Infosecurity

Combined Mitigation for Cyber and Physical Attacks: Lessons from a Security Veteran

In today’s interconnected world, the line between digital and physical threats has blurred. Security professionals now face a daunting challenge: how to defend against combined attacks that target both realms simultaneously, and how to build mitigation strategies that span both. At the (ISC)² Congress EMEA in Dublin, Barrie Millett, a seasoned expert with military and corporate resilience experience, shared invaluable insights on this pressing issue.

Why Combined Mitigation Matters for Modern Security

Millett, who has advised boards at E.ON and General Electric, now leads Cyber Rescue Alliance, focusing on critical national infrastructures. His core message is clear: organizations cannot treat cyber and physical security as separate entities. “You can’t be effective in silos,” he emphasized, stressing the need for a unified team approach.

This perspective is rooted in his physical security background. The same principles—constant testing, imaginative threat modeling, and cross-team collaboration—apply equally to cybersecurity. By adopting a combined mitigation framework, businesses can better anticipate and respond to hybrid attacks that exploit both digital vulnerabilities and physical weaknesses.

Learning from the Physical World to Strengthen Cyber Defense

Millett drew a direct parallel between natural disaster preparedness and cyber incident response. He cited Hurricane Sandy as a prime example of effective combined mitigation: teams worked together, moved people out of harm’s way, and tested their plans relentlessly. “Awful lessons will always be learned along the way,” he noted, “but the best possible chance for success is by working together.”

The Power of Testing and Imagination

One of Millett’s key recommendations is to “always think the unthinkable.” Security leaders must imagine how threats can morph and evolve. He warned that many CEOs are shocked to discover their networks have been compromised, often because they lack a clear understanding of what’s critical, what’s outsourced, and how to access vital information during a crisis.

To address this, Millett advocates for rigorous testing of all security plans. “Test, test, and test,” he insisted, noting that incomplete planning severely limits response capabilities and drives up costs. This approach ensures that combined mitigation strategies are not just theoretical but actionable under pressure.

The Convergence of State Actors, Criminals, and Terrorists

Perhaps Millett’s most alarming observation was the potential for threat actors to merge their methodologies. “My biggest concern is when the methodologies used by state actors and criminals morph into terrorist organizations,” he said. This convergence means that fiction is now reality—yet many organizations continue to ignore the signs.

He urged security teams to work closely with law enforcement, speak their language, and understand their command structures. By bridging the gap between private and public sectors, organizations can create a unified front against sophisticated adversaries. This collaborative spirit is essential for effective combined mitigation of cyber and physical attacks.

Building a Resilient Organization from the Ground Up

Millett emphasized that resilience is not a one-time project but an ongoing process. Leaders must engage their teams as individuals, understand their challenges, and empower them to contribute. “Our people are bright, and we don’t utilize their capabilities enough,” he remarked.

He also stressed the importance of connecting government and industry thinking, resources, and activities. “The physical and cyber worlds are connected—that’s a reality,” he concluded. “The price of failing to connect them is too great.” By embracing a holistic approach to security, organizations can not only survive but thrive in an increasingly volatile threat landscape.


Why Organizations Should Aim for a Risk-Adverse Culture, Not Just Compliance

For many organizations, security training boils down to a checkbox exercise: prove that every employee completed the mandatory awareness course. However, according to John Curran, principal consultant at FTR Solutions and co-founder of Intrinsic Aware, this approach misses the mark entirely. Instead, companies should focus on cultivating a risk-adverse culture — one where security is embedded in everyday behavior, not just a one-time lesson.

Curran argues that a risk-adverse culture goes beyond policies and procedures. It requires shifting away from a blame-oriented mindset, where employees fear reporting mistakes, toward an environment that encourages open dialogue about security incidents. “Unfortunately, many organizations have created a blame culture, and an environment where people don’t think of the information security function as good people to talk to when something bad happens,” Curran explained during a recent presentation.

The Pitfalls of a Blame Culture in Cybersecurity

When employees are afraid to speak up, the entire security posture suffers. A blame culture discourages incident reporting, leaving vulnerabilities unaddressed. Statistics show that nearly half of all security breaches stem from human error — including phishing attacks and lost USB drives. Yet, despite this reality, organizations invest only 3-5% of their security budgets in awareness and training. This underinvestment, Curran says, is a critical oversight.

Building on this, he emphasizes that having policies in place is not the same as engaging staff. “All too often, organizations make the mistake of thinking that simply having policies and procedures in place for user awareness is sufficient. This is not the same thing as engaging your staff and ensuring they understand the company’s security needs.”

How to Foster a Risk-Adverse Culture Through Training

Creating a risk-adverse culture requires more than just annual training sessions. Curran outlines several goals for effective security awareness programs:

  • Employees should clearly understand what is expected of them.
  • They must learn appropriate skills and behaviors for different situations.
  • Ultimately, staff should feel willing and able to discuss or report suspected incidents. “Having a culture in which people are open to the discussion of risk and that they feel safe and able to report incidents is core,” Curran notes.

To achieve these goals, organizations need to move beyond passive learning. Curran advises using interactive methods such as testing, immediate feedback, and personalized learning pathways. For example, creating security learning pathways tailored to different roles can help employees retain information better. Additionally, providing rationale at the end of training modules reinforces why security matters.

Practical Tips for Engaging Security Training

Curran offers several actionable strategies for designing awareness courses that stick:

  • Be careful with branding when creating training materials — keep them professional yet relatable.
  • Create security learning pathways that guide employees through progressive topics.
  • Offer immediate feedback during the test process to reinforce correct answers.
  • Provide rationale at the end of each module to explain the “why” behind security rules.
  • Trace performance, progress, and levels of engagement to identify areas for improvement.

He also references the Chimp Paradox Theory to explain why changing behavior is difficult. “Our goal in the awareness process is to keep the monkey quiet while we are talking to the human and push as much of that into the computer as possible,” Curran said. In other words, training should aim to automate good security habits so they become second nature.

The Role of Incident Reporting in a Risk-Adverse Culture

One of the most critical components of a risk-adverse culture is encouraging incident reporting. When employees feel safe admitting mistakes, organizations can respond faster and prevent larger breaches. Curran stresses that a blame-free environment is essential for stakeholder engagement. “People shouldn’t be afraid of reporting incidents,” he says. “It’s not conducive to stakeholder engagement.”

To build this trust, companies should celebrate reporting rather than punishing errors.

Conclusion: Moving Beyond Compliance

In summary, organizations must shift their focus from mere compliance to cultivating a risk-adverse culture. This means investing in ongoing, engaging training that empowers employees to act as the first line of defense. By addressing the root causes of human error and fostering open communication, companies can significantly reduce their risk exposure. As Curran aptly puts it, “Having a culture in which people are open to the discussion of risk and that they feel safe and able to report incidents is core.”


How Bad Bots Could Use the Yahoo Breach to Bite Back

Do you still use a Yahoo email account? Were you among the 500 million users affected by the massive breach disclosed in September 2016? Even if you think you’re safe, the threat from bots exploiting the Yahoo breach is real and growing. Cyber-criminals are not just after your emails—they want to exploit your credentials across multiple platforms.

Many people with old Yahoo accounts they rarely check assume the risk is minimal. But is that complacency justified? To understand the danger, you must grasp the cyber-crime opportunity that 500 million compromised accounts represent. This is not just a data leak; it’s a goldmine for automated attacks.

What Was Stolen in the Yahoo Breach?

Yahoo confirmed that the hack, which occurred in late 2014, exposed email addresses, hashed passwords, and other personal data. Hashing, especially using bcrypt, is a strong security measure—it stores a one-way transformation of each password rather than the password itself, so criminals cannot read passwords directly and must guess each one. So, are users safe? Not exactly.

For a cyber-criminal, the sheer volume is the prize. Imagine that just 0.1% of those 500 million users chose one of the 50 most common passwords. By testing each, attackers could compromise 500,000 accounts. Yahoo allowed Quocirca 20 login attempts without questions, making brute-force testing easy for bots.

These stolen credentials can be tested against any online service that accepts an email address as a username. An e-ticketing site, for example, might be far more valuable than a Yahoo email account alone. This is where credential stuffing comes into play.

Credential Stuffing: The Bot-Driven Attack

The OWASP handbook lists 20 automated threats, including credential cracking and credential stuffing. Credential stuffing uses bad bots to take verified username-password pairs from one breach and try them on other sites. If 1% of the 500,000 compromisable Yahoo accounts have reused passwords, that yields 5,000 pairs that could unlock bank accounts, social media, or corporate systems.

Think about it: 5,000 accounts is just 0.001% of the total stolen. If someone told you that 0.001% of people are careless about security, you’d likely think that’s an underestimate. Bots make it trivial to automate this process across thousands of sites.

This is a real issue with breaches like Yahoo, Ashley Madison, and TalkTalk. A criminal may not care about your infidelity on Ashley Madison, but they will care if you use the same password for your bank account. The account takeover risk is immense.
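To show what the bot-driven pattern described above looks like from the defender’s side, here is an added Python example (not code from the article, Quocirca, or any vendor it names) that parses a constructed login log and flags two signatures: one source address trying many distinct usernames with a high failure rate (credential stuffing), and many failures against a single account (credential cracking, using the 20-attempt figure from the Yahoo observation as the default limit). The log format, thresholds, and sample entries are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format (not Yahoo's or any vendor's):
# <ISO-8601 UTC timestamp> ip=<client> user=<email> result=ok|fail
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Construct a small login log with three kinds of traffic."""
    t0 = datetime(2016, 10, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # 1) Credential stuffing: one bot address replays 8 breached usernames,
    #    3 guesses each, and gets one hit (a reused password).
    for i in range(8):
        for j in range(3):
            result = "ok" if (i == 5 and j == 2) else "fail"
            ts = t0 + timedelta(seconds=i * 3 + j)
            lines.append(f"{ts.strftime(TS_FMT)} ip=203.0.113.7 "
                         f"user=victim{i}@example.net result={result}")
    # 2) Credential cracking: 25 guesses against one account from one address.
    for k in range(25):
        ts = t0 + timedelta(minutes=2, seconds=k * 5)
        lines.append(f"{ts.strftime(TS_FMT)} ip=198.51.100.9 "
                     f"user=ceo@example.net result=fail")
    # 3) Ordinary users: a few logins, one typo, from distinct addresses.
    for n, result in enumerate(["ok", "fail", "ok", "ok"]):
        ts = t0 + timedelta(minutes=1, seconds=n * 10)
        lines.append(f"{ts.strftime(TS_FMT)} ip=192.0.2.{n + 10} "
                     f"user=staff{n}@example.net result={result}")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
            events.append({"ts": ts, "ip": m["ip"], "user": m["user"],
                           "ok": m["result"] == "ok"})
    return events


def detect_automated_logins(events, window=timedelta(minutes=10),
                            min_distinct_users=5, min_fail_ratio=0.8,
                            per_account_fail_limit=20):
    """Return findings per fixed time window: stuffing (many distinct users
    from one source, mostly failing) and cracking (many failures on one
    account). Thresholds are constructed defaults."""
    by_ip = defaultdict(list)
    fails_by_user = defaultdict(int)
    for e in events:
        bucket = int(e["ts"].timestamp() // window.total_seconds())
        by_ip[(e["ip"], bucket)].append(e)
        if not e["ok"]:
            fails_by_user[(e["user"], bucket)] += 1

    findings = []
    for (ip, _bucket), evs in sorted(by_ip.items()):
        users = {e["user"] for e in evs}
        fails = sum(1 for e in evs if not e["ok"])
        if len(users) >= min_distinct_users and fails / len(evs) >= min_fail_ratio:
            findings.append({"type": "credential_stuffing", "ip": ip,
                             "distinct_users": len(users),
                             "attempts": len(evs),
                             "successes": len(evs) - fails})
    for (user, _bucket), fails in sorted(fails_by_user.items()):
        if fails >= per_account_fail_limit:
            findings.append({"type": "credential_cracking", "user": user,
                             "failures": fails})
    return findings


if __name__ == "__main__":
    for finding in detect_automated_logins(parse_log(build_sample_log())):
        print(finding)
```

The point worth noticing is that stuffing produces only three attempts per account, so a per-account lockout (the only control implied by the 20-attempt observation) never fires against it; the per-source view is what catches the bot, and the single successful login buried among the failures is the account takeover to investigate.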

How to Protect Against Bad Bots

For end-users, protection is straightforward. Use unique passwords for every service, and enable strong authentication where available—Yahoo offers this option. For businesses, the threat is not just fraud but the performance degradation caused by bot traffic. Research by The Aberdeen Group shows that 46% of all online activity is from bots. Some, like Google’s web crawlers, are beneficial, but many are malicious.

Fortunately, there are ways to mitigate automated threats. Vendors like Distil Networks, Akamai, Imperva’s Incapsula, and Shape Security offer technology to differentiate bots from humans and enforce policies on what bots can do. These tools are essential for any organization facing bot-driven credential stuffing fed by breaches like Yahoo’s.

Building on this, Quocirca has published an e-book sponsored by Distil Networks that delves deeper into account takeovers and mitigation strategies.

In conclusion, the Yahoo breach is not a relic of the past—it’s a live threat exploited by bad bots every day. Don’t wait until your credentials are stuffed into another site. Take action now to protect your digital identity.

How Nok Nok Labs’ New Risk Engine Strengthens FIDO Authentication for Mobile Users

As mobile devices become the primary gateway to online services, ensuring secure user authentication has never been more critical. Nok Nok Labs, a key player in the FIDO ecosystem, has introduced a risk engine designed to bolster the FIDO authentication framework. This move addresses the growing threat of mobile fraud, a challenge that intensifies as smartphones double as both access points and second-factor authentication tools. By integrating risk-based analysis, the company aims to make FIDO authentication not just convenient but also adaptive to evolving security threats.

What Is the FIDO Authentication Risk Engine?

The FIDO (Fast IDentity Online) standard, backed by the FIDO Alliance, provides a robust method for verifying users to web service providers. Nok Nok Labs’ authentication server already enables FIDO-compliant applications, but the new risk engine adds a layer of intelligence. It evaluates multiple risk signals before granting access, ensuring that authentication decisions are context-aware. This approach is particularly vital for mobile environments, where device sharing, location spoofing, and tampering are common risks.

Building on the FIDO Alliance’s momentum—now with over 250 supporters—Nok Nok Labs’ risk engine calculates a risk score based on real-time data. This score determines whether to proceed with authentication or flag suspicious activity. For example, if a user’s device suddenly appears in a distant location within minutes, the engine can block access, preventing credential theft.

Key Risk Signals in the Engine

The risk engine analyzes several factors to assess authentication requests. These signals work together to create a comprehensive security profile for each transaction.

Geolocation and Travel Speed

One critical check is geolocation: is the device in an expected area? Coupled with a travel speed analysis, the engine verifies that the current request aligns with the user’s last known location. This helps detect device spoofing by attackers operating from remote regions.

Device Sharing and Multiple Device Checks

Another signal examines whether a device is shared among users. If a device is registered as non-shared, only one user should access it. Similarly, the engine monitors the number of devices used for a given service; a sudden spike may indicate unauthorized access.

Furthermore, the engine includes friendly fraud prevention, which requires a user-specific biometric—like a fingerprint or facial scan—to activate a shared device. This ensures that even if multiple people use the same phone, only the authorized user can authenticate.

Device Health Check

Device health is also assessed: is the device configured as expected, and are there signs of tampering? A compromised device, such as one with a jailbroken OS, can be flagged, adding another layer of security to the FIDO authentication risk engine.
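To make the four signals above concrete, here is an added Python illustration of how a risk engine could combine them into one authentication decision. It is not Nok Nok Labs’ code or API; the weights, thresholds, field names, and sample requests are constructed assumptions, and the travel-speed check uses a plain great-circle (haversine) distance.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed policy constants; a real deployment tunes these.
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # faster than this between logins = impossible travel
STEP_UP_THRESHOLD = 30             # ask for an additional factor
BLOCK_THRESHOLD = 70               # refuse the authentication


@dataclass
class AuthRequest:
    user: str
    device_id: str
    lat: float
    lon: float
    at: datetime
    os_integrity_ok: bool = True   # False = jailbreak/root or tamper indicators
    config_ok: bool = True         # False = device not configured as policy expects


@dataclass
class ServerState:
    """What the relying party remembers between requests (constructed)."""
    last_seen: dict = field(default_factory=dict)      # user -> (lat, lon, datetime)
    shared_devices: set = field(default_factory=set)   # device ids enrolled as shared
    device_owner: dict = field(default_factory=dict)   # non-shared device id -> user
    user_devices: dict = field(default_factory=dict)   # user -> set of device ids
    typical_device_count: int = 3


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def score_request(req, state):
    score, reasons, need_biometric = 0, [], False

    # Signal 1: geolocation and travel speed against the last known position.
    if req.user in state.last_seen:
        lat, lon, when = state.last_seen[req.user]
        hours = max((req.at - when).total_seconds() / 3600, 1 / 3600)
        speed = haversine_km(lat, lon, req.lat, req.lon) / hours
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            score += 70
            reasons.append(f"impossible_travel:{speed:.0f}km/h")

    # Signal 2: device sharing. A non-shared device used by someone other than
    # its enrolled owner is suspicious; a shared device is usable only with the
    # requesting user's own biometric (friendly-fraud prevention).
    if req.device_id in state.shared_devices:
        need_biometric = True
    else:
        owner = state.device_owner.get(req.device_id)
        if owner is not None and owner != req.user:
            score += 40
            reasons.append(f"non_shared_device_owned_by:{owner}")

    # Signal 3: device count per user. A new device that pushes the user past
    # the typical count may indicate unauthorized enrolment.
    known = state.user_devices.get(req.user, set())
    if req.device_id not in known and len(known) + 1 > state.typical_device_count:
        score += 20
        reasons.append(f"device_count_spike:{len(known) + 1}")

    # Signal 4: device health.
    if not req.os_integrity_ok:
        score += 40
        reasons.append("os_integrity_failed")
    if not req.config_ok:
        score += 15
        reasons.append("unexpected_configuration")

    decision = ("block" if score >= BLOCK_THRESHOLD
                else "step_up" if score >= STEP_UP_THRESHOLD else "allow")
    return {"decision": decision, "score": score, "reasons": reasons,
            "require_user_biometric": need_biometric}


def demo_decisions():
    """Run five constructed requests through the engine and return the results."""
    t0 = datetime(2016, 10, 1, 12, 0, tzinfo=timezone.utc)
    dublin, new_york = (53.35, -6.26), (40.71, -74.01)
    state = ServerState(
        last_seen={"alice": (*dublin, t0)},
        shared_devices={"kiosk-1"},
        device_owner={"phone-alice": "alice", "phone-bob": "bob"},
        user_devices={"alice": {"phone-alice"}, "bob": {"phone-bob"},
                      "dave": {"d1", "d2", "d3"}},
    )
    requests = [
        AuthRequest("alice", "phone-alice", *dublin, t0 + timedelta(hours=1)),
        AuthRequest("alice", "phone-alice", *new_york, t0 + timedelta(minutes=30)),
        AuthRequest("bob", "phone-alice", *dublin, t0 + timedelta(hours=2)),
        AuthRequest("carol", "kiosk-1", *dublin, t0 + timedelta(hours=2)),
        AuthRequest("dave", "phone-new", *dublin, t0 + timedelta(hours=3),
                    os_integrity_ok=False),
    ]
    return [score_request(r, state) for r in requests]


if __name__ == "__main__":
    for result in demo_decisions():
        print(result)
```

The second request (Dublin, then New York half an hour later) is the "distant location within minutes" case the article mentions and is blocked outright; the shared-kiosk request is allowed only with the requesting user’s own biometric; a borrowed non-shared phone or a jailbroken new device lands in the step-up band rather than being refused, which is the kind of graded response a risk score enables over a plain pass/fail check.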

Why Mobile Fraud Requires Stronger Authentication

Mobile fraud is on the rise as cybercriminals target smartphones for their dual role as both access tools and authentication factors. The risk engine addresses this by providing a seamless experience similar to single sign-on (SSO) for consumers. However, the real benefit of FIDO lies in its ease of deployment for web service providers. Pre-built solutions like the Nok Nok Authentication Server simplify implementation, and the risk engine makes authentication stronger than ever.

In August 2016, the European Banking Authority (EBA) released draft regulatory technical standards (RTS) on strong customer authentication. The FIDO Alliance lobbied the European Commission, advocating for flexibility in fraud scenarios and the use of mobile devices as authentication elements. The new risk engine aligns with these requirements, enabling payment service providers to adapt to evolving threats while mitigating risks from compromised devices.

Adoption Challenges and Market Outlook

Despite the technical advances, adoption remains a hurdle. Nok Nok Labs reports that business is strong, but pilot projects are taking longer than anticipated. The company is turning to system integrators to spread awareness and drive FIDO adoption. Web service providers often express a desire for better security, but translating that into action requires tools that are both effective and easy to deploy.

As the digital landscape evolves, solutions like the Nok Nok risk engine represent a critical step toward smarter, more secure user verification.
