
Latest news with #StuSjouwerman

The Rise Of Adaptive Security Training: Personalized Risk Management

Forbes

23-07-2025

  • Business
  • Forbes


Stu Sjouwerman is Founder and Executive Chairman of KnowBe4 Inc., a security awareness training and simulated phishing platform.

Cybersecurity relies as much on human behavior as it does on technology. Even the most robust firewalls can be rendered ineffective by a single thoughtless click. As organizations face increasingly sophisticated phishing attacks and insider threats, they are realizing that traditional, one-size-fits-all security training is no longer sufficient to meet their needs.

Adaptive security training represents a strategic shift toward a data-centric, personalized approach to risk management, where real-time behavioral data tailors learning experiences to individual users, roles and risk profiles, enabling targeted training interventions that change behaviors and enhance cybersecurity. Instead of bombarding everyone with the same material, adaptive security training assesses each user's risk level, learning style and previous behavior to develop a customized training course.

AI And Behavioral Analytics

AI and behavioral analytics fuel next-generation personalized risk management. The technology is well-suited to sifting through enormous amounts of data, including clickstreams, login activity and email interactions. AI can help organizations detect anomalies in user activity (e.g., late-night logins or access to confidential documents) and forecast future risk by learning from past events and behavioral patterns. It can also launch automated interventions, such as initiating a micro-training session or flagging a user for review.

Behavioral science makes these interventions human-oriented. Concepts like nudging, gamification and habit formation guide both how training is administered and how users react to it.

Measuring The Effectiveness Of Adaptive Training

Adaptive security training extends beyond simply verifying that a participant has completed a module. It is also about understanding how well the training changed behavior and reduced organizational risk. The training participation rate is an essential metric for assessing the effectiveness and relevance of training initiatives. Organizations measure it by the frequency at which employees interact with the training content, completion rates and time spent on modules. Human risk scores help organizations judge how effectively their training programs reduce risk; a drop in the risk score can confirm that the program is working. Follow-up quizzes and simulations can assess employees' knowledge retention and identify any change in their long-term behavior. Real-time behavioral analytics are the most effective tool for revealing whether employees are applying their learning in the real world. For example, are they reporting phishing attempts more often or avoiding risky clicks? Some companies use post-training surveys to measure how relevant and engaging workers found the training material. This feedback cycle is critical for improving subsequent training. Other outcomes, such as fewer security breaches, less downtime and better compliance, directly connect training success to organizational objectives.

Adaptive Training Influencing Employee Behavior

An adaptive, personalized approach to risk management not only instructs employees on what to do; it also motivates them to act and prepares them to do it effectively. Here's how:

  • It tracks employee reactions to specific threats, such as fraudulent emails masquerading as well-known companies, and immediately modifies training to counteract risky actions. This timely feedback reinforces appropriate behaviors and lowers the likelihood of recurrence.
  • When training resources are tailored to an employee's role, risk exposure and preferred learning style, the resources are viewed as more relevant. This personalized approach enhances engagement and minimizes "training fatigue," making it more likely that employees will remember and apply their training.
  • The use of behavioral science techniques like gamification encourages secure behaviors over time and enables knowledge to become second nature.

Over time, adaptive training creates a security culture of awareness. Staff begin to realize that cybersecurity is everyone's responsibility, not some ad hoc job, and it ceases to be an afterthought in their daily routine.

Potential Roadblocks And Considerations

Adaptive training transforms workers from potential liabilities into valuable assets. However, implementing it is not without challenges. Adaptive platforms often require synchronization with HR software, learning management systems (LMS), email clients and security software, and seamless integration between these systems can be technically challenging. Gathering behavioral data to customize a training program may also raise privacy concerns, in terms of both surveillance and data misuse. Although adaptive training provides rich data, converting that data into unambiguous business value, such as confirming a drop in security incidents or improved compliance, is difficult without an appropriate analytics framework. Employees accustomed to traditional training may resist new approaches, demanding strong change management and visible leadership support.

