Security awareness programs: The difference between window dressing and behavior change
CISOs are responsible for pursuing cybersecurity purchases that align with the overall health of their organizations. All investments must drive tangible value and ROI while also contributing to the organization’s overall security posture.
Security awareness training is a hotly debated topic for this reason. Historically, cybersecurity awareness training has been either compliance-mandated or something a business purchases after it has experienced a data breach or ransomware attack. Part of the reason for this is that it is difficult to pinpoint the effectiveness of such training efforts.
So, rather than investing in initiatives that will result in a genuine behavior change, businesses put their dollars into compliance-focused initiatives like long seminars centered around hypothetical scenarios, leaving security leaders with an unclear understanding of the program’s effectiveness.
Users, too, often resent having to go through security awareness training. In other words, the investment in most security awareness programs is window dressing – something that looks good but is a false front.
Evaluating standard awareness initiatives
Cybersecurity awareness training is critical to businesses, particularly those operating with blended workplaces. Human actions account for 90% of all security incidents, so CISOs can quantifiably reduce their overall security incidents by upgrading the “human firewall.”
Businesses that run “check the box” compliance programs will see little value from them; however, organizations can achieve significant ROI from security awareness training with the proper strategy in place.
When evaluating standard security awareness initiatives that most enterprises have rolled out, most train employees exclusively with phishing simulation exercises and online learning modules.
The expectation that these initiatives alone will reduce phishing compromises and stop users from clicking on insecure links is unrealistic. A typical enterprise runs an average of four phishing campaigns per employee. The phishing click rate typically drops rapidly in the early campaigns, but the improvement does not last.
Our data indicates that the first campaign has a click rate of about 25% but whittles down to about half of that by the fourth campaign. However, the decrease eventually slows and stalls around 5%. Unfortunately, it only takes one user to click on a malicious link to result in a successful breach.
This data shows that implementing awareness and phishing simulations alone does not guarantee positive action among all employees. The simple explanation for this is that every worker is bombarded with emails and decisions to make with minimal time.
It’s easy to understand how someone would not weigh all information available to them before deciding to click on a potentially risky link.
Ensuring behavior changes with personalized security awareness programs
Instead of merely checking the annual compliance security box, good security awareness programs are focused entirely on real-world outcomes and results.
To achieve measurable results, companies need to make a real change in educating employees on cybersecurity and their role in protecting their companies.
The core issue with “cookie-cutter” security training, in which all employees receive the same phishing simulation, is that it often does not reach at-risk users at the critical moment when a potential attack is in progress. Nor is it delivered frequently enough to remain top of mind for employees.
By implementing policies, controls, and technologies that focus on the individual, organizations can more effectively teach employees the right behaviors that will result in a cyber-savvy culture.
The following three steps will help CISOs embrace a behavior-based approach:
- Personalize content for employees. Leveraging data based on an individual worker’s risk profile, role, and awareness needs paves the way for CISOs to build tailored awareness campaigns. Often, this is something they can easily do with the technologies their organization already has. For example, existing security and IT tools help create employees’ risk profiles, while HR systems and Active Directory provide context on employee roles. By implementing quick employee surveys, we can also understand the awareness needs of specific employees.
- Don’t focus solely on phishing. The world moving away from email to cloud-based communications tools has expanded the attack surface for CISOs. Good security awareness training programs should engage employees across multiple apps and activities, including the use of peer-to-peer software, personal cloud storage, public Wi-Fi, risky apps, or visiting compromised websites.
- Start tracking and measuring multiple metrics. Beyond reduced phishing incidents or malware infection rates, tracking specific actions – such as the number of users who have turned on 2FA or use a password manager – helps CISOs monitor actual employee behavior changes.
Taking a behavior-based approach to security awareness training is more effective than traditional initiatives, reduces costs, and provides a measurable ROI for organizations. Consider lane assist technology. The reason a driver drifts into another lane can range from fatigue to inattention to an inability to see the lines, but alerting drivers at the exact moment they begin to drift dangerously helps them avoid a collision.
Personalization works similarly. While the reason for a breach might vary from employee to employee, personalization helps employees internalize that their behavior is risky and to think twice before engaging in that behavior.
Self-awareness leads to a reduction in the number of incidents an organization’s security team has to investigate. Fewer incidents mean teams spend far less time and money remediating them.
Cybersecurity awareness training programs aren’t a sunk cost – they can deliver significant value if executed correctly. While there is no silver bullet for today’s cybersecurity issues, targeted, personalized security awareness programs can significantly reduce the cyber risk of enterprises.