Social engineering threats are increasingly difficult to distinguish from real media. What’s worse, they can be released with great speed and at scale. That’s because attackers can now use new forms of artificial intelligence (AI), like generative AI, to create convincing impostor articles, images, videos and audio. They can also create compelling phishing emails, as well as believable spoof browser pages and deepfake videos.
These well-crafted attacks developed with generative AI are creating new security risks. They can penetrate protective defense layers by exploiting human vulnerabilities, like trust and emotional response.
That’s the buzz about generative AI. The good news is that the future is wide open to fight fire with fire. There are great possibilities for using a custom-built generative AI tool to help improve your company’s cybersecurity awareness program. And in this post, we look at five ways your organization might do that, now or in the future. Let’s imagine together how generative AI might help you to improve end users’ learning engagement and reduce human risk.
1. Get faster alerts about threats
If your company’s threat intelligence exposes a well-designed credential attack targeting employees, you need to be quick to alert and educate users and leadership about the threat. In the future, your company might bring in a generative AI tool that can deliver relevant warnings and alerts to your audiences faster.
Generative AI applications can analyze huge amounts of data about emerging threats at greater speed and with more accuracy than traditional methods. Security awareness administrators might run queries such as:
- “Analyze internal credential phishing attacks for the past two weeks”
- “List BEC attacks for credentials targeting companies like mine right now”
In just a few minutes, the tool could summarize current credential compromise threats and the specific “tells” to look for.
You could then ask your generative AI tool to create actionable reporting about that threat data on the fly, which saves time because you’re not setting up dashboards. Then, you use the tool to push out threat alerts to the business. It could also produce standard communications like email messages and social channel notifications.
You might engage people further by using generative AI to create an eye-catching infographic or a short, animated video in just seconds or minutes. No need to wait days or weeks for a designer to produce that visual content.
2. Design awareness campaigns more nimbly
Say that your security awareness team is planning a campaign to teach employees how to spot attacks targeting their credentials, as AI makes phishing emails more difficult to spot. Your security awareness platform or learning management system (LMS) has a huge library of content you can tap for this effort—but your team is already overworked.
In the future, you might adapt a generative AI tool to reduce the manual workload by finding what information is most relevant and providing suggestions for how to use it. A generative AI application could scan your content library for training modules and awareness materials. For instance, an administrator could make queries such as:
- “Sort existing articles for the three biggest risks of credential theft”
- “Suggest training assignments that educate about document attachments”
By applying this generative AI use case to searching and filtering, you would shortcut the long and tedious process of looking for material, reading each piece for context, choosing the most relevant content, and deciding how to organize what you’ve selected.
You could also ask the generative AI tool to recommend critical topics missing in the available content. The AI might even produce the basis for a tailored and personalized security campaign to help keep your people engaged. For instance, you could ask the tool to sort content based on nonstandard factors you consider interesting, such as mentioning a geographic region or holiday season.
3. Produce fast, fresh and focused content
What about security awareness materials that aren’t in your platform or LMS? Your business no doubt spends a lot of time and money to purchase or develop content such as knowledge assessments and training modules. By taking advantage of generative AI applications, you could produce content faster and at less cost, and release it in more frequent cycles.
When writing or designing content, producing the first draft is often the hardest step. A generative AI tool can save on brainstorming and ideation time by creating a super-fast draft of an article, image or video. You can use that draft as an outline to build on. And, at the end of the creative process, you might run the generative tool again to speed up editing details such as grammar review or matching an intended written or visual style.
Language translations of security awareness content are also time-consuming. You might consider training your generative AI tool to produce the first draft of a translation. Over time, the tool might perform reliably enough to produce near-native readability. Either way, your team would see an efficiency gain along with cost savings by reducing your reliance on external vendors for translation services.
Pushing out new content faster could have a positive impact on your end users’ behavior. You can increase user engagement by providing content that’s fresh, delivering it more often, and focusing on trending topics that feel timely and personal.
As a snake-eating-its-own-tail scenario, the topic of AI has widespread popularity, so use it to spark your employee’s interest. Ask the generative AI tool to produce a sketch of an infographic about generative AI tools such as OpenAI’s ChatGPT and Google’s Bard AI. Or you could ask it to draft an article about intellectual property issues when using AI to create images.
4. Write better internal communications
Speaking of writing, it’s a professional skill that not everyone is comfortable with—including many technically minded people. But for cybersecurity communication, it’s important to find a voice and tone that will encourage people to want to learn and help them feel talked with instead of talked to.
Make generative AI the technician’s writing assistant. This can help you create communications that have a more conversational or consultative tone.
For a threat alert that explains a trending business email compromise (BEC) attack to employees, for example, you might ask the generative AI tool, “Write an email in a soothing tone that explains not to click on document attachments and shows appreciation.” (I gave this exact query to an AI chatbot, and it delivered a well-written draft in about five seconds.)
Generative AI can improve your security team’s productivity in creating internal communications. It gets them past that “staring at the blank page” phase and guides them toward a consultative and conversational style of writing. The result: Security admins can improve their rapport with users whose behavior they are trying to change. Through better communication, they can earn their trust and appreciation.
5. Engage in an ongoing conversation with users
As attackers increase their use of AI to create and release threats, security awareness programs must keep pace. Now is the time to rethink traditional training. Consider adapting a generative AI application that is collaborative, continuous and responsive to the modern threat environment.
Imagine a future where you can layer a generative AI tool between your security awareness platform and the end user. An employee clicks a link in a phishing email that is designed to simulate the supplier risk attacks your business faces. This initiates an interactive dialogue with the generative AI that is contextual to the user’s behavior, their responses and the learning objective of the phishing simulation.
The generative AI tool, which has been trained by the security team, asks that person for their thoughts about the action of clicking the link, instead of just sending a security policy reminder. This type of experience might inspire your employees to help advance their behavior change journey. In the future, generative AI offers a great opportunity to have a thoughtful conversation about how to reduce risk for the company.
With generative AI, human oversight is essential
Generative AI can exploit human vulnerabilities in powerful ways. And every person must take steps to be aware of these risks and protect themselves.
The future of AI technology can also have a significant impact on your security awareness program. But security awareness teams must make sure that results are vetted by human oversight and accountability. Human at the beginning, human at the end. That includes:
- Fact checking and double-checking AI-generated advice and information to confirm it is sound
- Screening for inherent bias, misinformation, hallucinations, distorted facts and made-up citations
- Conducting peer reviews of AI-generated content for readability and a natural tone
- Reviewing language translations performed by AI tools with rigor to verify their accuracy
To learn more about the present and future of security awareness programs, register for our September 26 webinar, “Key Cybersecurity Takeaways from Protect and Wisdom 2023: People-Centric Security for the Modern Attack Chain.”
Subscribe to the Proofpoint Blog