The Expert View: Security awareness and training: finding a new approach to delivery and measurement

Sponsored by CybSafe

It’s time to look beyond training and start looking at changing behaviour, suggested delegates at a recent TEISS breakfast briefing

Research shows that most cyber-security incidents are the result of human behaviour, and organisations have spent decades trying to tackle that with training, said James Beary, Sales Director of CybSafe, introducing a TEISS breakfast briefing at London’s Goring Hotel. But despite all the training, the problems continue, Beary added.

Cyber-security awareness efforts add to the avalanche of workplace training and communications. To navigate this and still get their work done, staff often approach training as a box-ticking exercise to be completed as soon as possible, so that they can get on with what they see as their real work.

Making training better

That doesn’t mean training is wasted. Most people are not technology experts. They need to know how to minimise the risk from threats faced by every modern organisation. The challenge is to deliver that information in as engaging a way as possible – and use it to drive behavioural change.

Attendees at the briefing – senior security professionals from a range of sectors – recounted efforts to make training more effective, from creating shorter, snappier sessions to building physical escape rooms.

Many said regulators should do more. Often, said one attendee, it seems like regulators are only concerned with whether training has been completed and aren’t interested in whether it actually works.

Behaviour trumps training

Some attendees pointed out a more serious problem: colleagues know what they should be doing and still don’t do it. They often have good reasons. Attendees gave examples of retail systems forcing logouts after seven minutes of inactivity, and doctors logging into multiple systems up to 40 times a day. It’s little wonder they take shortcuts.

In that sense, IT is partly to blame. It’s often seen as the “department of no”, attendees said, and has tended to guard its expertise. Progress could be made by rethinking IT systems to make it easier for colleagues to follow good security practice and putting friction around the behaviour organisations want to discourage.

To understand where those areas are, security professionals must be less prescriptive and more willing to work with individuals to identify pain points, attendees agreed. Once you know why they aren’t following their training, you can decide what to change.

Instilling good behaviour

Beary noted that the most enlightened organisations are beginning to narrow their focus by prioritising the key security behaviours that have the greatest impact on risk.

Attendees use both carrot and stick methods to encourage good security practice. Some offer simple rewards for those who do the right thing, such as chocolates or a word of thanks on the intranet. Others empower staff to call out risky security behaviour.

Other methods are more formal, such as adding a clause to contracts making good security behaviour a job requirement, though organisations must be willing to back that up with disciplinary action. Another attendee said his organisation holds monthly security seminars, to which every department must send a delegate who reports back on what was discussed.

A matter of culture

The right incentives, and their effectiveness, will depend on organisational culture. Beary explained how some organisations in the oil and gas sector can instil good security behaviour by making it an extension of the existing safety culture.

All attendees said security culture is contingent on buy-in from the top, with senior leaders often prioritising security concerns once they learn how incidents have affected other organisations in the same sector. The prospect of reputation damage, loss of revenue or, at worst, organisational collapse, can focus minds.

Leaders want metrics, but most attendees said these were lacking in their organisations. They know who opens phishing emails, but they need a more comprehensive and robust view of security behaviours and human cyber-risk. Beary highlighted that many organisations already have the data they need to develop this understanding; it is just not being used for this purpose. Modern human risk companies such as CybSafe are changing this by building applications that harness the data in existing security and productivity tools to deliver detailed human risk insights and more personalised interventions.

Attendees are keen to reach that goal, but the consensus was that there is more work to be done in getting there.

© 2024, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543