Changing Employee Security Behavior Takes More Than Simple Awareness

Designing a behavioral change program requires an audit of existing security practices and where the sticking points are.

Security awareness rarely leads to sustained behavior change on its own, according to a recent analysis – meaning that organizations need to proactively develop a robust “human-centered” security program to reduce the number of security incidents associated with poor security behavior.

According to the Information Security Forum (ISF), the information security industry is playing catch-up when it comes to positively influencing behavior – the proliferation of remote-working arrangements, exacerbated by the stress associated with the pandemic, has underlined the importance of strengthening the human elements of security.

In its digest released this week, entitled “Human-Centered Security: Positively Influencing Security Behavior,” the ISF laid out four elements that can move the needle on security behavior:

  • Understanding the key factors that influence employees’ security choices
  • Delivering impactful security education, training, and awareness
  • Designing systems, applications, processes, and the physical environment to account for user behavior
  • Developing metrics to measure behavior change and demonstrate return on investment

How to shift to a human-centered approach. Source: ISF.

“Errors and acts of negligence can cause significant financial and reputational damage to an organization, with many security incidents and data breaches originating from a human source,” said Daniel Norman, senior solutions analyst at the ISF, and author of the report. “A human-centered security program helps organizations to understand their people and carefully craft initiatives that are targeted at behavior change, reducing the number of security incidents related to human error and negligence.”

A successful program leverages cross-departmental collaboration to fully grasp the current state of security behavior, which subsequently enables organizations to target investment to mitigate the identified risks.

Top elements influencing security behavior. Source: ISF

Lisa Plaggemier, chief strategy officer at MediaPro, noted that in large organizations, where there are multiple reviews before awareness can go out to employees, there are a few specific issues to consider in this regard.

“The security team lets corporate communications or human resources have too much veto power,” she said via email. “I frequently talk to very talented training and awareness professionals that would like to push the envelope and do something creative that gets people’s attention, and their good ideas get shot down or watered down to the point of no longer being engaging. I know of one large company that wanted to move from one hour once a year training, to shorter trainings over the course of the year.  This is considered the norm for any mature security awareness program, but even that was shot down by corporate administrative functions (like HR) that have no responsibility for securing the organization. If the security team is responsible and accountable, we also have to be empowered to run the program.”

Some top pitfalls to avoid, according to Plaggemeir, include:

  • Letting perfection be the enemy of good. It’s better to do something, even if it’s imperfect, than to do nothing or spend too much time in limbo in corporate reviews and sign offs.
  • Under-communicating. Don’t assume everyone is reading everything you put out.
  • Poor writing and bad design. No one wants to read verbose security newsletters in 10 point font with no graphics.

An example of successful security behavior redesign. Source: ISF

“If the ‘brand’ of your security team isn’t to be approachable, helpful and add value, you won’t be included in projects where you really do need a seat at the table,” she said. “Your training and awareness program is the most visible thing your security team does, so use it to show that you want to work with the business, not against it, and that you’re friendly and approachable.”

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from world-class security experts on new kinds of attacks, the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.

Suggested articles