BLACK HAT 2019 – Las Vegas – As human error continues to top data breach causes, security leaders grapple with how to get employees to care about, and adopt, stronger security habits.
"When you think about the ways how you could lower that number, the first thing that comes to mind is training," said Aika Sengirbay, current security awareness program manager at Airbnb and former senior security engagement specialist at Autodesk, in the Black Hat briefing "It's Not What You Know, It's What You Do: How Data Can Shape Security Engagement."
"But compliance-focused trainings are not enough to change human behavior, and especially not enough when it comes to security behaviors," she added. Noticing the old way of training was "broken," Autodesk sought new ways to improve its employee security training strategy.
Companywide trainings, often done to "check the box" on security awareness, are not typically measured and don't offer a way to track improvement. All employees receive the same general training, which fails to engage and rarely drives progress. They wanted the new methodology to recognize their skill levels, respect their time, and motivate them to learn about security.
To accomplish this, the Autodesk teamed up with Elevate Security. Their first step was to create a list of desired employee behaviors: handle sensitive data, patch, increase reporting, and use multifactor authentication and VPNs, said Elevate co-founder Masha Sedova.
"If you had a magic wand, what would your employees be doing right now?" Sedova asked the audience. "These end up actually being mindsets; they're not things you can measure in a tangible way." This "master list" became a bank of open-ended behaviors they wanted to see.
Step two drilled into "vital behaviors," which required the team to create a list of questions to prioritize worker activity: "What would be the most damaging to your company?" for example. "What are your most frequent incidents?" "What do your stakeholders care most about?"
Step three was to find data to measure progress and inform future strategies, Sengirbay said. The team ran internal phishing assessments, worked with incident response teams to identify suspicious messages, and consulted with enterprise device admins to see who used password managers. They pulled from the learning management tool to see who had completed training.
An employee was considered "successful" if they had not submitted their credentials to a phishing page, sent sensitive data through appropriate channels, installed and used a password manager within the 30 days prior, and completed the required training.
This all contributed to the "Individual Security Snapshot," a program designed to present employees with prioritized security behaviors, identify strengths, provide recommendations for training, and reward behaviors. A considerable amount of effort went into creating a dynamic scoring system that was culturally relevant and ongoing, and urged people to change their actions.
"How do we communicate this in a way that actually shifts behavior?" said Sedova of employees' security feedback. The team wanted their scoring system to be on a sliding scale so people would know they could change it with ongoing good behavior, similar to a credit score. They illustrated the scale with dragons: Poor security habits earned them a "flimsy" dragon on one end of the spectrum; strong habits made them an "indestructible" dragon on the other.
To add incentive, they leveraged social proof, which uses the context of what other people are doing to influence someone's decision. For example, one alert informed employees they were "3.2 times more like to fall for a phish" than others in the department. Another said "12% of your department has installed LastPass" and mentioned Autodesk's CEO was using the tool.
"We're tapping into the things that make us all human," Sedova explained. Amazon reviews work the same way: If you know someone else is using something, you're likely to try it.
Security Snapshot reinforces good behavior by awarding employees virtual badges when they do things like detect all of their phishing email, report suspicious behavior, or complete a training. This intrinsic motivation doesn't work for everyone, Sedova said, but it's effective for many.
"As a security professional, I've seen security teams do a great job of punishing people who do the wrong thing" but rarely tell employees when they do something right, she added.
The Snapshot approach worked. Sixty percent of employees were willing to engage with Snapshot emails, Sengirbay said. Each email shifted the average security score across the organization. Autodesk was ultimately able to increase the number of people with scores of 70 or above by 170%. Researchers noticed low performers only had a 17% open rate of the emails, while those with higher scores and better security practices had a 58% open rate.
"Data can help us see what reality is and stop driving our awareness programs based on assumptions we have," Sengirbay added. With contextual information to inform their training strategy, the researchers saw opportunity for changes they didn't know they needed.