At Infosecurity Europe 2018, Dr Jessica Barker, co-founder of Redacted Firm, discussed practical ways to build security awareness programs that can drive better user behaviors.
The first step is assessing “what your organization looks like on paper, and knowing about your organization in terms of the sector, the size, the geography – what are the most important information assets, which are the biggest threats and what would be the most damaging thing that could happen to the organization.”
Once you have that understanding of the baseline characteristics of the organization on paper, you can move onto “understanding them in real life,” Dr Barker said, and the key thing that must be done here is speaking to people within the organization “to find out what is actually happening, because as we know, what is happening day-to-day among the employees of an organization will be a very different picture to what you see on paper.”
Dr Barker added that a good level of security awareness does not always equate to good security understanding and changes in behavior, “so when we talk about awareness we need to think about what the outcome is that we want – we don’t want people to be aware just for the sake of it, we want to see changed behaviors.”
Her advice for doing that is to “work backwards” to create a culture in which people are engaged through experiences of what good security behavior is, adding that making “cybersecurity personal is one of the best ways to get through to people.”
“If you really want to change behaviors,” she concluded, “you need to think about intrinsic motivation and what you can do that is really going to tap into their [users’] internal rewards system.”