
EXPERT OPINION: Stop Talking About Security Awareness – Let’s encourage secure behaviour and culture instead

Richard Absalom, Principal Research Analyst, ISF
Published 8 October 2024

October is Cybersecurity Awareness Month. I wish we’d call it something else.

The problem is that word: awareness. We’ve been kicking it around for decades. But people are increasingly aware of cyber as big security incidents continue to hit the mainstream news. When that incident affects you, no matter who you are or how much you understand about tech, it ruins your day (or week, or month).

Security awareness programmes have been running for decades, but how effective are they? Do they actually change people’s behaviour? I, like many I’ve spoken to, am not convinced they have always been successful. People are still the primary target for the bad guys, the primary avenue to exploit when launching a cyber attack. Awareness programmes haven’t changed that or reduced our susceptibility to an acceptable level. As an industry, we’ve got to stop talking about awareness and think about how we foster a secure culture instead.

Humans: we are our organisations’ greatest strength, but we come with risk

No business can survive without humans yet – although AI may have something to say about that in the coming years. In the meantime, we remain impossible to live with or without. For any business, we – the employees, contractors etc. – generate most of the value and a large part of the risk. Purely in cyber terms, that risk is evident. Verizon’s 2024 Data Breach Investigations Report found that 68% of the data breaches it analysed involved a non-malicious ‘human element’ – and that figure does not even include malicious insider attacks [1]. This is a trend that shows no signs of slowing: study after study over the years has found the human factor to be the largest single element behind cyber incidents.

The way that we humans tend to act is often counterintuitive, with no better example than our curious relationship between awareness and behaviour. Logic would suggest that being aware of an issue would encourage us to change our behaviour in order to address it; however, across many areas of life, awareness campaigns on their own have repeatedly been shown to do little to change behaviour. I’m not saying anything particularly new here, as the excellent 2017 article ‘Stop Raising Awareness Already’ demonstrates [2]. It rings as true as ever, and it discusses how to create awareness that leads to action – which is exactly what security education, training and awareness (SETA) programmes need to achieve.

Changing culture at the organisation and individual level

There is some truth to the IT practitioner in-joke that the “problem exists between keyboard and chair” – but a security culture that blames users does not benefit anyone in the long run. We need to create a culture where people are not only aware of cyber threats but also act in a way that demonstrates that awareness. A good security culture does not mean a working environment where people are expected to behave perfectly regarding security all the time. Instead, it should be a place where people are not fearful of making mistakes. We all make mistakes, and there is always a chance that anyone will click on the wrong link – especially given the sophistication of some phishing, spear phishing and whaling campaigns, now being powered by generative AI. Feeling able to act and report quickly when you think something is wrong, without any form of retribution, is the kind of culture we should be aiming for. Ultimately, that will help both to prevent incidents and to respond accurately and quickly when they happen.

Of course, this is all easier said than done. Security teams face challenges getting their message across at every level of the organisation, so the first step – as with any programme of this sort – is earning full buy-in from the top. The culture at any organisation is set at the board and C-suite level, and the hallmark of successful change programmes everywhere is having champions and consistent messaging at that level.

Put together, all of the actions recommended below should help to positively influence security behaviour. They help to:

  • understand the key factors that influence employees’ security choices
  • deliver impactful security education, training and awareness
  • design systems, applications, processes and the physical environment to account for user

Implement a programme for change throughout the organisation

Cultural and behavioural change is unlikely to take root by simply working at an individual level: there needs to be a programme of change throughout the organisation. In practice, this means segmenting user groups by risk and developing tailored programmes for them. For those representing the greatest risk, this could involve delivering targeted activities at key moments: for example, an instant reminder if they click on a link during a phishing test, or a pre-planned briefing in the event of an incident or near-miss – either in the organisation or something that’s been on the news – about how it could have been avoided or responded to.

Develop a human-centred security culture

A human-centred security culture is based around human values and ways of working: it should not expect prior knowledge of IT or security, and it should offer consistent – and persistent – messaging and support. A single awareness campaign, or the requirement to complete an annual tick-box training exercise, does not create a secure culture. Employees should be given regular updates on threats, access to cyber exercises that bring the potential consequences to life, and encouragement to think critically about what they could practically do to prevent or respond to a cyber incident.

Design a human-centred approach to security

A human-centred approach to security understands users’ interactions with technology, controls and data, and invests accordingly. One of the key reasons that security awareness campaigns are ignored or ineffective is that security processes and controls are viewed as an inconvenience that gets in the way of daily working life. Controls need to be as simple, easy to use and unobtrusive as possible. Policies should be easily understood, straightforward and enforceable.

Create a human-centred working environment

A human-centred working environment has many benefits, enabling people to focus on the important things they need to do without distractions, discomfort or worries. From a security perspective, reducing distractions and offering a calm environment to think clearly helps to reduce the potential for people to make – or feel pressured into making – mistakes. Creating such an environment may involve re-evaluating and changing the structure of the working day, or offering a balance between office-based and home-based work – something that has become prevalent since the COVID-19 pandemic. It may also mean reviewing and improving workspaces, for example by giving people more space, reducing clutter, or giving teams easier access to work with each other.

Understand and address psychological vulnerabilities

At an individual level, behavioural change comes from understanding and addressing the psychological vulnerabilities that we all have. These are cognitive biases that can lead to errors in decision making, and which attackers seek to exploit. Security teams should identify the methods and techniques attackers use to exploit psychological vulnerabilities, and communicate how to counter them. This comes down to empowering individuals to think critically, as mentioned above. For example, we know that attackers commonly introduce some form of pressure – usually claiming something is time-critical – to coerce people into clicking a malicious link or sending money to an unusual account. Getting people to stop, think and question such requests is key. A good security culture is one where employees feel comfortable questioning requests from superiors, even if they turn out to be genuine.

Measure and evaluate behaviour change

Ultimately, to demonstrate to business leaders that building a secure culture is worth the investment, security teams will need to prove that behavioural change is happening – and is effective at reducing information risk. They will need to develop key indicators and metrics to measure behaviour change and demonstrate return on investment. No doubt, this remains a challenge. It is not simply a case of improving the results from phishing tests over time. Every organisation is different and will have to find measurements that make sense to them, but here are a few ideas:

  • Survey changing perceptions of security / the security team over time
  • Track demand to take part in cyber security exercises
  • Measure the number of incidents that involve some form of human error or manipulation over time and correlate to the number of training and activities provided
  • Track the frequency of security concerns raised directly (e.g. via the helpdesk) and indirectly (e.g. via whistleblowing) by employees.

Measuring behaviour change is something that ISF Members have told me is particularly challenging. So, if you have any ideas or examples of techniques that have worked for you, we’d all love to hear them: nailing this challenge is in the interest of organisations everywhere.
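As an added illustration of how the indicators listed above can be turned into numbers (this is example code, not from the ISF article or its research), the script below takes monthly programme records and computes a phishing-simulation report rate, human-element incidents and concerns raised per 1,000 people, a trend for each series, and a lagged correlation between training delivered in one month and incidents in the next. The field names, indicator definitions and sample data are all constructed assumptions about what a security team might record, not ISF’s methodology.

```python
"""Behaviour-change indicators computed from monthly programme records.

Added example for the 'Measure and evaluate behaviour change' section; it is
not code from the ISF article. Field names, the indicator definitions and the
sample data are constructed assumptions about what a security team might
record, not ISF's methodology.
"""
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class MonthRecord:
    month: str                   # "YYYY-MM"
    headcount: int               # people in scope that month
    training_events: int         # tailored briefings, exercises, nudges delivered
    human_incidents: int         # incidents involving human error or manipulation
    helpdesk_reports: int        # concerns raised directly (helpdesk, report button)
    whistleblowing_reports: int  # concerns raised indirectly
    phish_sim_sent: int          # simulated phishing emails sent
    phish_sim_reported: int      # simulated phishes reported by recipients


# Constructed sample: six months of a fictional programme (not real data).
SAMPLE: List[MonthRecord] = [
    MonthRecord("2024-01", 1000, 0, 10, 10, 0, 500, 40),
    MonthRecord("2024-02", 1000, 2, 10, 12, 1, 500, 60),
    MonthRecord("2024-03", 1000, 2, 8, 15, 1, 500, 90),
    MonthRecord("2024-04", 1000, 4, 8, 18, 2, 500, 120),
    MonthRecord("2024-05", 1000, 4, 6, 22, 2, 500, 160),
    MonthRecord("2024-06", 1000, 6, 5, 25, 3, 500, 200),
]


def per_thousand(count: int, headcount: int) -> float:
    """Normalise a count to a rate per 1,000 people so months with different
    headcounts remain comparable."""
    return count / headcount * 1000


def trend_slope(values: Sequence[float]) -> float:
    """Least-squares slope of a series against its index (change per month).
    Negative means the indicator is falling over time."""
    n = len(values)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = sum(values) / n
    sxy = sum((i - x_mean) * (v - y_mean) for i, v in enumerate(values))
    sxx = sum((i - x_mean) ** 2 for i in range(n))
    return sxy / sxx


def lagged_correlation(xs: Sequence[float], ys: Sequence[float], lag: int) -> Optional[float]:
    """Pearson correlation between xs shifted forward by `lag` months and ys,
    i.e. does activity in month t-lag move the outcome in month t?
    Returns None when there are too few pairs or a series is constant
    (the correlation is undefined there, which is not the same as zero)."""
    pairs = [(xs[t - lag], ys[t]) for t in range(lag, min(len(xs), len(ys)))]
    if len(pairs) < 3:
        return None
    x_mean = sum(p[0] for p in pairs) / len(pairs)
    y_mean = sum(p[1] for p in pairs) / len(pairs)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in pairs)
    sxx = sum((x - x_mean) ** 2 for x, _ in pairs)
    syy = sum((y - y_mean) ** 2 for _, y in pairs)
    if sxx == 0 or syy == 0:
        return None
    return sxy / sqrt(sxx * syy)


def summarise(records: Sequence[MonthRecord], lag: int = 1) -> Dict[str, object]:
    """Turn monthly records into the indicators the article suggests tracking:
    reporting behaviour, human-element incidents and concerns raised, each as a
    series plus a trend, and a lagged training/incident correlation."""
    report_rate = [r.phish_sim_reported / r.phish_sim_sent if r.phish_sim_sent else 0.0
                   for r in records]
    incidents = [per_thousand(r.human_incidents, r.headcount) for r in records]
    concerns = [per_thousand(r.helpdesk_reports + r.whistleblowing_reports, r.headcount)
                for r in records]
    training = [float(r.training_events) for r in records]
    return {
        "months": [r.month for r in records],
        "report_rate": report_rate,
        "report_rate_trend": trend_slope(report_rate),
        "incidents_per_1000": incidents,
        "incident_trend": trend_slope(incidents),
        "concerns_per_1000": concerns,
        "concern_trend": trend_slope(concerns),
        # Training delivered in month t-lag against incidents in month t.
        "training_incident_corr": lagged_correlation(training, incidents, lag),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```

Two caveats matter when reading the output. First, the sign you want differs per indicator: a falling incident trend is good, but a rising count of concerns raised is also good, because it shows people feel safe to speak up. Second, a correlation over a handful of months in a programme of this size is weak evidence; a new email filter or a quiet month for attackers would move the incident series just as much as training did, so these numbers belong alongside the survey and participation measures rather than standing in for them.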

Further reading

The ISF Security Culture and Human Factors suite of research, featured in our Cyber Month pack, provides a far more in-depth view of all the issues discussed here, and more. It includes four papers:

  • From Promoting Awareness to Embedding Behaviours: Secure by choice, not by chance
  • Human-centred security: Addressing psychological vulnerabilities
  • Human-centred security: Positively influencing security behaviour
  • Engaging with the Board: Balancing cyber risk and reward

References

[1] Verizon, ‘2024 Data Breach Investigations Report’, 2024.

[2] Christiano, A. and Neimand, A., ‘Stop Raising Awareness Already’, Stanford Social Innovation Review, Spring 2017.