Human behaviour in organisational security – Frontline defense or lost cause?

Users must remain ever-vigilant against adversaries who are looking to exploit their mistakes.

In spite of the rapidly increasing number of media reports about security threats and breaches, organisational and individual behaviours generally still demonstrate a woeful lack of awareness about security.

Poor security decisions are made all the time, from the use of overly simple passwords, to the common decision to opt-out of additional security measures like two-factor authentication. When individuals make such decisions, they put themselves at risk; however, within enterprise environments, poor security practices among employees can put the entire organisation at risk. Cyber attackers are aware of this and are constantly developing new tactics to try and catch employees off-guard.

So how can security leaders help change their users’ behaviours and better manage the risks to their organisation? Is it worth trying to train the workforce in matters of security, or are users just a lost cause that need not be invested in?

Awareness or Training?

First, let’s examine the options. It is important to differentiate between user security training and user security awareness. Security training is designed to equip users with basic skills to respond to potential security threats. If we think of the example of first-aid training, a person trained in first aid is by no means a qualified doctor, but they do possess some basic life-saving skills. Similarly, a person with basic security training will possess some critical skills, but not the depth of training required to be a fully security-conscious employee.

User awareness training refers to a more generic and widely applicable programme that can apply to all employees in an enterprise. This kind of training does not necessarily equip users with the skills to respond, but it can help users get better at identifying potential threats. In many ways, this is similar to ‘if you see something, say something’ campaigns that are prevalent in many big cities around the world where the general public is asked to report any person or objects that may appear suspicious.

If a company wants to change the security behaviour of its employees, then both of these elements must be part of its training programmes.

Show me the ROI!

Whether your focus is on awareness or training, effectively measuring the return on your training investment is a tall order when dealing with the human element of security.

To draw useful conclusions, analysis of employee behaviour needs to be done over a relatively long period of time. In many ways, changing security behaviour is akin to encouraging people to recycle or to stop driving drunk – increasing the number of people who replace bad habits with good ones is a slow process that requires a lot of time, patience and many repetitions of the same messages. However, these analogies are somewhat limited: while their messages are stable and static, within the security context an intelligent adversary can simply adapt and refine their methods of attack as users get smarter. As this happens, the messages conveyed to employees must also be updated to keep them informed of the latest potential threats.

In order to measure success, enterprises need to have clearly defined, measurable goals and desired outcomes before they develop and implement security awareness or training campaigns. Without these, it will be very difficult, if not impossible, to measure their true effectiveness.

Approaches

I have spoken with a number of CISOs across various organisations, and have not identified the dominance of any single standard approach to employee training. In the most basic programmes, security responsibilities and expectations are laid out to employees during on-boarding, with annual refreshers given to reinforce the message. Material presented in such training is typically developed internally and is specific to a particular company. However, many people admitted that this top-down approach is not an overly effective method of changing employee behaviour.

Organisations that are required to provide some form of user awareness or training under a regulatory or compliance framework tend to opt for a structured platform made up of education modules that can be tailored to the specific needs of employees. Multiple-choice quizzes given at the end of each module enable organisations to maintain records and track completion.

For enterprises looking for a more proactive approach to learning, hands-on social engineering and phishing campaigns are also available. Such campaigns will typically send out phishing emails to all employees. If a user clicks on the offered link, they will be presented with educational information about the dangers of clicking on suspicious links or opening attachments from untrusted sources.

Strategies work best when they suit the culture of the organisation. For example, in some environments a tactic like ‘gamification’, the use of gaming techniques (such as point scoring and competition with others) to encourage broader engagement, could work well and has the potential to engage users to a level not previously achievable.

Increasing chances of success

There is a wide range of options available to allow enterprises to impart security knowledge to users, but the underlying questions remain: what is the best way to measure behavioural improvements, and what increases an organisation’s chances of success? After all, simply citing a statistic like ‘80 per cent of staff have watched an educational film or completed a quiz’ does not say much on its own if there is no insight into how this has impacted their behaviour.

However, CISOs who have rolled out successful awareness campaigns tend to stress the following points as being fundamental to measuring improvements. Firstly, a benchmark has to be established to find out what the current level of awareness is, what the desired outcome is, and which delivery mechanism would be most appropriate to a company’s culture. Secondly, successful programmes are those with continuous user engagement and a focus on interaction – a yearly ‘death by PowerPoint’ presentation is generally accepted as being the least effective method.

Thirdly, the material presented needs to be as engaging as possible. Many CISOs suggest using content created primarily by marketing, design and communications experts, with technical oversight provided by subject matter experts, in order to reach and engage the widest possible audience in an impactful way.

Building Rome

Changing behaviour takes a long time and requires sustained effort. Teaching users to not click on suspicious links or open malware-laden attachments isn’t going to happen overnight. Environmental campaigners spent many years educating the public on the dangers of pollution and the need for recycling. Now we’ve reached the point where most office buildings have a line of different waste bins to maximise recycling. Similarly, road-safety campaigns have existed for many years, but it is still necessary to continually remind the public of the dangers associated with driving under the influence of drugs or alcohol.

In order to achieve significant results, the security industry also needs to think outside the box and strive to find the most effective ways to engage the workforce and encourage them to adopt behaviours that will help keep their own information and their company’s assets secure.

But regardless of the approach taken, the only certainty is that the attacks will keep coming, and users, far from being a lost cause, will continue to find themselves on the security frontlines and must remain ever-vigilant against adversaries who are looking to exploit their mistakes.

Javvad Malik, Security Advocate at AlienVault