Threat Intelligence

11/25/2020
09:45 AM
Why Security Awareness Training Should Be Backed by Security by Design

Cybersecurity training needs an overhaul, though the training itself is only one small part of how security teams can influence user behavior.

As IT organizations struggle with the security implications of remote working arrangements and the already lackadaisical attitudes about security that permeate across the enterprise user base, now is the time to change how security teams influence their users' behavior. So say experts at Information Security Forum (ISF), which this week released new guidance on how to move beyond tepid security awareness training toward more all-encompassing strategies. 

Most security leaders still struggle to develop security education and awareness initiatives that resonate with users across the workforce and promote sound security behavior, ISF reports. Some 65% of the ISF membership, on which its report is based, say their employees' receptiveness to existing security training is very low to medium. The biggest challenges these respondents name include a lack of applicability to job roles, mixed or inconsistent messages, and poorly developed content.

In the report "Human-Centred Security: Positively Influencing Security Behavior," ISF recommends organizations not only overhaul their security training programs, but also fundamentally change the role training plays in prodding employees to make consistently secure choices both in the digital and physical world. Central to that is taking up the mantle of secure behavior by design.

The concepts of "safe by design" or "secure by design" are well-established psychological enablers of behavior. For example, regulators and technical architects across the automobile and airlines industries prioritize safety above all else.

"This has to emanate across the entire ecosystem, from the seatbelts in vehicles, to traffic lights, to stringent exams for drivers," says Daniel Norman, senior solutions analyst for ISF and author of the report. "This ecosystem is designed in a way where an individual's ability to behave insecurely is reduced, and if an unsafe behavior is performed, then the impacts are minimized by robust controls."

As he explains, these principles of security by design can translate to cybersecurity in a number of ways, including how applications, tools, policies, and procedures are all designed. The goal is to provide every employee role "with an easy, efficient route toward good behavior."

This sometimes means changing the physical office environment or the digital user interface (UI) environment. For example, security by design aimed at reducing phishing susceptibility might include easy-to-use phishing reporting buttons within employee email clients. Similarly, it might mean adding prominent pop-ups in email platforms that remind users not to send confidential information.

"As a starting point, an individual will always choose to be productive in their current role over behaving securely. If the security element of an end-to-end process adds additional friction, this needs to change," Norman says. "Once additional risks have been identified, organizations will be better positioned to redesign the digital and physical environments to guide, motivate, and enable individuals to behave securely."

Central to the push to security by design is keeping the importance of user experience in UIs top of mind. 

"This is the visual interface of which an individual may be exposed to any number of threats that could potentially result in a security incident," he says. "The design of these systems must enable them to effectively manage and mitigate threats or report potential incidents as quickly as required."

Security by design is the backstop to solid security training, which should still play a vital role in human-centered security initiatives. But at most organizations, training needs to be revamped to make a difference. ISF believes organizations need to buckle down and improve their training content so that it is tailored to employee roles, focusing on high-risk user groups first. Behavioral psychology and educational research also indicate that, to be more effective, training needs to be more emotionally engaging and delivered more frequently.

Security teams need to be aware that these awareness programs are a huge opportunity to win or lose the hearts and minds of employees much in the same way marketers communicate brand values to buyers, says Lisa Plaggemier, chief strategy officer at MediaPro, a cybersecurity and privacy education provider.

"If the 'brand' of your security team isn't to be approachable, helpful, and add value, you won't be included in projects where you really do need a seat at the table," she says. "Your training and awareness program is the most visible thing your security team does, so use it to show that you want to work with the business, not against it, and that you're friendly and approachable."

Unfortunately, many security teams who understand this and want to reinvent the security brand with better training aren't allowed to due to organizational politics, Plaggemier says. They fail to make meaningful changes to security awareness training because corporate communications or human resources have too much veto power on the matter.

"Every week I talk to very talented training and awareness professionals that would like to push the envelope and do something creative that gets people's attention, and their good ideas get shot down or watered down to the point of no longer being engaging," Plaggemier says, explaining that security organizations are going to have to fight for more autonomy to make a difference. "If the security team is responsible and accountable, we also have to be empowered to run the program."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: STOP LOOKING IN HERE FOR YOUR PASSWORD!!!
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28488
PUBLISHED: 2021-01-22
This affects all versions of package jquery-ui; all versions of package org.fujion.webjars:jquery-ui. When the "dialog" is injected into an HTML tag more than once, the browser and the application may crash.
CVE-2021-22847
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege.
CVE-2021-22849
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
CVE-2020-8567
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...