Welcome back. The DEEP framework was explored in the previous blog post and discussed in depth in our most recent human risk management (HRM) whitepaper, but a framework is only useful if we can apply it.
The problem is, we don’t have “users.” We have a complex collection of individuals, each with different motivations, pressures, and levels of security savvy. A one-size-fits-all approach is doomed to fail.
To build a truly effective strategy, you need to stop thinking about a monoculture and start thinking about personas. In our experience, most human risk falls into four key categories:
The Socially Engineered Victim: The well-meaning person who gets duped by a clever con because it played on their trust or sense of urgency. They didn’t mean to cause harm; they were tricked.
The Accidental Insider (Oops, My Bad!): The person who makes an honest mistake, like sending an email with sensitive data to the wrong “John,” misconfiguring a cloud setting, or using a weak password out of habit. There’s no malice, just a momentary lapse.
The Convenience-Driven Rule-Bender (Just Trying to Get My Job Done!): The person who knows the rules but finds them cumbersome. They might use an unsanctioned file-sharing service or a personal device because it’s faster, prioritizing efficiency over policy.
The Malicious Insider (The Wolf in Sheep’s Clothing): The rare but high-impact individual deliberately trying to cause harm, steal data, or disrupt operations.
A phishing simulation is great for the first persona, but it does nothing for the other three. This is where we need a map. Introducing the DEEP Matrix.
The Matrix is a simple grid that allows you to map your security controls—both technical and human—across the DEEP framework for each of these distinct personas. It’s a powerful diagnostic tool that forces you to think about your defenses in a more nuanced way.
| User risk | Defend (Stop it getting in) | Educate (Teach ’em right) | Empower (Help ’em choose well) | Protect (Limit the damage) |
|---|---|---|---|---|
| Socially Engineered Victims | 🟢 Email filtering/gateway; 🟢 Link protection services; 🟢 Attachment sandboxing; 🟢 AI-based anomaly detection; 🟢 Domain monitoring | 🟡 Phishing simulations; 🟡 Security awareness training; 🟢 Contextual security tips; 🟡 Social engineering tactics training; 🟡 Red flag workshops | 🟢 One-click phishing reporting; 🟢 Security champions programme; 🟢 Peer recognition; 🟢 Security decision support; 🟢 Clear escalation | 🟢 Automated incident response; 🟡 Just-in-time warnings; 🟢 Account compromise containment; 🟢 Post-click protection; 🟢 Credential monitoring |
| Accidental Insiders | 🟢 Data classification automation; 🟡 Guardrails for common errors; 🟢 Smart defaults; 🟢 Automated compliance checking; 🟡 Preventive controls | 🟡 Data handling training; 🟡 Security implications of actions; 🟡 Role-based education; 🟡 Mistake-focused case studies; 🟢 “Think before you click” | 🟢 Simplified security interfaces; 🟢 Plain language policies; 🟢 Self-service security tools; 🟢 Supportive (not punitive) culture; 🟢 Security champions | 🟡 Data Loss Prevention (DLP); 🟢 Automated data redaction; 🟢 Mistake recovery procedures; 🟡 Confirmation prompts; 🟢 Automated backups |
| Convenience-Driven Rule-Benders | 🟢 Secure paths made easy; 🟢 Frictionless authentication; 🟢 Secure-by-default configs; 🟢 Remove workaround incentives; 🟢 Streamlined security | 🟡 Risk awareness of shortcuts; 🟢 Explaining “the why” of policies; 🟡 Consequences of bypassing; 🟡 Secure alternatives training; 🟡 Compliance education | 🟢 Self-service secure file sharing; 🟡 Password managers; 🟢 Single Sign-On (SSO); 🟢 Secure collaboration tools; 🟢 Security friction feedback | 🟢 Shadow IT discovery; 🟡 Automated policy exceptions; 🟢 Secure alternatives to bypasses; 🟢 Policy violation monitoring; 🟢 Graceful degradation |
| Malicious Insiders | 🟡 Least privilege access; 🟡 Separation of duties; 🟡 Just-in-time access; 🟡 Privileged access management; 🟢 Enhanced background screening; 🟡 Advanced DLP | 🟡 Insider threat awareness; 🟡 Ethics training; 🟡 Legal consequences education; 🟡 Recognising concerning behaviours; 🟢 Whistleblower protection | 🟢 Anonymous reporting channels; 🟢 Positive security culture; 🟢 Clear acceptable use policies; 🟢 Employee assistance programmes; 🟡 Management training | 🟢 User behaviour analytics; 🟢 Data access monitoring; 🟢 Unusual activity alerts; 🟢 Offboarding security controls; 🟢 Forensic readiness |

The traffic-light markers in each cell rate the friction the control adds for the user (see The Friction Conundrum below).
By plotting your existing controls, you can instantly see where your gaps are. You might realise you have dozens of technical controls to Defend against social engineering but almost nothing to Empower the “Convenience-Driven Rule-Bender” with secure, easy-to-use alternatives. Or perhaps you have plenty of policies to Educate the “Accidental Insider,” but no automated Protect controls like Data Loss Prevention (DLP) to catch their mistakes in real-time.
But there’s one more crucial layer: The Friction Conundrum. Every security control adds friction. If a control is too annoying—like that ridiculously over-packaged toy on Christmas morning—people will find a way around it. The Navigator uses a simple traffic light system (🟢🟡🔴) to rate the friction of each control, helping you balance robust security with user productivity. The goal isn’t to eliminate friction, but to be intentional about where you apply it.
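The gap-finding and friction-spotting described above are easy to automate once your control inventory is tagged by persona, DEEP pillar and friction rating. The script below is an added illustration, not code from the original post or from the HRM whitepaper: the inventory it holds is constructed sample data, the persona and pillar names are taken from this post, and the three-level friction scale is an assumption that mirrors the traffic-light markers. It builds the matrix, lists the empty persona/pillar cells, and flags cells where every control is high-friction (the ones people are most likely to route around).

```python
from collections import defaultdict

# Persona and pillar names as used in this post.
PERSONAS = [
    "Socially Engineered Victim",
    "Accidental Insider",
    "Convenience-Driven Rule-Bender",
    "Malicious Insider",
]
PILLARS = ["Defend", "Educate", "Empower", "Protect"]

# Assumed three-level friction scale mapped onto the traffic-light markers.
FRICTION = {"low": "🟢", "medium": "🟡", "high": "🔴"}

# Constructed sample inventory (not from the post): (control, persona, pillar, friction).
INVENTORY = [
    ("Email gateway filtering", "Socially Engineered Victim", "Defend", "low"),
    ("Phishing simulations", "Socially Engineered Victim", "Educate", "medium"),
    ("One-click phishing reporting", "Socially Engineered Victim", "Empower", "low"),
    ("Account compromise containment", "Socially Engineered Victim", "Protect", "low"),
    ("Data handling training", "Accidental Insider", "Educate", "medium"),
    ("Plain language policies", "Accidental Insider", "Empower", "low"),
    ("Mandatory VPN for every file transfer", "Convenience-Driven Rule-Bender", "Defend", "high"),
    ("Shadow IT discovery", "Convenience-Driven Rule-Bender", "Protect", "low"),
    ("Least privilege access", "Malicious Insider", "Defend", "medium"),
    ("User behaviour analytics", "Malicious Insider", "Protect", "low"),
]


def build_matrix(inventory):
    """Group controls into persona x pillar cells, rejecting entries with unknown tags
    so a typo in the inventory shows up as an error rather than a phantom gap."""
    matrix = {p: {q: [] for q in PILLARS} for p in PERSONAS}
    for name, persona, pillar, friction in inventory:
        if persona not in matrix or pillar not in PILLARS or friction not in FRICTION:
            raise ValueError(f"unrecognised tag on control {name!r}")
        matrix[persona][pillar].append((name, friction))
    return matrix


def find_gaps(matrix):
    """Cells (persona, pillar) with no control at all, in matrix order."""
    return [(p, q) for p in PERSONAS for q in PILLARS if not matrix[p][q]]


def find_friction_hotspots(matrix):
    """Cells where every control present is high-friction: covered on paper,
    but likely to be bypassed in practice."""
    return [
        (p, q)
        for p in PERSONAS
        for q in PILLARS
        if matrix[p][q] and all(f == "high" for _, f in matrix[p][q])
    ]


def render(matrix):
    """Render the matrix as a pipe table in the same layout as the post."""
    lines = ["| User risk | " + " | ".join(PILLARS) + " |",
             "|---" * (len(PILLARS) + 1) + "|"]
    for p in PERSONAS:
        cells = []
        for q in PILLARS:
            controls = matrix[p][q]
            cells.append("; ".join(f"{FRICTION[f]} {n}" for n, f in controls) or "(gap)")
        lines.append(f"| {p} | " + " | ".join(cells) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(INVENTORY)
    print(render(m))
    print("Gaps:", find_gaps(m))
    print("Friction hot spots:", find_friction_hotspots(m))
```

Run against the sample inventory, the script reports six empty cells (for example, nothing to Educate or Empower the rule-bender) and one friction hot spot (the rule-bender's only Defend control is high-friction), which is exactly the pattern the paragraph above warns about.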
You now have a framework and a map. You can see your gaps and understand your people. The question is now, how do you power this whole strategy at scale?
In our next, and final, blog post in this series, we’ll look at the engine room—the intelligent technology required to bring your human risk management strategy to life.