News

Building A More Behavior-focused Security Awareness Program

Steve Durbin, ISF CEO
Published 16 - September - 2024
Read the full article on CDO Trends

According to certain analysts, companies have invested billions in initiatives to raise information security awareness. This approach aims to tackle the most significant security threat — human behavior — by modifying it through training programs and instruction on their roles in the event of a security incident.

Yet despite regular security awareness training, these activities have not fully succeeded: human error and acts of negligence continue to leave employees susceptible to social engineering ploys. The reality is that security awareness programs may fall short in certain areas:

  • They are not aligned with business risks.
  • They are not measured or valued appropriately.
  • They make incorrect assumptions about people and their motivations.
  • They set unrealistic expectations of users.

Going beyond conventional approaches: 7 recommendations

A simple knowledge transfer — making people aware of their information security responsibilities and how they should respond — is no longer enough. The success of information security programs must be evaluated on their reduction of risk rather than what people know (or don’t know). Here are recommendations on how organizations should approach their awareness programs:


1. Align security awareness around business risks

Security awareness programs should be driven by the need to reduce overall business risks. For compliance risks, organizations may have to demonstrate that all employees have received information security awareness training. For operational risks, organizations should focus on protecting critical assets and concentrate on areas with the most vulnerable exposure and individuals with the highest risk profiles. For strategic risks (such as loss of reputation), organizations may need a behavior change or intervention to engage employees in their security responsibilities.

2. Target behavior change, not awareness

This is not to say that knowledge isn’t important, but it isn’t valuable unless it translates into positive behaviors. Part of this translation will be to provide users with the skills, assets and motivations they need to make the knowledge real. For instance: making policies, training and other materials easily accessible; distributing privacy screens, secure removable storage, and commercial-grade password managers at no cost; having leaders lead by example and cite security policies regularly; and attaining clear alignment between the behaviors senior management is seeking and the systems and controls that are put in place.

3. Look into alternative methods

Communication and training are not always the answer. What looks like people resisting could be a lack of clarity; what looks like people being lazy could be a lack of motivation; what looks like a people problem might be a situation problem. It’s easy to blame people when things go wrong. The root cause of a problem behavior could be a complex system with a cumbersome process or a problem with the physical environment. Organizations that experience a tailgating problem might need physical barriers that prevent tailgating instead of asking people to verify each other’s badges. A preventative approach might also be an answer – designing systems and processes with people in mind and infusing security from the outset.

4. Set realistic timescales

Treat behavior change as a long-term exercise, because setting a short-term target could lead to disappointment. Senior management will still want to see results in shorter timescales, so start with a small group that can be monitored closely. Ideally, security awareness should be a multi-year project justified by the benefits it could deliver in both the short term and the long term. Benefits may include lowering the organization’s risk profile, reducing the cost and frequency of security incidents, and improving risk management reporting.

5. Empower people

By winning over hearts and minds, it becomes possible to influence behaviors and mindsets. When employees feel trusted, motivated, and empowered, they are inclined to show the desired behaviors and take accountability for their actions. This involves understanding their difficulties and offering the necessary tools and training at their preferred pace. When positive behaviors become ingrained in the organizational culture, information security becomes a fundamental aspect of established norms and practices.
