he led complex cybersecurity transformation programs within large global organizations.

“It became clear to me that despite significant investments in technical security measures and awareness training, we were still exposed,” he said.

He began to rethink cybersecurity and address the “human risk challenge” with CISO colleagues and members of the academic community.

Plesu noted that when people use computer systems to process or process information, there is an inherent risk that someone will make a mistake or turn against the company and cause deliberate harm. Cybersecurity human risk management aims to answer three key questions for CISOs:

  • Identifying Human Risk: Who in my organization is more likely to cause a data breach?
  • Understanding Human Risk: Why are these people at risk?
  • Human risk management: How can we better support these colleagues?

“The idea for OutThink was born out of frustration with the first-generation solutions on the market, but it also grew out of a passionate belief: if we involve people beyond just security awareness training, we can turn them into the strongest defense mechanism of all.” make an organization,” Plesu said.

One FTSE 100 organization benchmarked OutThink using independent phishing simulation platforms (Proofpoint and Cyber ​​Risk Aware). After just one individualized OutThink security awareness session, employees were 47.74% less likely to click on a phishing link and 46% more likely to correctly identify and report a phishing email, Plesu said.

A new approach

In contrast, he said, first-generation tools on the market offer e-learning modules or videos and phishing simulations that are typically identical to all users.

While these have moderate efficacy, they have the same problem as any other training solution: the vast majority of information (75%) is forgotten within a week, he stressed.

Newer platforms use ML to understand behavior and target training, namely through surveys. But NLP and data science are not usually applied to understand how people think and think about security; they depend on honest responses.

“A high number of cognitive biases means this is a risky approach,” Plesu says. “People tend to overestimate their own abilities and knowledge, especially for those with the weakest competences.”

Also, people tend to see themselves as exceptions and will give the answers that require the least effort.

There are also custom-designed e-learning resources for organizations or specific departments within them, he said.

“We do not consider this a viable alternative because there are major differences in the safety attitudes – including personality, risk perception and intentions – and behavior of each employee within an organization; even within the same department,” says Plesu.

Ultimately, “the continued growth of cybercrime shows that conventional approaches don’t work,” he said. “There is an urgent need for effective new approaches to human risk management in cybersecurity.”

The mission of VentureBeat is a digital city square for tech decision makers to learn about transformative business technology and transactions. Discover our briefings.