Speaking at The European Information Security Summit in central London, Professor Angela Sasse, professor of human-centred technology and director, UK Research Institute in Science of Cyber Security at UCL, discussed the changes companies need to make to get cybersecurity awareness training to resonate better with their employees.
In her session ‘HOW TO: Design a training programme that works with the way people naturally behave’, Sasse said that there is “something that’s a bit rotten at the core” of security awareness, and it’s the assumption that “people are at fault” for security problems.
“The temptation is there that in the mind of a technology person making changes to technology is immediately expensive, and then say ‘surely doing a bit of training is cheap in comparison’ – but it’s not if you’re not really getting any changes or results,” Sasse explained.
There is a need to clean up security awareness training, she added, but it cannot be done in a haphazard way.
“In most organizations today, awareness training is just background noise. This stuff is being pushed at people but it’s going past them and they are not engaging with it and not changing as a result.”
A key part of Sasse’s message was that changing security behavior requires a big effort; there’s a process you need to guide users through until their behavior becomes natural to them, and the most important element of that is engagement.
“If you want to change people’s behavior the first thing we need to do is stop this one-way communication where we blast things at people and engage – and I mean really engage. You need to really work with your people and embark on having ongoing conversations with them about what the threats are out there.
“We will change people mostly by getting them to engage with one another. In discourse within organizations, security often doesn’t feature at all, and if it does it’s often in a negative way and people are complaining about it. That’s what we want to change – we want people to talk about security, discuss the risks, but help each other out. The more people talk about security to each other, the better things will become.”
To conclude, Sasse highlighted four important steps organizations need to take to make these changes and improve their security awareness training for the better:
1. Security hygiene: make it easy for people to do the right thing
2. Authoritative, trustworthy instructions: single source, unified terminology
3. Target: who needs to change what
4. Engagement: socialising security events, games, etc.