The rationale behind this approach was to take their biggest asset – people – and change their behaviors, thus reducing risk by providing them with knowledge of their responsibilities and what they need to do. However, thanks to escalating complexity in the threat landscape, that approach is no longer enough.
The Information Security Forum (ISF) has released a report, “From Promoting Awareness to Embedding Behaviors,” which proposes that instead of simply making people aware of their information security responsibilities and how they should respond, the answer is to embed positive information security behaviors that will result in “stop and think” behavior becoming a habit and part of an organization’s information security culture.
The success of behavior change for information security should be measured through a reduction in risk, rather than what people know, or fail to know, and can choose to ignore.
“While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how new behaviors can reduce that risk,” said Steve Durbin, global vice president at ISF, in a statement. “The time is right and the opportunity to shift away from awareness to tangible behaviors has never been greater.”
As the ISF pointed out in its report, organizations have continued to invest heavily in “developing human capital.” No CEO’s speech or annual report would be complete without stating its value. The implicit assumption has been that awareness and training always deliver some kind of value with no need to prove it; employee satisfaction was considered enough. But now, business leaders more often demand return-on-investment forecasts for the projects they have to choose between, and awareness and training are no exception: evaluating and demonstrating their value is becoming a business imperative.
“The C-suite has become more cyber-savvy, and regulators and stakeholders continually push for stronger governance, particularly in the area of risk management,” Durbin said. “Moving to behavior change will provide the CISO with the ammunition needed to provide positive answers to questions that are likely to be posed by the CEO and other members of the senior management team.”
So how does an organization get there? For one, the ISF postulates that there are four requirements for future success: develop a risk-driven program; target behavior change; set realistic expectations; and engage people on a personal level.
And from there, it depends on the company. The ISF does lay out a general approach for linking key actions to a set of principles. For instance, to reduce risk, organizations should ensure each solution has a direct link to business requirements and addresses one or more risks; and companies should form a strong baseline and measurement criteria based on risk as a starting point.
Also, empower people. “Win hearts and minds through trust, motivation and empowerment,” the ISF recommends. “Position people to make information security a critical element of ‘how things are done around here.’”
“Unfortunately, there is no single process or method for introducing information security behavior change, as organizations vary so widely in their demographics, previous experiences and achievements and goals,” explained Durbin.