“Organizations should move from pure awareness to behavioral change. This can be achieved with positive communication and creating learning opportunities as well as providing constant reminders. Especially in stressful situations, the intervention of an AI assistant can not only achieve a learning effect but also provide positive feedback with tips and understandable instructions, which have an impact on work performance and also on the employee’s understanding.” 

Dr. Martin J. Krämer is a Security Awareness Advocate for KnowBe4 and has over ten years of experience in industry and research. He earned his doctorate from the University of Oxford with a thesis on privacy in the shared use of smart home devices. His research contributes to a better understanding of the human factors in cybersecurity. Martin believes that companies need to empower and encourage their employees to achieve resilience in cybersecurity. He regularly speaks and writes on the topics of Security Awareness and Privacy Behavior. 

Read on through our interview with Martin to gain a much better understanding of how businesses can leverage cybersecurity as a competitive advantage, how organizations can stay ahead of AI-powered cyber threats, and how AI is now playing a key role in the field of cybersecurity defence. 

How do you perceive the role of AI in the future of cybersecurity defense mechanisms?   

In the area of security awareness training, for example, generative AI can be used to select the best phishing templates or training content such as videos, comics, quizzes, or presentations for the desired case. AI-driven phishing is particularly suitable for employees who routinely fail phishing simulations. It is not only suitable for this group but also for those who have so far forwarded the least suspicious messages to the IT department. There is the danger of dormant phishing bait, which is overlooked and activated weeks later out of ignorance. KnowBe4 has introduced the Artificial Intelligence Driven Agent (AIDA) to provide users with a more personalized learning experience that adapts to their specific roles, current level of knowledge, phishing and training performance, and risk factors using AI-driven phishing and AI-recommended learning capabilities. 

How can organizations stay ahead of AI-powered cyber threats? 

Organizations can stay ahead of AI-powered cyber threats by training their employees on phishing emails and similar social engineering methods such as deepfakes or voice fakes, which are also created with generative AI. The KnowBe4 algorithm analyzes each employee’s unique data as well as attributes and compares them to the historical behavioral data of millions of KnowBe4 phishing test users. It then identifies and evaluates the phishing templates that match each employee’s skill level. The algorithm then selects a sophisticated phishing security test from the templates approved by the security awareness officer and adjusts the level of difficulty accordingly. Generative AI helps to create a completely customized learning experience. This can minimize the likelihood of an employee of an organization clicking on a phishing link. If phishing no longer works for cybercriminals, they either choose another victim or have to spend more money and time on another method. In any case, cyber resilience can be strengthened, and IT security experts can feel a sense of achievement. 

What strategies do you recommend for addressing the human element and insider threats effectively in cybersecurity? 

First of all, the human element must not be overlooked as it can be used to mitigate 70-90% of all security incidents. Generative AI can help personalize and optimize security awareness training. More effective training increases employee commitment to protecting the organization from external and internal threats. For example, the actions of insiders who bring their own unapproved IT into the workplace, especially USB sticks, but also other data carriers, can be recognized through training. Employees are then not only warned and therefore become more attentive, but they also know what to do in the event of misconduct by others. Identifying reporting channels and knowing reporting processes and procedures enables good decision-making and secure behavior. In all cases, however, it should be realized that the human element does not have to be the weakest point of an organization if appropriate training is carried out regularly and verifiably. 

How can organizations foster a culture of security awareness among their employees?

Organizations should move from pure awareness to behavioral change. This can be achieved with positive communication and creating learning opportunities as well as providing constant reminders. Especially in stressful situations, the intervention of an AI assistant can not only achieve a learning effect but also provide positive feedback with tips and understandable instructions, which have an impact on work performance and also on the employee’s understanding. Like coaching, employees learn how to deal with simulated cyber dangers while working. In the event of a real threat, they can rely on what they have learned and develop an instinct without overreacting. In addition, modern security awareness programmes should identify and train champions who can provide their colleagues with advice and support in case of doubt and relieve the burden on the IT security department.  

How can businesses leverage cybersecurity as a competitive advantage? 

First, a resilient organization will have fewer security incidents than one that isn’t. The competitive advantage can therefore be explained by the fact that claims are less frequent. Investing in cybersecurity also shows partners and customers the will to protect the business, for example from supply chain attacks. Another factor, of course, is compliance and auditing, which require a certain level of cybersecurity. However, companies should go beyond this and develop cybersecurity as a business priority. 

In addition, robust cybersecurity can also become a pull factor for employees, especially during security awareness training. Employees can train potential colleagues more quickly if they are not only aware of the dangerous situation, but have also changed their behaviour accordingly. The greater self-confidence in the face of cyber dangers and the desire to be able to protect one’s own company as well as oneself and one’s relatives from cyber risks in private life should not be underestimated. If these attributes can also be mentioned in job interviews, the employee’s important desire for job security will be fulfilled. It also underscores the company’s ability to innovate and its confident handling of AI technologies.