Your Security Habits Are Starting to Follow You

By Ilya Mirolubov, IT Department, WCH

In 1989, Fair Isaac Corporation introduced a three-digit number that would quietly reshape how Americans borrow money, rent apartments, and demonstrate financial trustworthiness to strangers. The FICO score did not invent creditworthiness. It made it portable, measurable, and impossible to reset simply by changing banks.

The cybersecurity industry is working toward something analogous — and the implications for how organizations manage human risk, and how individuals build professional reputations, are more significant than most people in the workforce have yet registered.

The Problem That $200 Billion Hasn’t Solved

Global cybersecurity spending exceeded $200 billion in 2024. The tooling has never been more sophisticated. Endpoint detection, zero-trust architecture, behavioral analytics, AI-driven threat response — the technology layer has been fortified in ways that would have seemed extraordinary a decade ago.

And breaches keep happening. Not primarily because the technology is failing. Because people are the variable that technology cannot fully control.

The 2024 Verizon Data Breach Investigations Report found that the human element was involved in a significant majority of confirmed breaches — through phishing, credential misuse, errors, and social engineering. These are not edge cases. They are the dominant attack surface.

Security teams have known this for years. The response has largely been training — awareness programs, phishing simulations, annual certification requirements. The approach has improved. It has not solved the problem, because training measures exposure to information, not actual behavior. Someone can complete every assigned module and still paste sensitive data into a public AI tool the following morning.

“Training measures exposure to information, not actual behavior. Someone can complete every assigned module and still be your highest-risk employee.”

Measuring What Actually Matters

The shift underway in the security industry is from measuring training completion to measuring behavior. The distinction sounds incremental. The operational difference is substantial.

A human risk score — the term used across various platforms and frameworks in the field — aggregates observable security behaviors into an individual-level assessment that updates continuously rather than annually. The inputs are practical and already present in most organizational environments.

Phishing simulation performance: not just whether someone clicked, but whether the behavior changed after targeted follow-up, and whether improvement held over time. Training engagement: completion speed, assessment scores, whether someone revisits material after a simulated failure. Data handling practices: whether sensitive files are being moved to unsanctioned storage, whether confidential information is being entered into public-facing AI tools, whether clean-desk and screen-lock practices are maintained. Incident reporting: whether the person who spots something suspicious reports it or ignores it.

No single data point defines a person’s security posture. The aggregate, tracked over months and years, creates a profile that is considerably more useful than a training certificate — and considerably more honest about actual risk.

For organizational decision-making, the application is direct. Access provisioning calibrated to demonstrated behavior rather than job title alone. Training assignments targeted at actual gaps rather than delivered uniformly to everyone. Heightened monitoring for individuals whose scores indicate elevated risk. Recognition and professional advantage for individuals who consistently demonstrate strong habits.

“A human risk score is considerably more honest than a training certificate — and considerably more useful for the organizations relying on it.”

The Portability Question

Here is where the development becomes genuinely consequential for the workforce — and for the healthcare industry specifically.

Historically, an employee’s security track record was invisible beyond their current employer. A person with five years of exemplary data handling practices, zero phishing failures, and consistent security reporting produced no transferable credential when they moved to a new organization. A person with a pattern of risky behavior — repeated phishing failures, documented policy violations, known data handling lapses — arrived at a new employer as an unknown quantity.

Both individuals went through the same onboarding. Both started from the same baseline. The new employer inherited risk it could not assess.

The concept of portable cyber credentials proposes to change this. The idea — actively discussed in security and workforce circles — is that a verified, standardized record of an individual’s security behavior could travel with them between employers, in the same way a financial credit score travels between lenders.

The practical mechanics are still developing. Standards for what gets measured, how it gets verified, and who controls the record are live questions without settled answers. But the direction is clear, and the economic logic driving it is compelling on both sides of the employment relationship.

What It Means for Employees

For individuals with strong security records, portability is straightforwardly valuable. A demonstrated history of security-conscious behavior becomes a professional credential — verifiable evidence of being a low-risk, high-responsibility hire in an environment where every organization is acutely aware of the human variable in their security posture.

In competitive hiring situations, particularly for roles involving access to sensitive systems or data — which in healthcare describes an enormous proportion of the workforce — that credential has real value. It accelerates onboarding. It justifies greater initial access. It signals something about professional discipline that a resume cannot convey.

For individuals with problematic records, portability introduces accountability that did not previously exist. A pattern of risky behavior that previously reset with each job change would instead follow the individual — not as a permanent disqualification, but as a documented history that prospective employers could factor into their decisions.

“In healthcare, where virtually every role involves access to sensitive data, a verified security record could become as professionally relevant as a license or certification.”

What It Means for Healthcare Organizations

Healthcare carries particular weight in this conversation. The sector handles some of the most sensitive personal data in existence. It has been the most targeted industry for ransomware and data breaches for more than a decade running. It employs a large, highly mobile workforce — clinical staff, administrative teams, billing departments, remote coders, contract workers — whose individual behaviors directly affect patient privacy and organizational compliance under HIPAA and state law.

The cost of a healthcare data breach reached an average of $9.77 million in 2024 — the highest of any industry for the fourteenth consecutive year, according to IBM’s Cost of a Data Breach Report. The human element is present in the majority of those incidents.

Against that backdrop, the ability to hire with verified behavioral data, calibrate access and monitoring to demonstrated risk levels, and build a workforce culture in which security habits are recognized and rewarded is not a marginal improvement. It is a meaningful change in organizational risk management.

The organizations that begin treating security behavior as a measurable, manageable dimension of workforce performance — rather than an annual training obligation — will be better positioned as this capability matures. The infrastructure to do this, in some form, is already available. The cultural shift it requires is harder, and it starts with leadership treating human risk as seriously as technical risk.

“Healthcare has been the most targeted industry for data breaches for more than a decade. The answer is not more technology. It is treating human behavior as a managed risk.”

The Credit Score Analogy, Revisited

The FICO score was not universally welcomed when it arrived. Privacy advocates raised concerns. Employers worried about misuse. Critics questioned whether a number could fairly represent the complexity of a person’s financial situation.

Those debates were legitimate then. Similar debates will accompany the development of portable cyber credentials — about who controls the data, how disputes are resolved, what protections exist against misuse.

But the underlying dynamic is the same. When the stakes are high enough and the measurement is accurate enough, portable behavioral data tends to become standard practice. The financial industry’s credit infrastructure did not eliminate bad lending decisions. It made the information available to make better ones.

The same logic applies to human security risk. Whether portable cyber credentials become mainstream remains uncertain. What is becoming increasingly clear, however, is that organizations are moving toward more continuous and behavior-based approaches to measuring human security risk.

Sources:

  1. Verizon Data Breach Investigations Report (DBIR), 2024
  2. IBM Cost of a Data Breach Report, 2024
  3. World Economic Forum Global Cybersecurity Outlook, 2024
  4. CISA Human Risk Management Resources
  5. NIST SP 800-50: Building an IT Security Awareness and Training Program
  6. SANS Institute Security Awareness Report, 2024
  7. HHS Office of Civil Rights HIPAA Security Rule Guidance on Workforce Training

Discover more from Doctor Trusted

Subscribe to get the latest posts sent to your email.

Discover more from Doctor Trusted

Subscribe now to keep reading and get access to the full archive.

Continue reading