As IT organizations struggle with the security implications of remote working arrangements and the already lackadaisical attitudes about security that permeate across the enterprise user base, now is the time to change how security teams influence their users' behavior. So say experts at Information Security Forum (ISF), which this week released new guidance on how to move beyond tepid security awareness training toward more all-encompassing strategies.
Most security leaders still struggle to develop security education and awareness initiatives that resonate with users across the workforce and promote sound security behavior, ISF reports. Some 65% of the ISF membership, on which its report is based, say their employees' receptiveness to existing security training is very low to medium. Some of the biggest challenges named by these respondents include a lack of applicability to job roles, mixed or inconsistent messages, and poorly developed content.
In the report "Human-Centred Security: Positively Influencing Security Behavior," ISF recommends organizations not only overhaul their security training programs, but also fundamentally change the role training plays in prodding employees to make consistently secure choices both in the digital and physical world. Central to that is taking up the mantle of secure behavior by design.
The concepts of "safe by design" and "secure by design" are well-established psychological enablers of behavior. For example, regulators and technical architects across the automobile and airline industries prioritize safety above all else.
"This has to emanate across the entire ecosystem, from the seatbelts in vehicles, to traffic lights, to stringent exams for drivers," says Daniel Norman, senior solutions analyst for ISF and author of the report. "This ecosystem is designed in a way where an individual's ability to behave insecurely is reduced, and if an unsafe behavior is performed, then the impacts are minimized by robust controls."
As he explains, these principles of security by design can translate to cybersecurity in a number of ways, including how applications, tools, policies, and procedures are all designed. The goal is to provide every employee role "with an easy, efficient route toward good behavior."
This sometimes means changing the physical office environment or the digital user interface (UI) environment. For example, security by design to reduce phishing susceptibility might include implementing easy-to-use phishing reporting buttons within employee email clients. Similarly, it might mean creating colorful pop-ups in email platforms to remind users not to send confidential information.
"As a starting point, an individual will always choose to be productive in their current role over behaving securely. If the security element of an end-to-end process adds additional friction, this needs to change," Norman says. "Once additional risks have been identified, organizations will be better positioned to redesign the digital and physical environments to guide, motivate, and enable individuals to behave securely."
Central to the push to security by design is keeping the importance of user experience in UIs top of mind.
"This is the visual interface through which an individual may be exposed to any number of threats that could potentially result in a security incident," he says. "The design of these systems must enable them to effectively manage and mitigate threats or report potential incidents as quickly as required."
Security by design is the backstop to solid security training, which should still play a vital role in human-centered security initiatives. But training needs to be revamped at most organizations to make a difference. ISF believes organizations need to buckle down and improve their training content to be more tailored to employee roles, focusing on high-risk user groups first. Behavioral psychology and educational research also indicate that, to be more effective, training needs to be more emotionally engaging and delivered more frequently.
Security teams need to be aware that these awareness programs are a huge opportunity to win or lose the hearts and minds of employees much in the same way marketers communicate brand values to buyers, says Lisa Plaggemier, chief strategy officer at MediaPro, a cybersecurity and privacy education provider.
"If the 'brand' of your security team isn't to be approachable, helpful, and add value, you won't be included in projects where you really do need a seat at the table," she says. "Your training and awareness program is the most visible thing your security team does, so use it to show that you want to work with the business, not against it, and that you're friendly and approachable."
Unfortunately, many security teams who understand this and want to reinvent the security brand with better training aren't allowed to due to organizational politics, Plaggemier says. They fail to make meaningful changes to security awareness training because corporate communications or human resources have too much veto power on the matter.
"Every week I talk to very talented training and awareness professionals that would like to push the envelope and do something creative that gets people's attention, and their good ideas get shot down or watered down to the point of no longer being engaging," Plaggemier says, explaining that security organizations are going to have to fight for more autonomy to make a difference. "If the security team is responsible and accountable, we also have to be empowered to run the program."