Rawpixel.com - stock.adobe.com
Inserting AI into cyber awareness
As industry looks to grasp the use of AI and automated features, how are security suppliers facing the challenge of adding these capabilities to their products and services? We talked to one provider to find out
The concept of security awareness training is traditionally one of static procedures, including online training and tests, phishing simulations, and physical elements such as posters and displays.
This is all practical for compliance, but does this concept move with the times? In a world where AI is king, how does awareness training fit with this technology trend? As an example, delegates at KnowBe4’s recent user conference in London heard how the company’s more AI-driven direction is taking shape.
Increase in agents
CEO Bryan Palma predicts that AI would lead to an increase in the number of people and agents saying that “AI makes us more productive”, and with the number of agents being deployed in cyber security increasing. This could result in fewer people being employed; however, the attitude at KnowBe4 is to train the workforce regardless of whether they are man or machine.
“We don’t care as, ultimately, we’re going to prepare your organisation and your workforce to be trained correctly and be an advantage for you in the market,” he says. “Now it is probably 100% humans we train and zero agents, tomorrow it may be 60 humans and 65 agents – we’re not going to care.”
That movement towards agents, and supporting them as much as employees, is particularly forward-looking as the adoption of AI-based options increases. Palma claims that this adoption of support for agents is “about security culture, and that is really the outcome that we’re trying to build”.
He says: “The reality is that agents will be part of your security culture, and bots will be part of your world. If we turn the clock forward a few years, you will have multiple bots that work for you, and you’re going to tell them to do things, and they will work independently, and instead of managing only people, you’re going to need to manage bots as well.”
This move is all about culture, and agents have to be part of that culture “just as humans would be”, he explains.
Workforce trust management
Palma states that the company’s direction is towards the concept of “workforce trust management”, an extension of the original security awareness training and the more commonly used term “human risk management”.
He explains that workforce trust management considers autonomous security, which governs and trains both humans and AI agents, as the workforce will be diverse: “You need to protect them all, as each can be a vulnerability.”
The obvious question is how AI and automated functions are changing both workforce trust management and KnowBe4’s core awareness and training mission? Sitting with Palma, Computer Weekly had the opportunity to ask him about this move towards automation and if there was enough of a grasp of the roll-out of automated tasks in the way that KnowBe4’s technology works.
Palma says the company was thinking about it and developing around it, and then when he joined the firm, he realised both the impact of this from other things that he has done and the need to accelerate development.
“I’ve put more focus on it; I’m putting more investment behind it. I want to accelerate what we’re doing, but we have six agents in the market – we were already doing this, and it becomes critical because it just allows our system to run better,” he says.
Is there more demand from customers for that kind of automation in a workforce trust management offering? He explains that one of its agents creates a phishing landing page to save time for the IT and cyber security teams to build new versions of the phishing tests continually.
Donna Huggett, information security education and awareness manager at Belron – the parent organisation of Autoglass and Safelite – tells Computer Weekly that she uses KnowBe4 for phishing simulations. The AI-enabled technology “actually helps us massively cut down quite a huge chunk of work”, as time was previously spent on developing templates and choosing the right one to use, the options in the AIDA technology do the work for you.
She also said this determines the level of phishing message to be sent to an employee, for those who need to be challenged more and who will receive slightly harder emails. “And that’s all automated now, so that’s a massive help,” she says.
Paul Maxwell, cyber security engineer at retailer Poundland, says he primarily uses KnowBe4 for phishing simulation, and used 115 templates, but found that some were no longer working. This required new templates to be built, and it “was adding 35 hours a month” to his workload as users became savvier, and he needed to create new emails.
“I spent a good couple of hours at night, just thinking ‘That’s a good one, that’s going to catch people out’. With that kind of stuff, you can’t just go half measure, you’ve really got to try and catch them out,” he says. “Because if you don’t catch them out, you don’t help them learn.”
He explains that the most effective options were those that appeared to come from HR, such as clicking to claim annual leave, and finance and IT issues, including updating to Windows 11. However, the staff engagement has seen an increase in reported phishing attacks. While Maxwell admits that each alert takes time to investigate, he acknowledges that the platform has been really helpful.
“This is exactly what I need: firstly to help me move security forward in the business, but also to be able to take a step back and look at other areas I need to focus on,” he adds.
Automated agents
In terms of automated agents, Computer Weekly asked Palma if the intention was to add machine learning to enable the examples above, and if it could get to the level where it could replace the practitioner’s need to do awareness training by determining the right campaign for employees?
Palma explains that people are overlooking this link and are moving directly to AI, while the human link is vital; there is machine learning involved. “Everybody wants to think GenAI, everybody wants to think next generation: we’ve had lots of machine learning and regular vanilla AI for a long time, and that’s still very meaningful and that still does a lot of the work, but conceptually it will absolutely look and say, ‘Hey, these are the mistakes you’re making’, or ‘These are the mistakes the system is making’ and how you solve that.”
Palma says that the development of agents has increased over the past year, and he sees a future where “our email, our training, our compliance is all going to be in one single platform”, which will allow KnowBe4 to add in components and capabilities as it moves forward.
Different-sized businesses
Palma also discussed whether small- and medium-sized enterprises (SMEs) are more adaptable to a changing technology concept, compared to a large organisation that has been retrospectively building in security since the 1990s.
“I think the bigger organisations have more people, they have more process, they tend to move slower,” he says. “The smaller organisations are going to be very efficient - among many of our SMEs, they don’t have a CISO, and they don’t have an information security department.
“Now, if they have three or four agents that can help them around workforce trust, they’re going to be really happy about that. So, I think adoption at that part of the market is going to be faster and quicker.”
This move to offer automated technologies is one where the company can move with the times, but the question is how adaptive are the practitioners to this new form of technology to do this straightforward task? Creating phishing templates is time-consuming, and creating new emails takes time and effort, and we have not really begun considering the energy required to filter through the phishing simulation results.
It is interesting to see this adoption of the newer ways of working, and perhaps the next step will be for practitioners to go all in on an agentic approach. Being able to offload a cumbersome task and see the results without hours of extra work would surely be worth the effort.
Read more about agentic AI
- Organisations are starting to look at where artificial intelligence fits into business workflows.
- Zoom CTO Xuedong Huang explains how AI Companion 3.0’s agentic AI capabilities can help turn conversations into completed actions using long-term memory and deep reasoning.
- The rise of agentic AI promises much for ERP, possibly even its supersession. But ERP isn’t dead – it’s evolving as it seeks to govern AI.
