
Threat Intelligence

11/25/2020
09:45 AM

Why Security Awareness Training Should Be Backed by Security by Design

Cybersecurity training needs an overhaul, though the training itself is only one small part of how security teams can influence user behavior.

As IT organizations struggle with the security implications of remote working arrangements and the already lackadaisical attitudes about security that permeate across the enterprise user base, now is the time to change how security teams influence their users' behavior. So say experts at Information Security Forum (ISF), which this week released new guidance on how to move beyond tepid security awareness training toward more all-encompassing strategies. 

Most security leaders still struggle to develop security education and awareness initiatives across the workforce that resonate with users and promote sound security behavior, ISF reports. Some 65% of the ISF membership, on which its report is based, say their employees' receptiveness to existing security training is very low to medium. Some of the biggest challenges named by these respondents include a lack of applicability to job roles, mixed or inconsistent messages, and poorly developed content.

In the report "Human-Centred Security: Positively Influencing Security Behavior," ISF recommends organizations not only overhaul their security training programs, but also fundamentally change the role training plays in prodding employees to make consistently secure choices both in the digital and physical world. Central to that is taking up the mantle of secure behavior by design.

The concepts of "safe by design" or "secure by design" are well-established psychological enablers of behavior. For example, regulators and technical architects across the automobile and airline industries prioritize safety above all else.

"This has to emanate across the entire ecosystem, from the seatbelts in vehicles, to traffic lights, to stringent exams for drivers," says Daniel Norman, senior solutions analyst for ISF and author of the report. "This ecosystem is designed in a way where an individual's ability to behave insecurely is reduced, and if an unsafe behavior is performed, then the impacts are minimized by robust controls."

As he explains, these principles of security by design can translate to cybersecurity in a number of ways, including how applications, tools, policies, and procedures are all designed. The goal is to provide every employee role "with an easy, efficient route toward good behavior."

This means sometimes changing the physical office environment or the digital user interface (UI) environment. For example, security by design aimed at reducing phishing susceptibility might include implementing easy-to-use phishing reporting buttons within employee email clients. Similarly, it might mean creating colorful pop-ups in email platforms to remind users not to send confidential information.

"As a starting point, an individual will always choose to be productive in their current role over behaving securely. If the security element of an end-to-end process adds additional friction, this needs to change," Norman says. "Once additional risks have been identified, organizations will be better positioned to redesign the digital and physical environments to guide, motivate, and enable individuals to behave securely."

Central to the push for security by design is keeping the importance of user experience in UIs top of mind.

"This is the visual interface of which an individual may be exposed to any number of threats that could potentially result in a security incident," he says. "The design of these systems must enable them to effectively manage and mitigate threats or report potential incidents as quickly as required."

Security by design is the backstop to solid security training, which should still play a vital role in human-centered security initiatives. But training needs to be revamped at most organizations to make a difference. ISF believes organizations need to buckle down and improve their training content so that it is more tailored to employee roles, focusing on high-risk user groups first. Behavioral psychology and educational research also indicate that, to be more effective, training needs to be more emotionally engaging and more frequently delivered.

Security teams need to be aware that these awareness programs are a huge opportunity to win or lose the hearts and minds of employees much in the same way marketers communicate brand values to buyers, says Lisa Plaggemier, chief strategy officer at MediaPro, a cybersecurity and privacy education provider.

"If the 'brand' of your security team isn't to be approachable, helpful, and add value, you won't be included in projects where you really do need a seat at the table," she says. "Your training and awareness program is the most visible thing your security team does, so use it to show that you want to work with the business, not against it, and that you're friendly and approachable."

Unfortunately, many security teams who understand this and want to reinvent the security brand with better training aren't allowed to due to organizational politics, Plaggemier says. They fail to make meaningful changes to security awareness training because corporate communications or human resources have too much veto power on the matter.

"Every week I talk to very talented training and awareness professionals that would like to push the envelope and do something creative that gets people's attention, and their good ideas get shot down or watered down to the point of no longer being engaging," Plaggemier says, explaining that security organizations are going to have to fight for more autonomy to make a difference. "If the security team is responsible and accountable, we also have to be empowered to run the program."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.