The awareness challenges faced by modern organizations are similar to humanity's job of saving our own planet: a seemingly enormous and impossible task which requires the support of nearly every individual and will get done on a shoestring budget.
There’s no silver bullet, or a one-size-fits-all solution. In reading the news, it’s clear saving the planet needs advancing policy, technology, attitudes and behaviors, and maybe with some crossing of fingers. Security awareness is no different.
I’m not writing a doomsday piece. On the contrary, I have a profound optimism for humanity and our ability to resolve problems. For now, I’m going to leave policy to the policy makers, technology to the technologists, and instead focus on our attitudes and behaviors, and why behavioral insight can aid security awareness activities.
Thirty years of research exists on how to get us to recycle more or remember to shop with reusable bags. We have the same research and insight to lean on with security awareness.
Focus less on achievements, more on behaviors
Since childhood, we’re programmed to focus on achievements. Yet certified security awareness and training (SA&T) rollouts rarely get a “Thank you,” despite carefully selected, robust content and sophisticated learning pathways. Few SA&T solutions offer deep insight, and most KPIs reported upward look like a mixture of completion metrics and real incidents.
What I see and hear more of are security teams talking about behaviors rather than mandatory training and achievements. By measuring for consistent positive security behavior, companies can achieve a direct and measurable reduction in risk. We shift from “Why did the person click that phishing attack?” to “Most workers haven’t used the report tool in a while; here’s what to do.”
The UK’s National Cyber Security Centre (NCSC) has compiled a list of recommended behaviors which an increasing number of organizations have adopted. This represents a lightbulb moment for the industry: by focusing on behavioral insight and behavior change, there’s lighter training overhead, people are more satisfied, and security teams get to illuminate boardrooms with influential data.
Tap the insight sitting within the organization
Companies don’t need to rush out to buy new infrastructure. When I talk to most people about behavioral insight software, they imagine agents and think of “spying.” It’s nothing like that. There’s a gold mine of behavioral insight sitting within an organization’s existing systems: from productivity tools, identity providers (IdP), and security tools. There’s an emerging category of behavioral risk software which makes it easier to measure, show insight, and automate promising interventions.
How to change behavior
Start with the “Security behavior database.” It’s our community-driven taxonomy of behaviors that are associated with risk-related outcomes. Choose the risks and behaviors which are a priority, and start with just a few to observe and monitor. Let’s take the behavior “Using Single Sign On.” The IdP will have a record for each time a user logs into a service using SSO. That’s one less password in the world, and that’s good for everyone. Related risk outcome: account compromise will be reduced, something CISOs and boards increasingly want to see. Now that the security team has insight, it can think about behavior change. Use the data to be targeted and specific. A new mission emerges: drive and monitor adoption of SSO, rather than relying on mandatory training to mention this in passing.
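As an added illustration (not CybSafe's code or any IdP's schema), here is how a security team could turn IdP login records into the two measurements this section calls for: each user's share of logins that went through SSO, and which users have not used SSO recently. The event tuples, field layout and the 30-day lapse window are constructed assumptions for the example.

```python
"""Added example: measuring the 'Using Single Sign On' behavior from IdP records.

Constructed sample data; the (user, service, method, date) layout is an assumption,
not any vendor's log format. 'sso' = authenticated through the IdP, 'password' =
direct local login to the service.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample events: (user, service, method, date)
EVENTS = [
    ("alice", "crm",  "sso",      date(2024, 5, 1)),
    ("alice", "wiki", "sso",      date(2024, 5, 3)),
    ("alice", "crm",  "sso",      date(2024, 5, 6)),
    ("bob",   "crm",  "password", date(2024, 4, 2)),
    ("bob",   "wiki", "password", date(2024, 5, 5)),
    ("bob",   "crm",  "sso",      date(2024, 4, 10)),
    ("carol", "crm",  "password", date(2024, 5, 4)),
    ("carol", "wiki", "password", date(2024, 5, 6)),
]


def sso_adoption(events):
    """Per-user share of logins done via SSO, as a float in [0, 1]."""
    total = defaultdict(int)
    sso = defaultdict(int)
    for user, _service, method, _when in events:
        total[user] += 1
        if method == "sso":
            sso[user] += 1
    return {u: sso[u] / total[u] for u in total}


def lapsed_sso_users(events, today, max_gap_days=30):
    """Users whose most recent SSO login is older than max_gap_days, or who never used SSO."""
    last_sso = {}
    users = set()
    for user, _service, method, when in events:
        users.add(user)
        if method == "sso" and (user not in last_sso or when > last_sso[user]):
            last_sso[user] = when
    cutoff = today - timedelta(days=max_gap_days)
    return sorted(u for u in users if u not in last_sso or last_sso[u] < cutoff)


def org_adoption_rate(events):
    """Organization-wide fraction of all logins that went through SSO."""
    return sum(1 for e in events if e[2] == "sso") / len(events) if events else 0.0


if __name__ == "__main__":
    print(sso_adoption(EVENTS))
    print(lapsed_sso_users(EVENTS, today=date(2024, 5, 7)))
    print(org_adoption_rate(EVENTS))
```

The lapsed list is the targeted follow-up group; the per-user shares and the organization-wide rate are the before/after numbers to track as interventions are run.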
Something security teams can do today
Based on the insight we’ve collected from hundreds of thousands of people, from organizations across the globe, we know one in four people in organizations today are likely to have unsafe password behavior. This significantly increases the risk of account compromise.
Security teams can start by promoting a password manager. The benefits of a secure password manager are understood, but organizations suffer low adoption. From a behavioral psychology perspective, an organization improving this behavior will experience significant “spillover.” Think of spillover as when improving a behavior has a positive change on others. This includes stronger passphrases and not using personal details in passwords.
Studies show we’re more likely to recycle an item if we personally identify with the object. We’re now looking to see how behavioral research will have a huge impact on security awareness. Behavior change messaging could consist of a CEO speaking at a town hall meeting, or a playful message in Slack. It doesn’t matter a huge amount. When the company measures, it will experiment and adjust. The role has changed. Become a behavior change advocate and a technology evangelist. Go get it!
Jonathan Webster, chief technology officer, CybSafe