Building a More Behaviour-focused Security Awareness Program
According to certain analysts, companies have invested billions in initiatives to raise information security awareness. This approach aims to tackle the most significant security threat — human behaviour — by modifying it through training programs and instruction on their roles in the event of a security incident.
Yet despite regular security awareness training, these activities have not fully succeeded because human error and acts of negligence continue to make employees gullible to social engineering ploys. The reality is that security awareness programs may fall short in certain areas:
Going beyond conventional approaches: 7 recommendations
A simple knowledge transfer — making people aware of their information security responsibilities and how they should respond — is no longer enough. The success of information security programs must be evaluated on their reduction of risk rather than what people know (or don’t know). Here are recommendations on how organisations should approach their awareness programs:
1. Security awareness programs should be driven by the need to reduce overall business risks. For compliance risks, organisations may have to demonstrate that all employees have received information security awareness training. For operational risks, organisations should focus on protecting critical assets and concentrate on areas with the most vulnerable exposure and individuals with the highest risk profiles. For strategic risks (such as loss of reputation), organisations may need a behaviour change or intervention to engage employees in their security responsibilities.
2. This is not to say that knowledge isn’t important, but it isn’t valuable unless it translates into positive behaviours. Part of this translation will be to provide users with the skills, assets and motivations they need to make the knowledge real. For instance: making policies, training and other materials easily accessible; distributing privacy screens, secure removable storage and commercial-grade password managers at no cost; having leaders lead by example and cite security policies regularly; and attaining a clear alignment between the behaviours senior management is seeking and the systems and controls that are put in place.
3. Communication and training are not always the answer. What looks like people resisting could be a lack of clarity; what looks like people being lazy could be a lack of motivation; what looks like a people problem might be a situation problem. It’s easy to blame people when things go wrong. The root cause of a problem behaviour could be a complex system with a cumbersome process or a problem with the physical environment. Organisations that experience a tailgating problem might need physical barriers that prevent tailgating instead of asking people to verify each other’s badges. A preventative approach might also be an answer – designing systems and processes with people in mind and infusing security from the outset.
4. Treat behaviour change as a long-term exercise, because setting a short-term target could lead to disappointment. Senior management will want to see results in shorter timescales, so start with a small group that can be monitored closely. Ideally, security awareness should be a multi-year project justified by the benefits it could deliver in both the short term and the long term. Benefits may include lowering the organisation’s risk profile, reducing the cost and frequency of security incidents, and improving risk management reporting.
5. By winning over hearts and minds, it becomes possible to influence behaviours and mindsets. When employees feel trusted, motivated and empowered, they are inclined to show the desired behaviours and take accountability for their actions. This involves understanding their difficulties and offering the necessary tools and training at their preferred pace. When positive behaviours become ingrained in the organisational culture, information security becomes a fundamental aspect of established norms and practices.
6. People are busy; they have many conflicting priorities. Moving from ‘tell’ to ‘sell’ aims to connect personally, logically and emotionally with people. This can include developing a strong security identity, deploying innovative solutions that make training activities distinctive and memorable, treating people as individuals rather than applying a one-size-fits-all solution, tailoring programs according to skills and audiences, and implementing tools and processes that are simpler and more integrated.
7. Employers need to explain their security expectations clearly. Positive security behaviours should be identified and recognised through performance reviews, while people should be held accountable for unacceptable behaviours. All communications and training should stress that security is a key business asset and that deliberate non-conformance will be addressed constructively at an individual level.
As stakeholders (and regulators) continually push for stronger cyber security governance, the need to shift from awareness to tangible behaviours becomes urgent. Encouraging positive security behaviours among employees will surely help security teams build a stronger security posture and inspire confidence in everyone.