3 Realities of Building a Security Awareness Training Program

Security awareness training is a critical aspect of cybersecurity strategy because between 82% and 95% of security incidents can be attributed to human-related causes rather than a failure of cybersecurity technology. But the reality is that organizations often resort to a check-the-box approach where they assume they have “done security awareness”—they’ve provided the right information, given people the facts they think they need to know and conveyed their expectations. Unfortunately, truth is stranger than fiction. Below are three realities of security training that organizations should be prepared for:

1. Just Because They’re Aware Doesn’t Mean They Care

How many of us drive past speed limit signs and barely register them as more than a suggestion? We typically don’t see it as a binary decision but as a risk-based calculus. We look at that speed limit sign and say, “Do I really want to follow that based on my schedule, based on road conditions, based on what’s going on in my car, based on my other priorities of the day?” We build an internal and personal risk calculus and say, “Do I follow it or not?” The same thing is true with cybersecurity. When faced with a security decision, employees do the same thing in their minds. They’re taking security training under advisement (if they remember it at all) and are saying, “What are my priorities? Is it convenient or not? Does this slow me down? Does this further my objectives?” The problem is that security teams expect people to process information and behave differently than they do themselves. At the end of the day, we’re all human and guilty of the same type of mindset.

2. If We Work Against Human Nature, We Will Fail

One of the fundamental things organizations must do when developing a security program is to embrace that we are all dealing with human nature. If there’s a gap between the expectations we have of employees following cybersecurity policies and the realities of employee behavior, then it’s probably because the policy is not expecting people to be human. Instead, it’s expecting them to be robots that ingest information and react accordingly. Organizations expect everyone to have the same level of security competency, maturity and responsibility, which is rarely the case. The bottom line is organizations need to set realistic expectations, account for human behavior and find ways to work with human nature rather than against it.

3. What Employees Do is Way More Important Than What They Know

You must account for the knowledge-intention-behavior gap. Just because I’m aware doesn’t mean that I care. Think about New Year’s resolutions; we make that list and say, “I’m going to lose weight,” “I’m going to save more money,” or “I’m going to spend more time with family,” etc. We commit to these things mindfully and we know the benefits; however, the vast majority of people don’t follow through because an overriding behavior pattern takes control and we don’t have those habits ingrained. Similarly, in cybersecurity, we can throw tons of policies at employees, but just because they receive this information doesn’t mean they’ll behave a certain way.

How Can Organizations Build Better Security Awareness Training Programs?

There’s a well-known training model called “the four stages of learning.” When somebody lacks security awareness, they’re called “unconsciously incompetent”—they don’t know much about security and they just behave accordingly. Stage two is “conscious incompetence,” which is when they realize they have some knowledge but not enough to make sound security decisions. Stage three is “conscious competence,” which is when employees understand security and make a conscious effort to execute the new skill. The fourth and final stage is “unconscious competence,” which is reflex-like behavior where people unconsciously make the right security decisions—this is the ultimate goal for any security awareness program. From a best practices perspective, below are five items that can make security training more effective:

1. Content: Content is one of the most important items because it’s the information that’s delivered to employees. Just like Netflix, different types of content in different styles with a host of different flavors will resonate with different pockets of employees.

2. Repetition: Like marketing or branding, if one wants to influence behavior, they have to constantly get in front of people. Advertisements don’t work by running once a year because that’s ineffective. One has to promote security regularly so that people understand its context in their own lives and eventually it will influence their everyday behavior and decision-making.

3. Testing: Organizations should put people in situations where they have to make a decision related to a hack or breach. Things like phishing simulations where your employees are prompted to either click a link, “report that phish” or do nothing, can help build muscle memory in employees.

4. Metrics: If something is worth doing, it’s something worth measuring. If need be, we can refine it so that we know exactly what we’re doing well and the areas that need improvement. Metrics are critical to maintaining executive support and understanding what things need to be changed or done differently.

5. Culture: While some corporate training is formal, most of it is experiential, which is the social or cultural component of security. It’s the sharing of information and experiences that happen when we ask our neighbor for something or we look over their shoulder and see how they’re solving a problem. It’s also the gentle peer pressure and peer influence we experience every day in different contexts of life. Organizations should not ignore this aspect of security.
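Items 3 and 4 above (phishing simulations and metrics) are where a program produces data, and the numbers that keep executive support are usually per-campaign click rate, report rate and how quickly the first reports arrive. The following is an added example, not code from the author or from KnowBe4, that computes those figures from a small constructed simulation event log. The event format, the metric definitions and the idea of flagging users who clicked in more than one campaign for targeted follow-up are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed phishing-simulation event log (not real data). One row per
# observed action: (campaign, user, action, ISO timestamp). A user may
# click and later report the same message; both actions are recorded.
EVENTS = [
    ("2024-Q1", "alice", "delivered", "2024-01-08T09:00:00"),
    ("2024-Q1", "alice", "clicked",   "2024-01-08T09:04:10"),
    ("2024-Q1", "bob",   "delivered", "2024-01-08T09:00:00"),
    ("2024-Q1", "bob",   "reported",  "2024-01-08T09:12:30"),
    ("2024-Q1", "carol", "delivered", "2024-01-08T09:00:00"),
    ("2024-Q1", "carol", "clicked",   "2024-01-08T10:30:00"),
    ("2024-Q1", "carol", "reported",  "2024-01-08T10:31:00"),
    ("2024-Q1", "dave",  "delivered", "2024-01-08T09:00:00"),
    ("2024-Q2", "alice", "delivered", "2024-04-15T09:00:00"),
    ("2024-Q2", "alice", "reported",  "2024-04-15T09:02:00"),
    ("2024-Q2", "bob",   "delivered", "2024-04-15T09:00:00"),
    ("2024-Q2", "bob",   "reported",  "2024-04-15T09:20:00"),
    ("2024-Q2", "carol", "delivered", "2024-04-15T09:00:00"),
    ("2024-Q2", "carol", "clicked",   "2024-04-15T09:45:00"),
    ("2024-Q2", "dave",  "delivered", "2024-04-15T09:00:00"),
    ("2024-Q2", "dave",  "reported",  "2024-04-15T11:00:00"),
]


def campaign_metrics(events):
    """Per campaign: distinct recipients, click rate, report rate and the
    median minutes from delivery to a user's first report. Rates count
    distinct users, so a double click is still one clicker."""
    delivered = defaultdict(dict)   # campaign -> user -> delivery time
    clicked = defaultdict(set)      # campaign -> users who clicked
    reported = defaultdict(dict)    # campaign -> user -> first report time
    for campaign, user, action, ts in events:
        t = datetime.fromisoformat(ts)
        if action == "delivered":
            delivered[campaign][user] = t
        elif action == "clicked":
            clicked[campaign].add(user)
        elif action == "reported":
            reported[campaign].setdefault(user, t)  # keep the earliest report
    out = {}
    for campaign, users in delivered.items():
        n = len(users)
        minutes = [
            (reported[campaign][u] - users[u]).total_seconds() / 60
            for u in reported[campaign] if u in users
        ]
        out[campaign] = {
            "delivered": n,
            "click_rate": len(clicked[campaign] & set(users)) / n,
            "report_rate": len(minutes) / n,
            "median_minutes_to_report": median(minutes) if minutes else None,
        }
    return out


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns;
    candidates for targeted repetition rather than another org-wide blast."""
    hits = defaultdict(set)
    for campaign, user, action, _ in events:
        if action == "clicked":
            hits[user].add(campaign)
    return sorted(u for u, cs in hits.items() if len(cs) >= min_campaigns)


def trend(metrics):
    """Change in click and report rate between the two most recent
    campaigns (campaign ids are assumed to sort chronologically)."""
    names = sorted(metrics)
    if len(names) < 2:
        return None
    prev, last = metrics[names[-2]], metrics[names[-1]]
    return {"click_rate_delta": last["click_rate"] - prev["click_rate"],
            "report_rate_delta": last["report_rate"] - prev["report_rate"]}


if __name__ == "__main__":
    m = campaign_metrics(EVENTS)
    for name, row in sorted(m.items()):
        print(name, row)
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("trend:", trend(m))
```

Report rate and time-to-first-report are the numbers to watch as much as click rate: a falling click rate with a flat report rate means people are ignoring the lure, not recognizing it, and the program has not yet reached the “conscious competence” stage the article describes. The repeat-clicker list is what turns the "repetition" item into something targeted instead of blanket.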

Accepting the three realities of security awareness is the first step. Next, take time to understand your culture, invest in good content, deliver it at a level and pace people can digest, repeat messages over time, supplement them with frequent, real-world phishing simulations and monitor and tweak your program regularly. Doing so will help build resilience in your organization.


Perry Carpenter

Perry Carpenter (author of “Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors” and host of the “8th Layer Insights” podcast) currently serves as Chief Evangelist and Strategy Officer for KnowBe4.
