Source: Mark Chaplin, Principal, ISF
27 Nov 2018

Psychology plays an increasing role in how organisations influence employee behaviour and develop a desired culture for success. A series of engagements with leading organisations around the world reflects the growing interest in influencing individuals’ decision-making when it comes to information risk. Governments, academia and industry are working closely together to tackle cyber risk against a backdrop of increasingly high-profile data breaches, system compromises and information leaks.

With more initiatives focusing on the ‘human factor’ and the ‘human firewall’, security professionals now acknowledge the role played by individuals in protecting their organisation’s information. Increasingly, the information security profession recognises that the ‘end user’ can no longer continue to be blamed as the main cause of data breaches: end users are an essential protective measure in their own right.

One of the greatest issues emerging in many organisations, according to feedback from seasoned security professionals, is the lack of support from middle management. “Business leaders and end users now get it. It’s middle management who are not driving the message from the top!” is how some security professionals have expressed their number one security awareness challenge.

We have known for many years that individuals throughout an organisation, from business leaders to end users, require help in identifying, managing and prioritising information risk, while maintaining focus on their own business priorities.

Here is a selection of good practices, taken from leading organisations, government researchers and progressive thinkers in academia, which can be applied to help develop a more security-positive culture.

Set strong direction for changing behaviour and culture

  • Establish a continuous, organisation-wide information security awareness programme
  • Align the programme with other corporate communication plans
  • Establish and promote a network of information security awareness ambassadors or champions

Establish an effective approach to planning and delivery

  • Actively identify, target and engage with individuals in all parts of the organisation and organise different teams to perform security awareness tasks
  • Involve L&D specialists at each intervention opportunity throughout the complete employment lifecycle
  • Leverage different engagement exercises and communication channels, including helplines and drop-in sessions

Apply a combination of diverse techniques

  • Provide positive reinforcement and empower individuals with tools, knowledge and skills
  • Make awareness activities engaging by applying methods of gamification
  • Leverage approved initiatives provided outside the organisation

Develop rich content for different audiences

  • Cover all elements of risk in awareness content and ensure messages remain simple, diverse, brief, current and personal
  • Tailor communications for each audience, providing accurate, trusted and meaningful information about risks, including practical examples of positive and negative security behaviours
  • Encourage reporting and share results and implications of security assurance activities

Measure effectiveness and provide assurance

  • Identify, collect and analyse metrics associated with key information security awareness activities
  • Review metrics against findings from risk management, security assurance and incident management activities
  • Obtain independent reviews from reputable, proven specialists in behaviour and culture change
  • Report the results of awareness assurance activities (including outcomes) to business leaders on a regular basis

To learn more about effective security awareness and behaviour/culture change, consult the report From Promoting Awareness to Embedding Behaviours: Secure by choice, not by chance. For the full library of podcasts on the latest hot topics, visit our digital media centre.