The emergence of adaptive security training marks a cultural shift in cybersecurity methods, transitioning from reactive to proactive, from general to tactical and from compliance-based approaches to behavior-based ones.
Personalized risk management enables organizations to develop targeted interventions that aggressively address vulnerabilities, adapt to evolving threats and reduce human error, empowering employees to become active defenders of the organization.

I'm human. Are you? The quest for our online identity

Business Times

05-07-2025

  • Business Times


It's every manager's worst nightmare: Hiring a remote employee who turns out to be a North Korean hacker intent on loading malware on to your network. But that's what happened to the US cyber security company KnowBe4 last year, as the company's founder, Stu Sjouwerman, described in a candid blog post.

KnowBe4 had posted a job ad for an AI software engineer, interviewed candidates by video, conducted background checks, verified references and made an offer. But soon after the company sent a Mac workstation to the remote employee's notional address, he went rogue. The company quickly discovered he was a fake North Korean IT worker, who had used a valid, but stolen, US-based identity to land the job. He then accessed the workstation remotely from Asia via an 'IT mule laptop farm'. Thankfully, no data was compromised but the company said it was a 'learning moment'. 'If it can happen to us, it can happen to almost anyone. Don't let it happen to you,' Sjouwerman wrote.

This scary incident highlights the difficulties of authenticating someone's identity online – even by specialist security experts. But that challenge is about to become immeasurably harder as we outsource more responsibilities to AI chatbots and agents, getting them to perform many administrative functions online, and we generate lifelike video avatars.

Up to now, the internet has mostly involved machines communicating with machines and humans interacting with humans. But increasingly those lines are blurring. We're close to the point where chatbots and avatars are all but indistinguishable from humans online. How can you be sure that you're not interacting with a synthetic human?

As is the way with Silicon Valley, some tech executives have come up with a proposed solution to the problem they have created, profiting from both sides of the transaction. Prominent among them is Sam Altman, who triggered the generative AI investment frenzy after his company OpenAI released ChatGPT in 2022.

Altman has also co-founded Tools for Humanity, which has developed an iris-verification device, a white globe about the size of a football, called the Orb. 'We needed some way for identifying, authenticating humans in the age of AGI,' he told an event in San Francisco this year. 'We wanted a way to make sure that humans stayed special and central.' Once a user's eye is scanned, the company sends them a World ID, a global digital passport, and US$42 in Worldcoin cryptocurrency as a reward for joining the network. As of April, some 13.5 million people in 23 countries had used the Orb to generate a World ID. The service was launched in the UK last month.

The Orb is undoubtedly trying to address a real user need. But, quite apart from the scary Black Mirror vibes, it is questionable how effective the iris-scanning service will be. The need for a special machine to identify and authenticate any user (there are currently more than 1,500 Orbs in operation) makes the system clunky and expensive. The insistence on one centralised digital identity deprives a user of the freedom to have multiple, disconnected identities, raising privacy concerns. The World ID passport also risks becoming a walled garden that may not interoperate with other ID networks, such as the EU Digital Identity Wallet, which will become operational across the bloc by 2026.

Nevertheless, some security experts suggest that we are rapidly entering a world where our default assumption must be that all online counterparties are synthetic unless they can prove otherwise. That creates a need to demonstrate genuine presence online, or 'liveness', as Andrew Bud, founder of the biometric authentication company iProov, calls it.

iProov's premium service has been used more than 100 million times by customers, including governments and financial services companies, through a smartphone-based facial recognition system. This shoots multicoloured lights at a user's face and analyses the reflections, verifying their identity in about 2.5 seconds. 'Digital identity is a set of facts. But trust does not reside in facts. It resides in people,' Bud tells me. That means linking those facts to a human being who controls those facts. 'And for that you're going to have to use biometrics.'

