Inserting AI into cyber awareness

As industry looks to grasp the use of AI and automated features, how are security suppliers facing the challenge of adding these capabilities to their products and services? We talked to one provider to find out

The concept of security awareness training is traditionally one of static procedures, including online training and tests, phishing simulations and physical elements such as posters and displays.

This is all practical for compliance, but does this concept move with the times? In a world where artificial intelligence (AI) is king, how does awareness training fit with this technology trend? Looking at these questions, delegates at a recent user conference organised by IT security awareness firm KnowBe4 heard how the company’s more AI-driven direction is taking shape.

Increase in agents

KnowBe4 CEO Bryan Palma believes AI will lead to an increase in both people and agents, stating that “AI makes us more productive”. This could mean more agents being deployed in cyber security and fewer people being employed; however, KnowBe4’s attitude is to train the workforce regardless of whether it is human or machine.

“We don’t care as, ultimately, we’re going to prepare your organisation and your workforce to be trained correctly and be an advantage for you in the market,” he says. “Now it is probably 100% humans we train and zero agents, tomorrow it may be 60 humans and 65 agents.”

That movement towards agents and giving them employee-level support is something that industry experts are beginning to discuss as the adoption of AI-based options increases. Palma claims that this adoption of support for agents is “about security culture, which is the outcome that we’re trying to build”.

“The reality is that agents will be part of your security culture, and bots will be part of your world,” he says. “If we turn the clock forward a few years, you will have multiple bots that work for you, and you’ll tell them to do things and they will work independently. Instead of managing only people, you’re going to need to manage bots as well.”

This move is all about culture, and agents have to be part of that culture “just as humans would be”, he adds.

Workforce trust management

Palma states that the company’s direction is towards the concept of “workforce trust management”, an extension of the original security awareness training and the more commonly used term “human risk management”.

According to Palma, workforce trust management considers autonomous security, which governs and trains both humans and AI agents, as the workforce will be diverse: “You need to protect them all, as each can be a vulnerability.”

The obvious question is how AI and automated functions are changing both workforce trust management and KnowBe4’s core awareness and training mission. Computer Weekly asked Palma about this move towards automation and whether there was enough of a grasp of the roll-out of automated tasks in the way that KnowBe4’s technology works.

Palma says the company was already thinking about automation and developing around it before he joined KnowBe4; his ambition has been to accelerate that development.

“I’ve put more focus on it and more investment behind it. I want to accelerate what we’re doing, but we have six agents in the market – we were already doing this, and it becomes critical because it allows our system to run better,” he says.

As an example of workforce trust management in action, Palma says that one of its agents created a phishing landing page, saving the IT and cyber security teams the time of continually building new versions of the phishing tests.

Donna Huggett, information security education and awareness manager at Belron – the parent organisation of Autoglass and Safelite – tells Computer Weekly that she uses KnowBe4 for phishing simulations. She states that the AI-enabled technology “helps us cut down a huge chunk of work”: time was previously spent on developing templates and choosing the right one to use, whereas now the options in KnowBe4’s Artificial Intelligence Defense Agents (AIDA) system do the work for you.

Huggett adds that this determines the level of phishing message to be sent to each employee – for instance, identifying those who need to be challenged more, who will then receive slightly harder emails. “And that’s all automated now, so that’s a massive help,” she says.

Paul Maxwell, cyber security engineer at retailer Poundland, says he primarily uses KnowBe4 for phishing simulation. Poundland used 115 templates but found that some were no longer working. This required new templates to be built, and it “was adding 35 hours a month” to his workload as users became savvier and he needed to create trickier emails.

“I spent a good couple of hours at night thinking, ‘That’s a good one, that’s going to catch people out.’ With that kind of stuff, you can’t just go half measure, you’ve really got to try and catch them out,” he says. “Because if you don’t catch them out, you don’t help them learn.”

He explains that the most effective options were those that appeared to come from HR, such as clicking to claim annual leave, and those about finance and IT issues, including updating to Windows 11. Staff engagement has also risen, with an increase in reported phishing attacks. While Maxwell admits that each alert takes time to investigate, he acknowledges that the platform has been helpful.

“This is exactly what I need to help me move security forward in the business, but also to take a step back and look at other areas I need to focus on,” he adds.

Automated agents

In terms of automated agents, Computer Weekly asked Palma if the intention was to add machine learning to enable the examples mentioned earlier, and if it could get to the level where it could replace the practitioner’s need to do awareness training by determining the right campaign for employees.

In Palma’s experience, some people overlook the benefit of conventional machine learning, preferring to turn fully to AI-based systems and generative AI (GenAI).

“Everybody wants to think GenAI, or next generation,” he says. “We’ve had lots of machine learning and regular vanilla AI for a long time, and that’s still very meaningful and does a lot of the work, but conceptually it will absolutely look and say, ‘Hey, these are the mistakes you’re making’, or ‘These are the mistakes the system is making’ and how you solve that.”

Palma says that the development of agents has increased over the past year, and he sees a future where “our email, our training, our compliance is all going to be in one single platform”, which will allow KnowBe4 to add in components and capabilities as it moves forward.

Different-sized businesses

Looking at the ability for small and medium-sized enterprises (SMEs) to adopt these technologies, in an effort to improve their cyber security faster than large enterprises grounded in corporate IT security best practices since the late 1990s, Palma says: “The bigger organisations have more people, more processes, so they tend to move slower. The smaller organisations are going to be very efficient – many of our SMEs don’t have a CISO, and they don’t have an information security department.

“Now, if they have three or four agents that can help them around workforce trust, they’re going to be happy about that. So, adoption at that part of the market is going to be faster and quicker.”

This move to offer automated technologies lets the company move with the times, but the question is how readily practitioners will adapt to this new form of technology for what is, in principle, a straightforward task. Creating phishing templates is time-consuming, and writing the emails takes effort – and that is before considering the energy required to filter through the phishing simulation results.

It is interesting to see this adoption of the newer ways of working, and perhaps the next step will be for practitioners to go all in on an agentic approach. Being able to offload a cumbersome task and see the results without hours of extra work would surely be worth the effort.