
Tackling retail cybersecurity threats with human-centric behavioral change

By Mika Aalto

December 2, 2022

Digital adoption rocketed forward a decade in a matter of months during the COVID-19 pandemic, accelerating the shift to digital commerce that began in the 2010s. According to recent research, the pandemic-driven boost to e-commerce is estimated to have exceeded $200 billion in 2020 and 2021.


As a result, the retail industry has become an even bigger target for cybercrime. In 2021, ransomware attacks on retailers rose 75% as U.S. consumers spent a record-breaking $1.7 trillion online in the same year.


With wide repositories of customer data and Personally Identifiable Information (PII), a successful attack on a retailer yields a significant return for a cyber attacker. Guess, Neiman Marcus and CVS Health are among the global household brands targeted and exploited by malicious actors in recent times.


As company boards and executives look to mitigate their risk of such attacks and thus begin advocating for increased spend on best-in-breed solutions, rich in automation and artificial intelligence, many fail to recognize that it’s people who still serve as the first line of defense. For retail organizations, in particular, phishing emails and social engineering continue to dominate as the most common delivery systems of attack. Given this, retailers and those in other industries could benefit from taking a more human-centric approach to address their security issues. 


Security Awareness and Training (SA&T) was the most common course of action an organization would implement when working to establish more robust human defense mechanisms. Awareness training can help reduce human error and promote cross-collaboration between security teams and other organizational departments. However, these legacy security awareness programs are no longer effective, as evidenced by the fact that the human element continues to feature heavily in most breaches. 


A recent Forrester Wave report explored the importance of “ABCs: Awareness, behavior, and culture” as a means to better protect against rising threats. Reducing human risk starts with instilling positive behavioral change among employees and ultimately altering their perceptions of and attitudes towards security and risk. This can be achieved in a number of ways.

 

Timing is Everything  

On average, retail workers receive nearly 50 malicious phishing emails each year. That means many opportunities for an employee to mistakenly view an email as legitimate and enable an attacker to successfully penetrate their network. With attackers increasing the frequency and scale of their email simulations, so too should organizations. Infrequent, mass security and phishing tests, which are sent out simultaneously to all employees, fail to positively enhance security posture and change behaviors.


The problem: these don’t catch employees by surprise. They’re expected and employees react accordingly. Instead, organizations should opt to send frequent, unique types of simulations on varying days and times. When employees encounter simulated attacks frequently, the issue stays top of mind. Repeating this over a period of time shapes new cybersecurity habits among employees.

 

Gamified Success  

Gamified learning is another critical component of achieving high engagement, which is itself essential to lasting behavioral change. Incorporating gamification can transform employee mindsets and result in the detection and resolution of the most sophisticated attacks.


By simulating vulnerabilities in controlled, gamified environments, organizations can put their employees’ skills to the test and practice reducing risks in real time. It puts users in the mindset of real attackers and leads to a better understanding of how to detect the most malicious attacks. In practice, it also results in an increased volume of employees reporting suspicious activity to security teams, rather than simply deleting or ignoring it.

 

Personalization and Variation  

It is crucial to prepare employees for every type of threat. From phishing to authority impersonation and invoicing scams, the list continues to grow. Ensure that the training provided addresses both the role and skill level of each individual trainee. Personalization is key to achieving lasting cybersecurity behavioral changes. Begin to understand the most common threats and risks (both existing and future) applicable to each business area. For example, the HR function has different security challenges than sales. Put this contextual information into play to create highly personalized programs for each person in each business segment.


Adopt a micro-training model and create short, easy-to-digest content to achieve high impact. For behavioral change, brevity is your best friend. Think TikTok for security training. 


In addition, consider each employee’s skillset. Start small with easy tests, then gradually advance difficulty. The right amount of difficulty along each employee’s personalized learning path will keep them engaged and interested, which will challenge and activate them to think critically. 

 

Positive Reinforcements 

Even with incorporating all of the above, without positive reinforcement during training, an organization will fail to achieve desired results. When training is positive, employees become more eager to participate in developing their skills and reporting threats. Feedback and recognition are important factors within this.


When a trainee successfully detects a threat, have a system in place that provides recognition. Also, give personalized feedback. If an employee fails to eliminate a threat completely but shows a positive response throughout the process, acknowledge it.  


Achieving noticeable behavioral changes takes time, effort and dedication. Challenging the notion that people are the weakest link in organizations and adopting behavioral change platforms will create a strong human detection engine, one of the most impactful ways to lower organizational risk. 

KEYWORDS: cyber security phishing retail security risk management social engineering


Mika Aalto is CEO and co-founder at Hoxhunt, a cybersecurity awareness company.