The identification and authentication of users is one of the hardest challenges we face on the internet because technology is evolving so fast, but it is critical that we meet it. The likely next threat? Masses of synthetic hackers.

FINANCIAL TIMES

I'm human. Are you? The battle for our online identity

Straits Times

04-07-2025

  • Business
  • Straits Times


The increasing ubiquity of AI makes it harder to authenticate who someone is in the digital realm. The identification and authentication of users is one of the hardest challenges we face on the internet because technology is evolving so fast, but it is critical that we meet it.

It's every manager's worst nightmare: hiring a remote employee who turns out to be a North Korean hacker intent on loading malware on to your network. But that's what happened to the US cyber security company KnowBe4 in 2024, as the company's founder Stu Sjouwerman described in a candid blog post.

KnowBe4 had posted a job ad for an AI software engineer, interviewed candidates by video, conducted background checks, verified references and made an offer. But soon after the company sent a Mac workstation to the remote employee's notional address, he went rogue. The company quickly discovered he was a fake North Korean IT worker, who had used a valid, but stolen, US-based identity to land the job. He then accessed the workstation remotely from Asia via an 'IT mule laptop farm'.

Security training cuts phishing risk by 86% globally in a year

Techday NZ

13-05-2025

  • Business
  • Techday NZ


A newly published report indicates that security awareness training reduces global phishing click rates by 86%. The "Phishing by Industry Benchmarking Report 2025" compiled by KnowBe4 analysed 67.7 million phishing simulations involving 14.5 million users across 62,400 organisations worldwide.

The report found an average global baseline Phish-prone Percentage (PPP) of 33.1%. This metric refers to the proportion of employees interacting with phishing simulations before undergoing structured security awareness training (SAT). According to the report, SAT significantly reduces susceptibility to phishing. The findings show that the global PPP drops by 40% after three months of education and by 86% following a full year of continued training.

The study highlights that ongoing and effective SAT not only decreases risk but also establishes a stronger security culture within organisations. Measurable improvements become evident as quickly as three months after training begins.

Stu Sjouwerman, Chief Executive Officer of KnowBe4, stated, "The data speaks for itself — security awareness training truly makes a difference. From 2024 to 2025, the general trend has remained fairly consistent — around one-third of employees click on a simulated phishing link before taking part in training."

"However, the data shows a slight improvement in 2025. Within a year, we've seen a 3.5% decrease in the global baseline PPP, highlighting a positive shift in overall security awareness worldwide. However, there is still significant progress to be made in fully addressing phishing risks. By consistently prioritising relevant and engaging training, combined with simulated phishing, organisations can strengthen their human risk management strategies and better protect against phishing to improve overall security culture," he added.

The report examined risk differences by sector and organisation size. Healthcare and pharmaceuticals, Insurance, and Retail and wholesale emerged as the most at-risk industries, with baseline PPPs of 41.9%, 39.2%, and 36.5%, respectively. This indicates that employees in these sectors were most likely to engage with potential phishing threats prior to training.

Larger organisations faced a greater initial risk. Those with over 10,000 employees had an average baseline PPP of 40.5%. Organisations with between 1 and 250 staff had a lower average baseline of 24.6%. The data indicates that the scale of an organisation can correspond with a heightened vulnerability to phishing before remedial action is taken. Among organisations with 1,000 to 9,999 employees, the Healthcare & Pharmaceuticals, Hospitality, and Legal sectors all achieved an improvement of 91% in PPP scores after 12 months of ongoing SAT, demonstrating the potential for marked risk reduction within a year of continuous education.

Regional variation was also apparent in the findings. The highest baseline PPPs were found in South America at 39.1%, North America at 37.1%, and Australia and New Zealand at 36.8%. These figures indicate regional disparities in initial vulnerability to phishing before introducing training regimes.

The report provides quantifiable evidence that sustained investment in SAT, including simulated phishing campaigns, can result in enduring changes to employee behaviour. The decline from a global baseline PPP of 33.1% to just 4.1% after 12 months underscores the tangible benefits of a measured and continued approach to cybersecurity education.

