Every employee has a role to play in cyber-security, but training is often little more than a box-ticking exercise. Is there a better way?
Security awareness training is too focused on box-ticking and not enough on supporting people and creating real behavioural change, said James Beary, Sales Director of CybSafe, introducing a TEISS breakfast briefing at London’s Goring Hotel. That might keep the regulators happy, but it doesn’t reduce cyber-risk, and can even be counterproductive.
What’s needed is a new approach to the human aspect of cyber-security, one focused on security behaviours and informed by data, Beary told the audience of senior security executives from the financial services sector.
Even with a change in emphasis, financial services businesses and others in regulated industries will still have to satisfy the regulators. Most attendees agreed that the regulators need to be more progressive in their expectations when it comes to the people component of cyber-security. As Beary pointed out, some of the relevant regulations are 20 years old.
The tick-box approach that regulations encourage can sometimes be worse than ineffective; it can be actively counterproductive. Staff find the training boring and pointless, so they resent it and do the bare minimum to get through it.
While they wait for regulatory change, businesses are trying to find ways to make training more engaging. One attendee said his firm had hired a company specialising in comedy to make training videos that would be entertaining. Another said they were looking at incentivising staff by offering rewards to the department with the fewest security lapses.
A question of culture
Most attendees agreed that whatever approach you take to training, culture is vital. That starts at the top. If senior leadership doesn’t emphasise the importance of good security behaviour, then they can’t expect others to do so.
There was some disagreement as to whether culture is enough, however. One attendee suggested that culture is the reason people stop at traffic lights even when the road is empty and there are no cameras around to catch them jumping the light. But another argued that there will always be people who won’t follow the rules, so punishment is required. He said that at his firm anyone who repeatedly fails security tests would be dismissed.
Part of the reason why some people don’t do what they have been trained to do is that they don’t think it matters. Security professionals must answer the “so what?” question, as one attendee put it. If you can explain why cyber-security matters, then it is more likely that people will follow it. That means finding the right story for each employee, whether it’s an example of a previous problem the company faced or telling people how to keep their kids secure to teach good practice.
For most attendees, encouragement is preferred to punishment. There was general acceptance that most people try to follow the right processes but sometimes are too busy, too stressed, or too distracted, and they make a mistake. In those situations, someone fearing punishment might try to hide what they had done, which isn’t good for the business. It is better to encourage them to report what has happened so any possible threat can be dealt with.
A data-driven approach
It is because of the risk of mistakes that some organisations are looking towards data-driven methods of changing behaviour. CybSafe, said Beary, uses behavioural data to help security teams build a picture of human risk, and an understanding of the help and support that their people need.
The value of being more data-driven is that businesses can identify patterns of insecure behaviour, then investigate why behaviours are as they are and how to change them for the better.
Perhaps security procedures are just too complex and difficult to follow, or maybe security messages are failing to resonate for certain groups.
Security professionals can then respond with measures that target the root cause of the issue. They might simplify security procedures or tailor messaging so that it is more relevant to the group in question. For example, one attendee said that employees who deal directly with customers tend to care more about protecting customer data than those who don’t have a direct customer relationship.
One big change that many attendees hoped to see was action from regulators to align their requirements with approaches that have a demonstrable impact. It is something, they said, that the whole financial services sector should be asking for. Until then, businesses will need to find their own ways to improve their approach to managing this critical component of cyber-resilience and risk reduction.
© 2024, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543