The Evolution of Risk Auditing for Cyber Behavior


  • 95% of corporate cyber-attacks involve human error.
  • A new audit tool has been developed to allow auditors to go deeper into the qualitative aspects of these risks.
  • The perception of risk auditing today has shifted from “did it occur?” to “did it work?”

It’s no secret. Businesses are becoming far more susceptible to cyber-attacks, and the problem is only getting worse. Last week, the FBI released a statement informing homeowners and small businesses that a new Russian malware program has infected over half a million wireless routers in 54 countries. To help defend against cyber-attacks like these, a company may undergo a risk audit to evaluate its cyber-security in the major areas of prevention, recovery, and business continuity. However, a crucial component of mitigating cyber-risk is often overlooked. People.

Before cyber-attacks became so prevalent, risk audits were relatively simple for businesses to complete. Employees were typically tested on internal control procedures until all questions were answered correctly. For an incorrect answer, an employee would likely be called back by the auditor to review the mistake. In some cases, they could even be asked to retake the entire assessment. That strategy is no longer sufficient.

The Charlton College of Business at UMass Dartmouth has developed a new audit tool that goes deeper into the areas of cyber awareness. After conducting a survey, Timothy Shea, Associate Professor of MIS at UMass Dartmouth and co-developer of the audit tool, stated he was “surprised to find that about 50% of the 1000 participants felt ill-prepared to handle a cyber-breach during the day-to-day operations of their business.” Through a straightforward questionnaire, this new method evaluates the various forms of risk that come with the combination of business activity and technology. The objective of the tool is to show auditors and executives what information employees retain, as well as the behavioral changes that result.

The audit tool will be licensed both independently and with multiple organizations as part of a learning package to improve employee cyber training.

It is an unpredictable world. According to an IBM study, nearly 95% of corporate cyber-attacks involve human error. Completing an assessment is not enough. Cyber-attacks occur daily. Employees should be expected to go further and demonstrate both their knowledge and their compliance with the controls that mitigate cyber-risk. Only true behavioral change will lead to effective internal control.

If a fire started in the office, anybody’s first thought would be to reach for the nearest extinguisher. That instinctive behavior is what managers must begin to instill in their employees regarding cyber awareness. It is time to stop focusing on whether a risk audit has been completed and start asking the essential question. Did it work?