Human error contributes to almost 95% of security breaches. Most security approaches still fail at making a desired impact. Let’s analyze the two main reasons why businesses fail to develop a robust, human-centric security approach.
- Security awareness alone cannot influence positive security behavior
London-based security association The ISF determined that 92% of enterprises run some form of security awareness campaign, but only one-third commit budget to a behavior or culture change program. It appears that businesses are either too focused on satisfying compliance mandates or are not engaged enough in a sustained effort for making behavioral changes.
- Change management and sustaining positive behavior are complex challenges
Security behavior is influenced by a number of internal and external factors and is an incredibly complex challenge. Internal factors involve attributes like psychology, cultural attitudes, motivation and competence. Do employees know and understand the types of risks they are exposed to? Do they understand the security measures the business is taking? Do they understand the consequences of their actions to the business?
External factors relate to attributes like organizational communication (how a business communicates to its workforce), capabilities (tools and resources provided to employees) and the influence (or culture) of senior leaders in setting an example to the workforce. Shortcomings in either internal or external factors can derail change management efforts.
Key steps in developing a human-centric security awareness program
A human-centric security program can be executed in different ways and no two programs are alike. That said, steps outlined below can help any organization—regardless of its size, budget or approach— implement a robust security awareness foundation:
Step1: Establish a behavioral baseline
Organizations frequently embark on security awareness programs without first assessing their current status. Establishing a baseline upfront helps the business identify strong and weak spots and to determine where the program is heading. Businesses should gain insight on where they’re now in terms of security behavior, the risk profile of each role and department, and what the business is currently doing to influence change.
Collecting evidence of security behavior from both qualitative and quantitative sources of information might be a good place to start. Historical datasets, risk assessment results and user behavior analytics are some examples of quantitative sources that businesses can use to evaluate their current security posture. Focus groups and behavioral response tests are examples of qualitative sources that organizations can use to measure status or current ability.
Step 2: Implement security initiatives
Once a baseline is drawn and an action plan is established you can now proceed towards implementing your security initiative. It’s vital for businesses to take culture and psychology into consideration because people have an innate desire to feel valued and act authentically without fear of reprisal. Findings from a PwC study showed that a majority of employees fear retribution if they raise a security concern. A culture of blame, shame or punishment will ostracize employees, make them less likely to report incidents, and inadvertently push them towards acting negligently.
Ensure communication is tailored to your particular audience. Employees are not homogenous; someone from sales may not experience the exact same threat level as a senior executive. Instead of running a blanket message, communication should be tailored to employee roles so that it resonates and improves engagement. Focusing on high-risk user groups first will improve security effectiveness.
Emotional engagement is another important aspect of training. Gamification, contests and other forms of simulation exercises can be extremely effective versus something that is dull, boring or mundane. People are receptive to regional narratives with such stories being more likely to be remembered. Content should be served up in smaller digestible doses, on a frequent basis, so that it doesn’t overwhelm training efforts while helping to develop muscle memory to recognize potential threats.
Step 3: Secure behavior by design
Individuals may experience a number of security threats throughout the day, but the tools and the systems available to them are not always designed in a way that allows them to effectively manage this threat or report it. By the time the actual employee realizes they’ve made an error or information has been compromised, it might be too late. Because current security measures aren’t connecting with people, adopting a cybersecurity-savvy culture means improving internal awareness and engagement needs so that employees are aware of policies, tools and procedures and efforts made by the business.
Secure behavior by design is an approach for developing systems, applications, processes and physical environments in a manner that guides and shapes positive security behaviors without acting as a deterrent to productivity. A good example of this can be something as simple as reporting a phishing email. An insecure design would mean that an employee would have to check the company policy to find the right contact to report the phishing incident. Instead, a secure by design system would consist of a phishing report button an employee could use to report a suspicious email to the security team. People often tend to mimic a wider group, so if we can design policies that enable individuals to proactively act securely, and if leadership is setting the right example, chances are other people will follow suit until eventually the entire office will manifest a security mindset over time.
To summarize, businesses that aim to champion security awareness and education should:
- Have a deeper understanding of the types of risks each individual would experience.
- Implement a program that accounts for psychology, culture and emotional engagement.
- Invest in progressive policies that help influence positive security behavior.
