Cybercrime continues to evolve and grow more sophisticated, and 2018 was a prolific year for successful cyberattacks, many of which were enabled by human error. A recent report from KnowBe4 found that 92 per cent of organisations rank their users as their primary security concern. That figure underlines why organisations need to establish a security culture and ensure that their users are trained and tested, so that they can help counter the growing frequency of ransomware, phishing and cryptojacking attacks being experienced by businesses of nearly every size, vertical and locale.
The goal of security awareness training must ultimately be to improve the behaviour of employees, because employees have the potential to undermine the protection provided by the organisation’s security infrastructure. So where do we start? Firstly, there is a critical difference between ‘awareness’ and ‘behaviour’, and the reason this matters is that, as a security professional, what people do means more to me than what they know. People know lots of things that they don’t care about. What really matters is how they behave.
So, how can we influence security-related behaviours? It’s helpful to first look at effective marketing strategies: the field of marketing has been working for a long time at influencing behaviour, and there’s a lot that can be learnt from studying marketing principles and practices. For instance, a product’s marketing strategy may contain several distinct events, but it would not be successful if there were only one event per year. This is exactly why advertisers continually target us with messages, images and stories about their product and how it fits into our lives. In the end, marketing is about affecting hearts, minds and attitudes with the goal of influencing behaviour, and it works.
The drip marketing technique
Let’s focus on one specific marketing strategy that can (and should) be applied to your security awareness programme: the concept of “drip marketing”. It’s compelling stuff and particularly relevant in the context of security awareness.
A drip marketing campaign consists of providing a prospect with a set of information, then providing them with additional information depending on how they behaved while in possession of the first set (did they read it, did they perform an action after digesting it, and so on). Raising the security awareness level of a user works in a similar way. If you provide the end user with meaningful, engaging security content on a frequent basis, you will help them retain the information better, while improving the security posture of the organisation.
Making it relevant
Typically, security awareness training is viewed as a compliance exercise that is carried out once a year in ways that don’t feel relevant to employees. We inundate them with information with minimal context, relevance, empathy or engagement. This approach doesn’t provide a meaningful way for people to digest and retain information. It also does nothing to enhance the security posture of an organisation.
Dr. BJ Fogg (founder of the Behaviour Design Lab at Stanford University) created the Fogg Behaviour Model, which holds that three elements must converge at the same moment for a behaviour to occur: motivation, ability and a trigger. If the behaviour fails to occur, at least one of those three elements is missing. The model weighs how easy or hard a task is against how much motivation it requires, and asks how to raise motivation or make the task easier. It also drives home the point of putting a message out at the right time (the trigger), such as placing a sign about secure shredding next to a printer: the sign sits beside the machine that prints potentially sensitive information which may later need shredding. An additional step, such as adding a picture of peers disposing of paper the right way (to create social pressure) or a picture of a baby (to increase motivation by prompting people to think of the future), could further raise motivation.
There is a range of both overt and subtle ways to influence behaviour. Some of the more overt ones include simulated phishing exercises, automated blocking of inappropriate behaviour followed by redirection to related training, visible surveillance cameras, and login banners letting people know that they are being monitored. When people know they’re being tested and evaluated on their behaviour, they tend to pay more attention.
Content dripping (where you start someone off with a bit of information, then continue sending them similar information depending on what they choose to engage with) can serve as a more subtle, contextual and relational way to influence thought and behaviour over time. As with drip marketing, frequent touch points are the way to go when it comes to security awareness training.
Security awareness training is really about behaviour modification: helping users to be more sceptical and less gullible about cybercriminals’ attempts to fool them, less likely to share information that cybercriminals could use to craft customised messages, more careful about opening attachments, more diligent about verifying the senders of emails, and so forth. Influencing behaviour isn’t easy, but by taking a leaf out of the marketers’ book, security professionals will be more successful in their security awareness training efforts.
Perry Carpenter, Chief Evangelist and Strategy Officer, KnowBe4