Praxis Security Labs has announced Praxis Navigator as a unified Human Risk Management solution. It calls it a “unified, human cybersecurity data platform for measuring and optimizing organizations’ cyber resilience using behavioral data.”
Praxis sees Navigator as key to helping organisations move from security awareness training to Human Risk Management (HRM). It will allow them to measure an organisation’s security culture and provide visibility of how it is improving.
Kai Roer, founder and CEO of Praxis Security Labs, said: “68% of modern cyber incidents can be traced to what is referred to, misleadingly and unfairly, as ‘human error’. The truth is that social engineering attacks – and, increasingly, AI-augmented social engineering attacks – have introduced a new world of security challenges.
“Security Awareness Training no longer cuts it, making the new approach of Human Risk Management essential. Our aim is to help organizations improve security behaviors through technology, policies and education, automatically.”
What is Praxis Navigator?
Navigator is a new Software-as-a-Service (SaaS) solution that Praxis has developed from scratch. While it is the first release of this product, it has been under test with several customers. The company has also released a roadmap showing what it intends to deliver over time.
The solution consists of three pieces of functionality: an analytics engine, a visualisation engine and a recommendations engine. To get data into the product, an API is used to extract data from multiple data stores that the customer uses. Praxis lists these as MS Defender, Office 365, incident reports, phishing and spam. The roadmap does not list additional products from which Praxis intends to extract data.
Once the data is extracted, it is used to:
- analyse an organisation’s unique human behavioural data
- identify connections, behaviours and potential security risks specific to that organization
- interpret the results based on cutting-edge research and best practices, to deliver recommendations and mitigation plans specific to the organisation and context
- provide valid, useful metrics to track security interventions
The way Navigator presents the analysis of the behavioural data and its presentation to the IT team is interesting. It breaks the analysis into multiple streams, including behaviour, human factors and policy. It then shows where it has identified something and places that on a timeline for all the streams. That provides an opportunity to detect cause and effect.
More importantly, that analysis also allows for the addition of external factors such as user security training. Mapping that to the timeline of events shows what changes as a result of those events and allows organisations to see what is effective and what isn’t.
Providing an ROI
One of the biggest challenges of cybersecurity awareness training is proving that the money spent has delivered any deliverable benefit. It is something that Roer has talked about several times in blogs and other articles. According to the Praxis website, Navigator sets out to provide such an ROI.
On its website, Praxis states, “Praxis Navigator calculates the financial benefits and ROI of following the recommended courses of action, helping the business side of organizations to understand the impact of risk, security and resilience.”
Just what that ROI involves is unclear. Does it capture the cost of any training? What is the cost of staff taking the training? Does it then apply that to the potential reduction in risk? How does it calculate that risk, and how has the training reduced it? Also missing is how it calculates the cost of any breach which may have occurred. For example, how would it calculate what the breach and its impact might have been?
Without all that information, it is hard to see how valid the ROI is. It will be interesting to see what data Praxis shares later on its ROI calculation.
Enterprise Times: What does this mean?
Moving away from what is generally pointless and unverifiable security training makes sense. Companies are investing a lot of time into training, but that doesn’t seem to reduce the number of attacks and mistakes. Compounding the problem is the amount of time spent phishing and testing their staff. In most organisations, all that does is demonise staff who make mistakes.
What Praxis is doing is changing that conversation. Organisations can still provide targeted training, but now they have a way to see what the impacts are. The analysis and visualisations that Praxis offers with Navigator will inform value judgements around user behaviour and risk.
The question is, how will organisations use that information? Will they take it and improve security? How many really want to move away from training, something they know, to Human Risk Management? That’s a question we will only know when Praxis reveals sales figures in the future.
