网络安全文化的新时代——人工智能如何促进组织安全文化建设

How to harness AI to promotesecure workplace behaviors KPMG International | kpmg.comKPMG. Make the Difference. Introduction A strong cybersecurity culture is whenpeople do the right thing, understand whycybersecurity is beneficial for the business,encourage and challenge others, and admitwhen something has gone wrong. Akhilesh TutejaGlobal Cyber LeaderKPMG International In today’s digital and highly interconnected businessenvironment, organizations are rapidly adopting ArtificialIntelligence (AI). While this is exposing organizationsto new risks, it is also creating countless opportunities,such as new ways to improve operations and efficiencies,unlock value, and grow competitive advantage. include how to overcome change resistance, how toadopt emerging technologies securely without slowingdown innovation, how to manage interconnectedsystems securely, how to make the most of metrics andmeasurement, and more. Therefore, KPMG, along withCybersecurity at Massachusetts Institute of Technology(MIT) Sloan (CAMS), part of Sloan Management SchoolCybersecurity Research Division, set out to gain a betterunderstanding of cybersecurity culture, its challenges,and how AI could make an impact.2 Some forward-thinking organizations are experimentingwith AI in their cybersecurity function, to improve riskdetection and response. However, an aspect that holdsgreat potential, but is somewhat unexplored, is howAI can help organizations to boost their cybersecurityculture, especially when it comes to cyber Human RiskManagement (HRM). In early 2024 we undertooka quantitative survey ofapproximately40 cybersecurityleaders, subject matter experts,and cross-industry executivesfrom diverse industries andforums. To explore this idea, in early 2024 KPMG and MITundertook a quantitative survey of approximately 40cybersecurity leaders, subject matter experts, and cross-industry executives from diverse industries and forums.3 Cyber HRM is essential to cybersecurity culture, as theway people manage technology is the window throughwhich threat actors can infiltrate organizations. A Verizonstudy found that 68 percent of cybersecurity breachesinvolved a non-malicious human element, such as aperson falling victim to a social engineering attack ormaking an error.1 This survey asked about the current level ofcybersecurity culture in organizations, views on thepotential of AI to influence cybersecurity behaviors, andcurrent approaches to measuring cybersecurity culture. The survey was supported with qualitative researchvia eight in-depth interviews with cyber executives,including Chief Executive Officers (CEOs)/Co-founders,Vice Presidents (VPs), Chief Information SecurityOfficers (CISOs), Cyber AI/Automation Leads, and cyberHRM professionals across multiple regions. In all organizations, but particularly ones with diverseways of working across geographies, building acomprehensive and sustained cybersecurity culture canbe challenging. Cybersecurity culture complexities can About Cybersecurityat MIT Sloan This report draws on this research, as well asthe experience of the MIT and KPMG teams,and explores how AI can impact cybersecurityculture. Firstly, it defines the characteristicsof a strong cybersecurity culture and the keychallenges that organizations face in creating one.It then explores the potential of AI to enhancecybersecurity culture, and offers some actionable use cases for organizations to apply — includingcontent personalization for high impact, enhancingmeasurement capabilities to support cyber HRM,real-time risk recognition and remediation, tailoringsecurity controls to different people, and more. Thisreport offers seven considerations to transformyour cybersecurity culture through embracing thepower of AI. Cybersecurity at MIT Sloan (CAMS) isa research consortium filled with someof the most well-known companiesin the world. CAMS conducts andpublishes fundamental research on themanagerial, strategic, organizational,and governance issues in cybersecurityleadership. Actionable insights onrisk management, cyber governanceof boards of directors, operationaltechnology cybersecurity, cyberresilience and many more areas are partof the research agenda in addition tobuilding and managing a cybersecurityculture. This study is one of the first to consider the impacts of AI on cybersecurity culture. Whilewe see AI impacting just about every aspect of our business today, the impact it is having(and potentially will have) on the way our people do their jobs is something every managermust consider. To ignore the impacts of AI on the values, attitudes, and beliefs that drivethe behaviors of our colleagues is to leave open one of the biggest vulnerabilities from cyberthreats that our organizations face today. Dr. Keri E. PearlsonExecutive Director, Cybersecurity at MIT Sloan MIT Sloan School of Management The rapid adoption of new technologies, in particular AI, is increasingthe attack surface for organizations and introducing new ri