The surge of conversation around zero trust has included one really interesting topic for me: risk scoring and adaptive authorization. Depending on a number of factors, your score changes. Depending on your score, you get access to different things or are monitored differently. From a pure technology perspective, this is exciting. It means there won’t be so many heavy-handed security measures in place.
The more interesting thing to me about this is the potential to truly change behavior and mindset around an individual’s interaction with technology and the risk that comes with that. To me, it’s an opportunity to achieve a level of ownership that years of sometimes horrible and sometimes okay security awareness training engagement have failed to accomplish.
Principles Behind Risk Scoring
Risk scoring will likely look different depending on the organization or the industry. However, the consistent themes I’ve observed, thus far, should help in facilitating the exploration in this article. There are also vendor tooling-specific implementations of zero trust risk scoring, including:
- Crowdstrike scoring a given device’s risk based on user activity, association with vulnerability or exploit activity, role of the user, whether or not it’s managed, and more.
- TrendMicro scoring attempts to look across a number of input sources including interaction with SaaS applications, endpoint activity, email activity, and more.
- Okta scoring scores a given user or authentication event based on data around geolocation, behavioral information from the user making the request, previous failed authentication activity, and more.
The vendor community will likely continue scoring in various ways that build upon or extend its respective solutions, intending to support broader zero trust initiatives within an organization. Depending on how an organization intended to implement and use risk scoring, it may be building decision logic on top of vendor scores or collecting, aggregating, and normalizing them, and then making their own scores to connect more of their environment together.
How Risk Scoring and User Behavior Change Are Connected
There are many examples backed by solid research that can be a powerful aid to reinforcing behavior change to support goals, particularly when people have access to data relating to behavior. To make an analogy outside of cybersecurity, think about devices like Fitbit or Apple Watch and how people may walk or exercise more when presented with their daily steps or their daily rings.
In an organizational context, dashboards are built and displayed so that people and teams can adapt to meet their goals. Goal-setting systems such as objectives and key results support this approach with frequent measurement and adaptation.
Circling back to zero trust scores and security awareness efforts — security teams strive to educate their user communities around behaviors in topics such as:
- What types of devices do they use for work: personal devices versus managed devices?
- Where do they work? Do they log on from a coffee shop, the office, a WeWork, or work from home?
- What data do they access? How do they use it? Where do they store it?
I have a hypothesis that making zero trust scores transparent and visible to users will drive ownership and accountability over their behavior and how it relates to security outcomes. This is similar to what happens when someone starts counting their calories and tracking their steps.
Final Thoughts
Users are not robots; they won’t all behave exactly the same way or do exactly the same thing. If a user knows what measures are going into a risk score, they can make decisions that support the score that works for them. When that risk score is connected to them getting their job done, when it’s connected to the amount of friction they may receive with respect to step-up authentication or deprecated permissions or access, then they can own decisions that best meet their needs and circumstances.
This is the empowerment of end users. This is ownership over the day-to-day things that influence security. This is enablement. This is also a part of the bigger zero trust journey.
Want more cybersecurity insights? Visit the Cybersecurity channel:
