6.27.23 – SIW – Perry Carpenter
Companies need to focus on changing behavior, not just increasing knowledge
Cybersecurity is an issue of great concern to companies of all types and sizes. And, because it is, many companies conduct some form of security awareness training to educate employees about inherent risks and how they can help minimize those risks.
But security awareness training is not enough to protect organizations from cyberattacks. Companies need to focus on changing behavior, not just increasing knowledge. People—employees—are the weakest link and that’s where organizations need to start.
People Are a Critical Layer
Your employees form a critical fabric, or layer, of the security stack and they need to be treated as a layer—one element of a multi-faceted, or defense-in-depth effort to thwart malign actors.
They are, though, vulnerable. And they will make mistakes. All of us are, in the end, “only human.” And being human means that there are times when an employee will click on a link they shouldn’t click on.
Does this mean that cybersecurity training efforts have failed—that training doesn’t work? No.
Training increases cyber resilience. That doesn’t mean one hundred percent protection. Training is an ongoing process because there will always be risks and there will always be vulnerabilities.
Your employees are a layer—a very critical layer. But to improve cybersecurity we need to approach everything from a much more critical level than we have traditionally.
The Myth of Annual Training Effectiveness
First, we need to make sure that we’re making our security training relevant. That starts with accepting the fact that an annual approach to training just doesn’t cut it. Annual training does little for knowledge transfer or behavior.
We know that when we do annual training, within just an hour we see a precipitous drop in recall. We’re always grappling with the fact that when we tell people things, they either might not care, or it just drips out of their heads. The more time that passes, the less they retain, because other inputs come in that, are more immediate and more relevant.
The other issue with annual training is that after it’s done, some people will leave the company and new hires will join the company but miss the training. What’s your organization’s turnover rate?
The only way we can get knowledge to stick is through repetition, or by training at a time when the information is most relevant to them. We need to ensure frequent exposure to knowledge and frequent building of important habits.
We know that knowledge alone never stops security breaches. Effectively addressing issues of cybersecurity requires a focus on behaviors and culture–social reinforcements along with all the different pieces of technology that can start to build the resilience required to move the bar in the right direction.
The goal is the reduction of risk. The way we do that is by winning hearts and minds and influencing behavior. This involves three critical components of a well-rounded program:
- Outreach. This involves a lot of the traditional tactics we think about—talking to people through videos, newsletters, posters, etc.
- Training and simulations. Not once a year, but throughout the year—interactive training and testing via phishing simulations, social engineering simulations, in-person classes—the kind of things employees are likely to engage in and interact with. The key here is that “training and simulations” is participatory rather than passive.
- Human detection and response (HDR). This is one of the most exciting areas in a modern security awareness program. It’s where a lot of interesting tools and technologies like AI and machine learning can come into play. Think of it as real-time, context-aware, just-in-time coaching based on the information people need or the actions they are taking at any given time. Kind of like each employee has their own security coach right there to help guide them into better decisions and actions.
These components all require content, experiences, and relationships. What are you telling users? How are you interacting with them? The experience that we bring is key. Ultimately, of course, we need to be focused on building relationships. Those relationships are critical because they help employees become part of the solution, rather than part of the problem.
When an employee clicks a link, they shouldn’t have clicked, we don’t want them to hide it. We want them to report it so that they can become part of the solution. But they won’t do that if they don’t have respect or strong relationships with the cybersecurity team. They won’t do that if you make them feel like you’re laughing at them if they click on something they shouldn’t have, or you’re condemning them, or looking for excuses to discipline them.
Relationships are foundational to a strong culture of cybersecurity. We must think about everything we do through that relational lens. Your employees need to realize and feel that you respect them and that you’re treating them as adults. That you’re not patronizing them. That you don’t think they are the problem, but a critical layer that you are trying to build resilience for their good and the good of the organization.
There’s a great saying that really gets at the heart of this: “Respect is like air. You don’t really notice it until it’s no longer there, and then that’s all you notice.” When we respect others, we are acknowledging their worth and value as human beings. We are showing them that we care about their feelings and opinions. When respect is absent, it can lead to conflict, misunderstanding, and even violence. Respect is a two-way street. We cannot expect others to respect us if we do not respect them first. We all have the power to treat each other with kindness, compassion, and understanding. And our security awareness, behavior, and cultural efforts should do just that.
About the Author: Perry Carpenter is co-author of the recently published, “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer.” [2022, Wiley] His second Wiley book publication on the subject. He is the chief evangelist and security officer for KnowBe4.
Email: perryc@knowbe4.com
Twitter: @PerryCarpenter