Conventional security awareness training fails to bring lasting changes to user behavior, according to experts in the field. Instead, organizations need to create a security culture by incorporating lessons from recent research into human behavior.
Speaking at Infosecurity Europe 2023, Charlie Sinclair, cyber security senior awareness and engagement manager at Unilever, and Tim Ward, CEO and co-founder at ThinkCyber, explained how techniques such as Nudge Theory are a better tool for changing workplace behavior than conventional e-learning programs.
Employees are far more likely to respond to programs that are timely or incentivize them to avoid risky behavior than those that seem to punish people for their mistakes.
For “nudge” to work, change programs need to be easy, attractive, social and timely, said Ward. Tools such as anti-phishing messages or security alerts should be delivered in the moment.
Messaging can become bolder and more prominent as behavior becomes more risky, for example, if an employee moves from clicking on a suspicious link to entering sensitive details on a form. It should also be easy for staff to report suspicious emails and to admit they have made mistakes.
“We are not just delivering content, we are changing behavior,” Ward said. “Annual security awareness [training] is not timely, but reporting buttons or banners can be effective.” Even something as simple as changing color palettes every three to six months can keep messaging fresh.
According to Ward, as many as 80% of security issues can come from just 10% of users. These are, Sinclair pointed out, often the users who are “disconnected” from security issues in their workplace. “These are the ones who make a mistake and don’t tell you about it,” she said. “They won’t listen, even if you train them.”
This group needs a more tailored approach to security awareness, she argued. Blanketing all employees with the same messaging or phishing tests rarely works.
“Security culture is not traditional e-learning. You need to focus on the psychology and how it works,” Sinclair said. “You have to accept that humans bring risk and understand how to tackle that risk.”
Security programs should be based on an understanding of risk; if organizations can quantify risk, that is more likely to gain, and keep, colleagues’ attention. A social element – such as sharing that a department had successfully blocked a certain number of phishing attempts – will also help.
Security departments should also consider using multiple channels, such as email and Microsoft Teams, to communicate; the best way to alert someone to a security risk is when they are using that application. “The message needs to be timely and relevant,” said Ward.