Author: Daniel Norman
11 Dec 2020

Many, if not all, organisations run some form of ‘security awareness’ campaign, with differing degrees of impact and success. Whether it takes the form of an organisation-wide phishing simulation or mandatory yearly e-Learning, many run security awareness primarily to adhere to regulations or standards. Despite this, the security incident and data breach statistics attributed to human behaviour, specifically negligence and error, are shocking and have consistently been on the rise. This prompts the question: why is security awareness failing so dramatically?

To answer this question, we need to work backwards: we need to understand what fundamentally drives security behaviour and critically assess why security awareness in isolation cannot influence it.

At its heart, security behaviour, like behaviour in general, is incredibly complex and susceptible to persuasion and influence. A number of disruptive internal and external ‘factors’ can have a profound impact on the security behaviour of an individual and of the workforce as a whole. Whilst biological and physiological factors can affect behaviour too, ISF research found six key factors, three internal and three external, that an organisation can observe, manipulate and influence.

The three internal factors relate to an individual’s psychological processes and competence, specifically their attitude, motivation and overall proficiencies. The three external factors concern how the organisation communicates with the workforce, the capabilities provided to employees, and the influence that senior leaders have. The impact each factor has on the organisation as a whole, on individual teams or on specific roles can be carefully observed, critiqued and enhanced through a series of initiatives. Security awareness is therefore only one small component of a wider, more intricate behaviour change programme designed to target each factor in isolation or in tandem.

With this in mind, simply running an arbitrary security awareness campaign to make the workforce ‘aware’ of security, of the threats they may be exposed to and of the risks associated with their job roles, will not be enough to change and sustain behaviour in the long term. The industry needs to refocus its investments, targeting the most important internal and external factors that shape the behaviour and culture of the workforce.

Ultimately, the goal of a behaviour or culture change programme should be to reduce the number of security incidents related to behaviour and to improve the accuracy of incident reporting, rather than to deliver a tick-box, compliance-led campaign.

In the next blog we will look at step one of how a human-centred security programme can help reduce risk and improve information security.