KnowBe4 Report Reveals Security Training Reduces Global Phishing Click Rates by 86%

Yahoo

13-05-2025

  • Business
  • Yahoo


KnowBe4's 2025 Phishing by Industry Benchmarking Report shows a drop in the global Phish-prone™ Percentage (PPP) to 4.1% after 12 months of security training

TAMPA BAY, Fla., May 13, 2025--(BUSINESS WIRE)--KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management, today launched its "Phishing by Industry Benchmarking Report 2025" which measures an organization's Phish-prone™ Percentage (PPP) — the percentage of employees likely to fall for social engineering or phishing attacks, indicating the organization's overall susceptibility to phishing threats. This year's report found a global average baseline PPP of 33.1%, meaning a third of employees interact with phishing simulations before taking part in best-practice security awareness training (SAT).

The data underscores the significant impact of SAT in mitigating risk. The rapid decline in the global PPP following the implementation of training — falling by 40% in just three months and by a total of 86% after 12 months — demonstrates that ongoing, effective training leads to lasting behavior change and a substantial reduction in vulnerability to cybersecurity threats. This highlights the critical role of continuous education in building a stronger security culture within organizations, even in as little as three months.

KnowBe4 analyzed 67.7 million phishing simulations globally, across 14.5 million users from 62.4 thousand organizations. The baseline PPP (33.1%) reflects an organization's susceptibility to phishing before any KnowBe4 training. Employees then undergo KnowBe4's SAT, and the PPP is recalculated after 90 days and again after one year-plus of ongoing training to quantify the program's effectiveness.

Other Key Findings from the Phishing By Industry Benchmarking Report:

  • Globally, the top three most at-risk industries with the highest baseline PPP were Healthcare & Pharmaceuticals (41.9%), Insurance (39.2%), and Retail & Wholesale (36.5%).
  • Larger organizations faced a higher initial phishing risk, with those having 10,000+ employees showing a global baseline PPP of 40.5%, compared to 24.6% for organizations with 1-250 employees.
  • In organizations of 1,000-9,999 employees, three sectors all achieved PPP improvement rates of 91% after 12 months of ongoing training: Healthcare & Pharmaceuticals, Hospitality and Legal.
  • Across the different regions, the highest baseline PPPs were found in South America (39.1%), North America (37.1%), and Australia and New Zealand (36.8%).

"The data speaks for itself — security awareness training truly makes a difference," said Stu Sjouwerman, CEO of KnowBe4. "From 2024 to 2025, the general trend has remained fairly consistent — around one-third of employees click on a simulated phishing link before taking part in training. However, the data shows a slight improvement in 2025. Within a year, we've seen a 3.5% decrease in the global baseline PPP, highlighting a positive shift in overall security awareness worldwide. However, there is still significant progress to be made in fully addressing phishing risks. By consistently prioritizing relevant and engaging training, combined with simulated phishing, organizations can strengthen their human risk management strategies and better protect against phishing to improve overall security culture."

To download a copy of the Phishing by Industry Benchmarking Report 2025, visit here.

About KnowBe4

KnowBe4 empowers workforces to make smarter security decisions every day. Trusted by over 70,000 organizations worldwide, KnowBe4 helps to strengthen security culture and manage human risk. KnowBe4 offers a comprehensive AI-driven 'best-of-suite' platform for Human Risk Management, creating an adaptive defense layer that fortifies user behavior against the latest cybersecurity threats. The HRM+ platform includes modules for awareness & compliance training, cloud email security, real-time coaching, crowdsourced anti-phishing, AI Defense Agents, and more. As the only global security platform of its kind, KnowBe4 utilizes personalized and relevant cybersecurity protection content, tools and techniques to mobilize workforces to transform from the largest attack surface to an organization's biggest asset.
