A Security Patch for Your People


I want to introduce you to David. David is the Chief Information Security Officer for a sizeable financial institution. He is an educated career professional, a loving husband, and a devoted father. He takes his job as CISO very seriously. The responsibility of protecting his organization’s digital assets, including sensitive and regulated customer information, weighs heavily on him. The other thing you need to know about David is that he is fictitious. He was invented to relate this hypothetical yet altogether realistic experience. 

David is responsible for overseeing a large departmental budget. The expenditures his department makes on security technology is significant. He has deployed the latest in network perimeter protection, application scanning, and endpoint protection. Yet, he is uneasy and often anxious, feeling that despite all the money his organization has authorized for security technology, something is still missing. 

David tries to stay abreast of the latest security technology, processes, and strategies. He reads security related journals and reports voraciously. Just the other day, he read in a report that 20% to 30% of people, globally, will make a poor decision when presented with a well-crafted phishing email. 

He knows that up to 97% of cyber threats include some element of social engineering. David can’t help but wonder how effective his expensive security technology systems will be against the most likely security event – a threat unwittingly introduced by an employee. 

He’s not sure what he’s supposed to do. He’s not responsible for human resources. He can warn and harangue HR about the threats posed by untrained system users, but it’s mainly out of his control. This lack of control over what users will do is what keeps David up at night. He worries about employees that might click on the wrong link or visit a malware-infested website. He knows that his reputation in the industry and even his job could be in jeopardy if his organization experiences a high-profile breach. 

Let’s give this story a happy ending. Let’s introduce David to Annabelle. Annabelle, although also fictitious, represents LUCY Security. LUCY provides a platform that allows organizations to measure and improve the security awareness of employees and test their IT defenses. Fortunately, LUCY Security is not fictitious. 

Annabelle met with David and explained that LUCY has developed a unique tool that would allow him to test his security and help it evolve against cyber threats on both the people side and the system side simultaneously. Over many years, LUCY has gathered their collective IT-security knowledge and created templates and wizards that are effective and easy to use. 

With this approach, David can quickly carry out a variety of campaigns:

  • Phishing simulations
  • Awareness training
  • Technology assessments 
  • Malware simulations
  • Simulated ransomware attacks

LUCY customers include: 

  • Energy companies 
  • Financial services
  • Government agencies
  • Healthcare
  • Manufacturing industries
  • Other global organizations.

LUCY is just what David needs. After meeting with Annabelle, he could already feel some of his stress and anxiety dissipate. For a fraction of the cost of his technology solutions – which will stay in place – David can work with HR to test the cyber-hygiene of all the company’s employees. He can run personalized simulated attacks to find the weak spots both in his technology as well as the human infrastructure. 

Using LUCY, David can now create policies that enforce training for employees that fail simulated attacks. An added benefit is that the same LUCY functionality that tests employees will also defend against real attacks. 

As employees suspect a phishing attack, real or simulated, they click a button in the email application that alerts security to the event. If it was a simulated attack – good job employee, if it was a real attack, a difficult situation was just averted. 

If you are like David and have a vested interest in the security of your organization’s IT systems and data, you can create your own happy ending. While we can’t introduce you to Annabelle, you can check out LUCY Security to see how you can test, train, and engage your IT and human networks. 


Steven Bowcut, CPP, PSP is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Facebook, Instagram, and LinkedIn.