Building a More Behavior-focused Security Awareness Program
- By Steve Durbin, Information Security Forum
- September 16, 2024
According to certain analysts, companies have invested billions in initiatives to raise information security awareness. This approach aims to tackle the most significant security threat — human behavior — by modifying it through training programs and instruction on their roles in the event of a security incident.
Yet despite regular security awareness training, these activities have not fully succeeded: human error and acts of negligence continue to leave employees susceptible to social engineering ploys. The reality is that security awareness programs may fall short in certain areas:
- They are not aligned with business risks.
- They are not measured or valued appropriately.
- They make incorrect assumptions about people and their motivations.
- They set unrealistic expectations of users.
Going beyond conventional approaches: 7 recommendations
A simple knowledge transfer — making people aware of their information security responsibilities and how they should respond — is no longer enough. The success of information security programs must be evaluated on their reduction of risk rather than what people know (or don’t know). Here are recommendations on how organizations should approach their awareness programs:
- Align security awareness around business risks
Security awareness programs should be driven by the need to reduce overall business risks. For compliance risks, organizations may have to demonstrate that all employees have received information security awareness training. For operational risks, organizations should focus on protecting critical assets and concentrate on areas with the most vulnerable exposure and individuals with the highest risk profiles. For strategic risks (such as loss of reputation), organizations may need a behavior change or intervention to engage employees in their security responsibilities.
- Target behavior change, not awareness
It’s not to say that knowledge isn’t important, but it isn’t valuable unless it translates into positive behaviors. Part of this translation will be to provide users with the skills, assets and motivations they need to make the knowledge real. For instance, making policies, training and other materials easily accessible; distributing privacy screens, secure removable storage, and commercial-grade password managers at no cost; having leaders lead by example and citing security policies regularly; attaining a clear alignment between the intended behaviors that senior management are seeking and the systems and controls that are put in place.
- Look into alternative methods
Communication and training are not always the answer. What looks like people resisting could be a lack of clarity; what looks like people being lazy could be a lack of motivation; what looks like a people problem might be a situation problem. It’s easy to blame people when things go wrong. The root cause of a problem behavior could be a complex system with a cumbersome process or a problem with the physical environment. Organizations that experience a tailgating problem might need physical barriers that prevent tailgating instead of asking people to verify each other’s badges. A preventative approach might also be an answer – designing systems and processes with people in mind and infusing security from the outset.
- Set realistic timescales
Treat behavior change as a long-term exercise, because setting a short-term target could lead to disappointment. Senior management will nevertheless want to see results in shorter timescales, so start with a small group that can be monitored closely. Ideally, security awareness should be a multi-year project, justified by the benefits it could deliver in both the short term and the long term. Benefits may include lowering the organization’s risk profile, reducing the cost and frequency of security incidents, and improving risk management reporting.
- Empower people
By winning over hearts and minds, it becomes possible to influence behaviors and mindsets. When employees feel trusted, motivated, and empowered, they are inclined to show the desired behaviors and take accountability for their actions. This involves understanding their difficulties and offering the necessary tools and training at their preferred pace. When positive behaviors become ingrained in the organizational culture, information security becomes a fundamental aspect of established norms and practices.
- Move from tell to sell
People are busy; they have many conflicting priorities. Moving from ‘tell’ to ‘sell’ aims to connect personally, logically and emotionally with people. This can include several factors such as developing a strong security identity, deploying innovative solutions that make training activities distinctive and memorable, treating people as individuals and not applying a one-size-fits-all solution, tailoring programs according to skills and audiences, and implementing tools and processes that are simpler and more integrated.
- Hold people accountable
Employers need to explain their security expectations clearly. Positive security behaviors should be identified and recognized through performance reviews, while people should be held accountable for unacceptable behaviors. All communications and training should stress that security is a key business asset and that deliberate non-conformance will be addressed constructively at an individual level.
As stakeholders (and regulators) continually push for stronger cybersecurity governance, the need to shift from awareness to tangible behaviors becomes urgent. Encouraging positive security behaviors among employees will surely help security teams build a stronger security posture and inspire confidence in everyone.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.
Steve Durbin, Information Security Forum
Steve Durbin is chief executive of the Information Security Forum, an independent association dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best practice methodologies, processes, and solutions that meet the business needs of its members. ISF membership comprises the Fortune 500 and Forbes 2000.