Steve Durbin, Chief Executive of the ISF and Forbes Business Council Member.
Developing a human-centered security program may be the smartest investment you can make for a secure future.
While many organizations have a security awareness training program in place, few trigger real behavior change or cultural shifts. Existing programs tend to focus on compliance, are designed with a one-size-fits-all approach and rarely result in sustained changes to security behavior. We know the current approach isn’t working because the proportion of data breaches attributed to human error continues to climb — from 88% in 2018 to 90% in 2019, according to data from the Information Commissioner’s Office (ICO) in the UK.
We need to reassess how best to teach people. It’s not enough to make them aware of potential threats — we need to model, encourage and motivate individuals to behave securely. A human-centered security program will consider roles, psychological processes, attitudes and even the method and structure of communication. However, changing behavior in the long term is a complex task. It requires careful planning of an interdisciplinary strategy that caters to specific roles and is backed by solid metrics that demonstrate a return on investment.
Establish A Behavioral Baseline
Pull in rich datasets and perform statistical analysis, leveraging historic risk assessments, data loss prevention and user behavior analytics. Break your data down by role, department, location and across the entire organization. Before you can design an effective program, you must understand how your workforce is behaving and why.
Qualitative information provides valuable insight into patterns of behavior, and it can be gathered in a number of ways. Run focus groups, and critically observe how employees behave. Examine the applicability of policy, processes and systems. Factor in digital and physical environments, too. The aim is to reveal weaknesses in your organization’s current approach to education, training and awareness.
With a big picture view of security behavior across the business, you can drill down to a granular level to find where there might be a lack of motivation, where communication is breaking down or where leadership values are not filtering through. Find the areas that require investment and target them. Establishing this behavioral baseline is crucial if you want to measure progress over the long term.
Tailored Content And Emotional Engagement
Forcing every employee to complete the same training, with no regard for their input or the applicability to their role, is a recipe for disaster. Blaming and shaming can have a deeply negative impact on morale and will not encourage the behavior you want. It’s vital that individuals feel safe to express opinions and concerns and can challenge the status quo of traditional education and training mechanisms.
Targeted and tailored content is a vital piece of this puzzle. Every employee faces different security threats, so training should be contextualized to address specific roles. Creating role-based security training programs, executive training for senior leaders and security mentoring schemes leads to far greater levels of engagement than traditional “blanket” security training.
Training also needs to engage people on an emotional level. It should be stimulating and even entertaining. Gamification is a great way to boost buy-in; you can recast problems as puzzles to be solved, encourage teamwork and competition and motivate with rewards. If people enjoy it, there is a far greater chance it will stick in their minds. Publicly praise the behavior you want to see through internal communication channels.
Regularity is crucial, but people only focus effectively for short periods, so security awareness, training and education need to be delivered in short bursts and at frequent intervals. Remember that people have different learning preferences and respond best to different media, so deliver bite-sized chunks of visual and audio content. Mix up the delivery, but keep the central branding and messaging consistent, and attach memorable cues like jingles, slogans and phrases.
Secure Behavior By Design
Redesign the digital infrastructure, the user experience and the interfaces people interact with so that they guide individuals toward secure behavior. Security must not add friction to already busy job roles. It should be easy for people to manage threats effectively and report them quickly. A simple button to report a suspected phishing email is a good example: rather than having to work out who to report it to and where to forward the message, an employee can click the button right in the email client and the message is routed for investigation.
The physical environment can also be redesigned to foster secure behavior. For example, make it easy to shred documents after meetings, and include privacy screens for laptops. Desired behavior can also be encouraged by “nudges” to do the right thing — security messages and reminders in public areas, apps that prompt people to complete training modules, visual and audible reminders that direct people to think about what they’re doing. Conscious and subconscious cues can have a profound psychological impact on behavior.
Budgets are often cut for traditional security training because they don’t lead to a clear and quantifiable impact. It’s crucial to develop metrics and continuously assess the impact of your human-centered security program. Examine how your initiatives are impacting individual behavior. Look for changes in motivation, proficiency and attitudes.
Demonstrate a reduction in the expected losses associated with human error and negligence, factoring in the cost of financial penalties, loss of service and cost to remediate. You can calculate the money you are saving with a reduction in incidents and compare it to the cost of your program to prove it’s worthwhile.
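The baseline work described earlier (break your data down by role, department and location, then find the areas that need investment) and the metrics described here can be driven from the same event data. The following is an added example in Python, not code from the article or from the ISF: it takes constructed phishing-simulation and data loss prevention events, computes the phishing click rate per department before and after a program, ranks the departments that most need attention, and compares the reduction in expected losses with what the program cost. The event records, department and role names, per-incident cost components and program cost are all constructed placeholders; a real run would replace them with exports from your simulation, DLP and UBA tooling.

```python
"""Behavioral baseline and program ROI from constructed security event data.

Added example; not part of the original article. Every record, cost figure
and name below is constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    period: str       # "baseline" (before the program) or "post" (after it)
    department: str
    role: str
    kind: str         # "phish_click", "phish_report" or "dlp_block"


# Constructed sample: (period, department, role, kind, count). Each period is
# assumed to cover one year so the loss figures below are annual.
_SAMPLE = [
    ("baseline", "Finance", "analyst", "phish_click", 3),
    ("baseline", "Finance", "analyst", "phish_report", 1),
    ("baseline", "Finance", "analyst", "dlp_block", 2),
    ("baseline", "Engineering", "developer", "phish_click", 1),
    ("baseline", "Engineering", "developer", "phish_report", 3),
    ("baseline", "Sales", "account_manager", "phish_click", 2),
    ("baseline", "Sales", "account_manager", "phish_report", 2),
    ("post", "Finance", "analyst", "phish_click", 1),
    ("post", "Finance", "analyst", "phish_report", 3),
    ("post", "Finance", "analyst", "dlp_block", 1),
    ("post", "Engineering", "developer", "phish_report", 4),
    ("post", "Sales", "account_manager", "phish_click", 1),
    ("post", "Sales", "account_manager", "phish_report", 3),
]
EVENTS = [Event(p, d, r, k) for p, d, r, k, n in _SAMPLE for _ in range(n)]

# Event kinds that count as a human-error incident for the loss calculation.
INCIDENT_KINDS = {"phish_click", "dlp_block"}

# Constructed per-incident cost components (penalty, lost service, clean-up).
COST_PER_INCIDENT = {"penalty": 5_000, "service_loss": 2_000, "remediation": 3_000}


def breakdown(events, period, by="department"):
    """Count each event kind per group (department, role, ...) for one period."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.period == period:
            counts[getattr(e, by)][e.kind] += 1
    return {group: dict(kinds) for group, kinds in counts.items()}


def click_rate(kinds):
    """Share of simulated phish that were clicked rather than reported."""
    clicks = kinds.get("phish_click", 0)
    total = clicks + kinds.get("phish_report", 0)
    return clicks / total if total else 0.0


def weakest_groups(events, period, by="department", top=2):
    """Groups with the highest click rate: where investment should be targeted."""
    rates = {g: click_rate(k) for g, k in breakdown(events, period, by).items()}
    return sorted(rates, key=rates.get, reverse=True)[:top]


def rate_change(events, by="department"):
    """Per-group click rate before and after the program, measured against the baseline."""
    before = breakdown(events, "baseline", by)
    after = breakdown(events, "post", by)
    return {g: (click_rate(before.get(g, {})), click_rate(after.get(g, {})))
            for g in set(before) | set(after)}


def incident_count(events, period):
    """Number of human-error incidents in a period across the whole organization."""
    return sum(1 for e in events if e.period == period and e.kind in INCIDENT_KINDS)


def expected_annual_loss(incidents, cost_components):
    """Expected loss = incidents per year x total cost of one incident."""
    return incidents * sum(cost_components.values())


def program_roi(events, cost_components, program_cost):
    """Compare the saving from fewer incidents with the cost of the program."""
    baseline_loss = expected_annual_loss(incident_count(events, "baseline"), cost_components)
    post_loss = expected_annual_loss(incident_count(events, "post"), cost_components)
    saving = baseline_loss - post_loss
    return {
        "baseline_loss": baseline_loss,
        "post_loss": post_loss,
        "saving": saving,
        "net_benefit": saving - program_cost,
        "benefit_cost_ratio": saving / program_cost,
    }


if __name__ == "__main__":
    print("Baseline priorities:", weakest_groups(EVENTS, "baseline"))
    for group, (before, after) in sorted(rate_change(EVENTS).items()):
        print(f"{group}: click rate {before:.0%} -> {after:.0%}")
    print(program_roi(EVENTS, COST_PER_INCIDENT, program_cost=20_000))
```

The baseline ranking is what tells you where to spend first; the before-and-after rates per group are the progress measure, and the loss comparison is the figure to put in front of whoever holds the budget. Swapping `by="department"` for `by="role"` gives the role-level view the article recommends.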
We know that people can be influenced and manipulated by attackers, but the same principles can be applied positively by the security function of an organization. Developing a human-centered security program may be the smartest investment you can make for a secure future.