Companies need to move beyond security awareness and training (SA&T) efforts to find ways to reinforce security concepts at the right times, security experts said this week.
While security awareness and training (SA&T) programs are an effective first step in raising cybersecurity awareness, the focus is too often on compliance and less on improving security — to the point that checking the required boxes is all that matters, says Russell Spitler, co-founder and CEO of cybersecurity startup Nudge Security. Security training classes are less than scintillating — employees generally dislike mandatory classes — and active phishing exercises often seem more like attempts at "gotcha," he says.
"These are approaches that set up an artificial antagonism between the organization and the employees," he says. "It is not intended to be that way, but when the people running the exercise say, 'Ah, ha! You fell for my trick!' ... It feels like such a nonproductive action."
In the midst of Cybersecurity Awareness Month, companies are increasingly realizing that they need more than SA&T and compliance to harden their workforces against the cybersecurity threats they are currently facing. The shift in perceptions follows the exodus of workers from their offices to work-from-home arrangements, in the process becoming the first line of defense against attackers.
Improving Culture, Not Just Courses
Organizations should focus on awareness, behavior, and culture — the ABCs of human risk reduction — not just courses and training, according to Forrester Research. A focus on quantifying human risks and determining those risks based on actual user behavior leads to better outcomes, the research firm stated in "The Forrester Wave: Security Awareness And Training Solutions, Q1 2022."
"With employees operating remotely or physically, security awareness is now borderless — so it’s paramount to instill a 'security everywhere' culture," Forrester's analysts wrote. "All of this is causing well-needed disruption in a long-stagnant market. Fortunately, many vendors have risen to the challenge, creating solutions that no longer function solely to train people for the sake of it."
Nudge Security, for example, is not primarily a security awareness training tool, but a method of gaining visibility into software-as-a-service usage and automating security for those services. The company grants businesses visibility into their employees' actions by scanning for emails that indicate when users have signed up for a service.
However, the service also automatically sends users reminders to reinforce good cybersecurity behavior by using context-specific interactions — or "nudges" — that iteratively improve the security know-how of the user.
"The point of those relatively simple interactions is that the opportunity for compliance is much higher when you are engaging those employees as part of your team and extending that trust," Spitler says. "We are not treating the employees as an extension of the computer. We are assuming that the employee is going to get their job done, and then we are presenting them with more context for the situation."
'Micro-Training' to Change Behavior
Nudge Security is not alone. In November 2021, the most established player in the security awareness and training (SA&T) sector, KnowBe4, acquired SecurityAdvisor, a provider of real-time behavior analysis and micro-learning. The company aims to combine the two approaches to create a "human detection and response" service that delivers training at the right moments, says Erich Kron, a security awareness advocate with KnowBe4.
"I see a future where, if an employee replies to a phishing email and includes PII [personally identifiable information] or other sensitive information, a favored tactic of bad actors, not only does the data loss prevention [DLP] control stop the information from leaving the organization, but it also triggers a short training session about protecting information and that type of scam," he says. "In those situations, the person is likely to be thankful that the technical control stopped something bad from happening but will also be motivated to learn how not to make the mistake again."
Another firm, CybSafe, has focused on changing behaviors as well, using data-based metrics and behavioral psychology to create a platform that measures specific actions and provide context-specific feedback.
"Awareness is good to have, sure, but it doesn't change behavior," the company stated in a blog post. "Yet, organizations keep assigning more traditional security awareness training to their people. Yes, we're puzzled too."
Managing and Reducing Risk
Companies involved with security awareness and training need to find better ways, not just to educate employees about cybersecurity, but measurable ways to reduce risk. Security groups should determine the best metrics to track human risk, and find improved ways to reduce that risk, Forrester Research stated in its report.
"Innovation is important to [businesses] because the way the industry has long addressed SA&T has yielded nothing but frustration for employees, eroding security's brand and goodwill," the analysts stated. "You need a different way to manage human risk, not better ways to train people."