Why Security Awareness Training Should Be Backed by Security by Design

As a starting point, an individual will always choose to be productive in their current role over behaving securely…

Daniel Norman, Senior Solutions Analyst at the ISF

Cybersecurity training needs an overhaul, though the training itself is only one small part of how security teams can influence user behavior.

As IT organizations struggle with the security implications of remote working arrangements and the already lackadaisical attitudes about security that permeate across the enterprise user base, now is the time to change how security teams influence their users’ behavior. So say experts at Information Security Forum (ISF), which this week released new guidance on how to move beyond tepid security awareness training toward more all-encompassing strategies.

Most security leaders still struggle to develop security education and awareness initiatives across the workforce resonate with users and promote sound security behavior, ISF reports. Some 65% of the ISF membership, on which its report is based, say their employees’ receptiveness to existing security training is very low to medium. Some of the biggest challenges named by these respondents include a lack of applicability to job roles, mixed or inconsistent messages, and poorly developed content.

In the report “Human-Centred Security: Positively Influencing Security Behavior,” ISF recommends organizations not only overhaul their security training programs, but also fundamentally change the role training plays in prodding employees to make consistently secure choices both in the digital and physical world. Central to that is taking up the mantle of secure behavior by design.

The concepts of “safe by design” or “secure by design” are well-established psychological enablers of behavior. For example, regulators and technical architects across the automobile and airlines industries prioritize safety above all else.

“This has to emanate across the entire ecosystem, from the seatbelts in vehicles, to traffic lights, to stringent exams for drivers,” says Daniel Norman, senior solutions analyst for ISF and author of the report. “This ecosystem is designed in a way where an individual’s ability to behave insecurely is reduced, and if an unsafe behavior is performed, then the impacts are minimized by robust controls.”

As he explains, these principles of security by design can translate to cybersecurity in a number of ways, including how applications, tools, policies, and procedures are all designed. The goal is to provide every employee role “with an easy, efficient route toward good behavior.”

This means sometimes changing the physical office environment or the digital user interface (UI) environment. For example, security by design to improve phishing susceptibility might include implementing easy-to-use phishing reporting buttons within employee email clients. Similarly, it might mean creating colorful pop-ups in email platforms to remind users not to send confidential information.

“As a starting point, an individual will always choose to be productive in their current role over behaving securely. If the security element of an end-to-end process adds additional friction, this needs to change,” Norman says. “Once additional risks have been identified, organizations will be better positioned to redesign the digital and physical environments to guide, motivate, and enable individuals to behave securely.”

Central to the push to security by design is keeping the importance of user experience in UIs top of mind.

“This is the visual interface of which an individual may be exposed to any number of threats that could potentially result in a security incident,” he says. “The design of these systems must enable them to effectively manage and mitigate threats or report potential incidents as quickly as required.”

Security by design is the backstop to solid security training, which should still play a vital role in human-centered security initiatives. But training needs to be revamped at most organizations to make a difference. ISF believes organizations need to buckle down and improve their training content to be more tailored to employee roles, focusing on high-risk user groups first. Behavioral psychology and educational research also indicates that to be more effective, training needs to be more emotionally engaged and more frequently delivered.