Human Risk. PHOTO: Cybercrime Magazine.

CybSafe Taps Behavioral Analytics To Manage Human Risk

Counterterrorism experiences shaped Evolution Equity Partners-backed innovator

David Braue

Melbourne, Australia – Nov. 21, 2022

Oz Alashe knows all about the security mistakes that people make: for 17 years as a counterterrorism and national security expert with the UK Special Forces, he relied on those mistakes to find persons of interest all over the world.

“I got to spend quite a bit of time chasing people, trying to dissuade unpleasant people from being so unpleasant,” he told Cybercrime Magazine. “We just had to find them first, and to understand how they funded themselves.”

It was through his time in that role that Alashe came to appreciate the degree to which human error was compromising the security that the criminal underworld otherwise depended upon to stay hidden from authorities.

“We got a really good look and understanding of how people make mistakes with technology in order to enable us to find them,” he explained. “My introduction to cybersecurity was actually through the world of counterterrorism and national security.”

That introduction, as these things do, opened doors and set Alashe — who majored in economics before entering the elite Royal Military Academy Sandhurst and completing a Master of Arts in Defence Studies at King’s College London — on a collision course with an industry where the impact of human error is being felt on a daily basis.

In 2017 he started up CybSafe, a cyber security training firm that was founded to take a different approach than firms that focused on rote, repetitive training — a strategy that has been adopted by myriad firms in a global security awareness training market that is expected to be worth $10 billion annually by 2027.

“There are lots of players in this space, and we contend that people are trying to do the same thing, really,” Alashe explained.

“For too long as a community, we have tried to train or educate our way out of this challenge — the belief being that if you educate people, they will be better behaved when it comes to security, and that will reduce risk.”

Rather than trying to stand out from the crowd by doing the same thing better, Alashe built CybSafe on a different foundation shaped completely by behavioral data — specifically, a massive catalog of security behaviors and microlearning content, fronted by mobile and web apps that detect and proactively influence users’ security behaviors with personalized “nudges.”

“We’ve been focused on trying to tackle this issue of managing human risk from an intelligence and data and science-driven space,” he explained. “We’ve literally cataloged every single security behavior, and articulated its linkage to the risk outcomes that most security personnel are concerned about.”

Careful analytical work has demonstrated that the approach delivers better outcomes than just “bombarding people with information or hitting them up with phishing simulations,” Alashe said.

“Everything we do is built on a sound evidence research base, and the data that we produce is specifically designed to give an insight and a level of visibility into human risk that organizations can’t get right now.”

Mapping the Evolution of human risk

Alashe’s approach to behavior modification resonated with investors, with the firm completing a $7.9 million series A fundraising round in 2021 and, this July, a $28 million Series B led by Evolution Equity Partners.

Evolution “was well known to us because they have such a wonderful track record of working with great companies and interesting founders,” Alashe said, “and of having a number of successes in security.”

The investment firm’s interest in the platform emerged shortly after early customer successes — in telecommunications and other large firms — led Alashe to be introduced to Evolution’s partners.

“It became very clear that we were nicely aligned in our obsession over tackling this big issue of the human aspect of cybersecurity — and, in particular, moving beyond tick-box awareness training and phishing simulations, and actually fundamentally transforming the way society addresses human risk.”

That transformation is proving increasingly important as businesses try to address the human-generated root cause of ongoing compromises, such as phishing campaigns, that are leading to crippling ransomware attacks.

Global ransomware costs will pass $265 billion by 2031, Cybersecurity Ventures has predicted, with a ransomware attack expected every few seconds by then.

If such attacks can be prevented by nudging users away from potentially unsafe behaviors — for example, by checking privacy settings on their social media accounts or asking users to be careful about what they share online — Alashe said the entire organization’s risk profile can be improved.

“These things make it easier for malware and ransomware groups to plan and conduct their attacks,” he explained. “There are so many security behaviors associated with ransomware that most organizations aren’t even addressing, beyond telling people through training that they should take these things seriously.”

“You can tell people as much as you like, but we’re not seeing the changes in behavior — so we’re trying to focus on actually changing those specific behaviors.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.

About Evolution Equity

Evolution Equity Partners is an international venture capital investor partnering with exceptional entrepreneurs to develop market-leading cyber-security and enterprise software companies.

Based in New York City and Zurich, Switzerland, the firm is managed by investment and technology entrepreneurs who have built companies around the world and leverage their operating, technical and product development expertise to help entrepreneurs win.

Evolution has interest in companies utilizing big-data, machine learning, artificial intelligence, SaaS, mobile and the convergence of consumer and enterprise software to build leading information technology companies.