It’s an unfortunate fact, evident to both those who work in security and those who don’t, that security awareness training in its current form isn’t working.
Security awareness training is now a regulatory requirement in many industries. Even in industries in which it isn’t, organisations large and small voluntarily invest in security awareness training in an effort to prevent data breaches. And yet data breaches are still commonplace – with human error often being either a cause or catalyst in the majority of breaches.
It’s clear that traditional tick-box security awareness training efforts aren’t working. They’re not working because, in many cases, business think only about ‘awareness’ – about what people know.
That’s all well and good. But if raising awareness fails to change people’s behaviour in practice (which is frequently the case), raising it becomes pointless. Awareness is necessary but not sufficient for tackling human cyber-risk.
To reduce human cyber-risk, security awareness training must go beyond raising awareness and should also focus on changing behaviour and building a culture of security simultaneously – together known as ‘ABC’.
This last pillar, culture, is the one that businesses often struggle with.
Businesses struggle, on the one hand, to influence and improve their security culture. They also struggle to measure that culture: leaders don’t know what to assess or how to assess the improvements they’re trying to make.
How are they to know whether culture is developing, and in what way? Where are the weak points in the security culture? And what can be done to rectify this?
It’s a conundrum members of our behavioural science team has been mulling over for many years. How do you quantify cybersecurity culture? Poring over the scientific research, the team have been able to settle on seven criteria, set out below.
Measuring these seven dimensions puts businesses on the right path to achieving a people-centric security culture, and can reveal clear ways to reduce risk, increase resilience, and steer culture towards something more people-centric.
Employees need to have faith in both the processes in place and the individuals who put the processes in place if employees are to follow the processes. If there is a feeling of uneasiness or mistrust towards the choices of an organisation then it’s unlikely that the appropriate behaviours will be maintained.
Trust also needs to work both ways. Reciprocal trust between staff and the organisation is essential for effective engagement with cybersecurity. Often, employees are monitored heavily and their behaviour is restricted excessively. Research shows such an approach to be questionable.
2. Just and Fair
A ‘Just & Fair’ culture emphasises shared security accountability between leaders and staff. In turn, shared accountability ensures breaches are reported as and when they occur, which allows organisations to limit damage and learn from mistakes. Not only do employees need to trust in the competence and decision-making capabilities of their organisation, but they need to feel confident and comfortable enough to speak up when confronted with security issues or a suspected security breach. Clearly, employees that are unjustly monitored or blamed for security-related issues are incentivised to keep quiet when issues arise.
3. Resources and communication
By providing employees with security-related communications and material, awareness can be increased and a strong security culture can be bolstered. It is important to provide employees with contextualised material that is specific to their role, industry and level of experience, so that they are aware of the actual threats that could be posed to an individual in their position. Organisations may use a variety of modes to deliver their awareness content, such as posters, desk drops and face-to-face training.
4. Productive security
Security policies designed to aid productivity are more likely to be followed. Sadly, security policies are often developed without fully understanding how people work in organisations. Such security policies prohibit productivity. And, because people’s mental resources are limited, such security policies force employees to make a choice. They can either follow the policies and crawl through their to-do lists at a snail’s pace, or they can shape security policies around their existing responsibilities.
In fact, research shows that people routinely craft their own versions of security policies when official policies are cumbersome and poorly implemented. If employees feel like they can’t be secure and productive at the same time, then it’s likely that organisational security policies need some work. The NCSC in the UK refer to this as “you shape security” - a collaborative process to develop productive and secure policies. Productive security requires integrating good security habits into the business processes.
Collaborative security efforts – efforts that span the entirety of a workplace – can prevent more cyberthreats than solo attempts at threat prevention.
Research has shown that the most at risk employees often delegate security to another source. This other source can be something technological, such as the assumption that an antivirus will block all attacks, or it can be another person or department within the organisation.
6. Ease and choice
Research indicates that those who feel comfortable performing a task are likely to continue doing it, while those who struggle are likely to stop.
One way to make someone comfortable with an experience or behaviour is repetition, which sequentially, increases familiarity. Within cybersecurity, this could involve employees practicing reporting potential breaches periodically, so that the process feels familiar and easy.
If people within an organisation feel like others will disapprove of security policy compliance (for example, if they feel they’ll be looked down upon for sacrificing productivity in an effort to follow security policies), then security policies are unlikely to be followed.
A wealth of research has shown that a primary driver of behaviour is whether or not an individual believes other people they consider to be important approve of it. These important people may be their immediate colleagues or line management but might also include personal contacts such as family and friends.
Oz Alashe, CEO and founder, CybSafe