Should the principles of Herd Immunity be applied to cybersecurity training?
Instilling good security hygiene practices into the workforce is a great way of managing specific risks. As a goal, everyone should be included, but that may not be achievable at any given moment. So, at what threshold should success be measured?
This is where our partners in healthcare may have a good theory that we can borrow.
Applying Herd Immunity theory to our world of behavioral attacks may provide valuable insights. If an immunity threshold is not maintained, then social attacks like phishing can easily propagate. It doesn't mean infections will never occur, but it does limit how far they can spread, and it improves how early such attacks can be identified, reported, and addressed.
Given the ebb and flow of new employees and the general behaviors of people, training is never 100% effective all the time. But having a security-savvy workforce is a powerful tool in preventing and detecting certain behavior-based cyberattacks.
So what percentage do you think? Would 85%, 90%, 95% be enough to tip the balance? Thoughts?
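One way to make the threshold question concrete is to borrow the epidemiological threshold rule (coverage must exceed 1 - 1/R0) and apply it to a simple phishing cascade model. The script below is an added illustration and not part of the original post; the parameters are constructed assumptions: `r0` is the average number of colleagues an untrained victim goes on to expose (for example by forwarding the lure or having their mailbox abused), `coverage` is the share of staff who completed training, and `efficacy` is the probability that a trained person refuses the lure. The `coverage_table` function answers the post's 85/90/95% question for one set of assumptions, and `simulate_cascade` runs a small seeded Monte Carlo version of the same process.

```python
"""Herd-immunity style model of phishing propagation in a workforce.

Added example, not from the original post. All parameters below are
hypothetical assumptions chosen for illustration:
  r0       - average number of colleagues an untrained victim exposes
  coverage - fraction of staff who completed awareness training
  efficacy - probability that a trained person refuses the lure
"""
import random
from typing import List, Tuple


def effective_reproduction(r0: float, coverage: float, efficacy: float) -> float:
    """Average number of new victims each victim produces once training is in place.

    Each of the r0 people a victim exposes is trained with probability `coverage`
    and, if trained, resists with probability `efficacy`; everyone else falls for it.
    """
    return r0 * (1.0 - coverage * efficacy)


def herd_threshold(r0: float, efficacy: float = 1.0) -> float:
    """Smallest training coverage that pushes the effective reproduction number below 1.

    Solving r0 * (1 - c * efficacy) = 1 gives c = (1 - 1/r0) / efficacy, i.e. the
    familiar 1 - 1/R0 rule scaled by how well training actually works. Returns 1.0
    when even full coverage cannot get there, and 0.0 when r0 is already below 1.
    """
    if r0 <= 1.0:
        return 0.0
    return min(1.0, (1.0 - 1.0 / r0) / efficacy)


def expected_cascade_size(r0: float, coverage: float, efficacy: float) -> float:
    """Expected number of compromised people from one initial victim.

    For a branching process with reproduction number r < 1 the expected total is
    1 / (1 - r). At or above 1 the cascade is not self-limiting, reported as inf.
    """
    r = effective_reproduction(r0, coverage, efficacy)
    if r >= 1.0:
        return float("inf")
    return 1.0 / (1.0 - r)


def coverage_table(r0: float, efficacy: float,
                   coverages: List[float]) -> List[Tuple[float, float, float]]:
    """(coverage, effective R, expected cascade size) for each candidate coverage."""
    return [(c, effective_reproduction(r0, c, efficacy),
             expected_cascade_size(r0, c, efficacy)) for c in coverages]


def simulate_cascade(r0: float, coverage: float, efficacy: float,
                     n_staff: int, seed: int = 0, max_generations: int = 50) -> int:
    """Seeded Monte Carlo run of the same process, capped at the size of the workforce.

    Each active victim exposes round(r0) colleagues; each exposed colleague is drawn
    as trained/untrained and, if trained, as resisting or not. Returns the total
    number of compromised people including the initial victim.
    """
    rng = random.Random(seed)
    compromised, active = 1, 1
    for _ in range(max_generations):
        if active == 0 or compromised >= n_staff:
            break
        new_victims = 0
        for _ in range(active * round(r0)):
            trained = rng.random() < coverage
            if trained and rng.random() < efficacy:
                continue  # trained person refused the lure
            new_victims += 1
        new_victims = min(new_victims, n_staff - compromised)
        compromised += new_victims
        active = new_victims
    return compromised


if __name__ == "__main__":
    R0, EFFICACY = 4.0, 0.8  # constructed assumptions, not measured values
    print(f"coverage needed for R_eff < 1: {herd_threshold(R0, EFFICACY):.1%}")
    for cov, r_eff, size in coverage_table(R0, EFFICACY, [0.85, 0.90, 0.95]):
        print(f"coverage {cov:.0%}: R_eff={r_eff:.2f}, expected cascade={size}")
    print("one simulated cascade in a 200-person org:",
          simulate_cascade(R0, 0.90, EFFICACY, n_staff=200, seed=1))
```

The point the table makes is that no single percentage is the answer: with these assumptions 85% and 90% coverage both leave the effective reproduction number above 1, while 95% is just enough to make a phishing cascade self-limiting. The threshold moves with both how contagious a lure is in your organization and how well the training actually changes behavior, so measuring either of those (for example through simulated phishing report rates) matters as much as the headline completion percentage.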