To demonstrate why security awareness training so often fails, it’s worth conducting a quick thought experiment.
Imagine you’re a smoker and, one day, you find out you’re genetically susceptible to lung cancer. Thanks to your genes, you’re two-three times more likely to contract lung cancer than the average person.
The elevated risk has nothing to do with your record of smoking – but continuing to smoke increases the risks even further.
Given the situation, do you think you’d be more or less likely to quit smoking than other smokers?
Studies shows that, actually, you’d be just as likely to continue smoking as others. Your new knowledge wouldn’t change your behaviour.
Could this also be why security awareness training sometimes fails?
The problem with traditional security awareness training
As we’ve discussed elsewhere, traditional security awareness training usually focuses trying to raise security ‘awareness’. Increasing people’s knowledge of the risks is the goal. It’s mostly assumed that, if people are aware of the risks, they’ll start behaving in a secure manner. Unfortunately, the assumption is flawed.
Increasing security awareness rarely changes security behaviours. People can spend days learning about security threats only to return to their desks and consciously ignore security warnings.
Security awareness training that changes behaviour
Changing people’s behaviours and building a culture of security aren’t as simple as increasing security awareness. The latter can be achieved through a series of simple comprehension exercises.
By contrast, to change people’s behaviour, your security awareness campaigns should be fuelled by insights from the world of behavioural science. Here at CybSafe, we went as far as building our own cyber awareness platform with a team of psychologists and behavioural scientists – to ensure our platform changes people’s behaviour in practice.
Insights from behavioural science help explain CybSafe’s unique focus on emotional engagement: rousing emotions has been proven to bring about behavioural change. CybSafe combines emotional engagement with pioneering psychological interventions to change people’s behaviour. Through simulated attacks,the changes are visible.
Security awareness training that encourages a secure culture
Cultural change is just as important as behavioural change, and there are a number of simple ways you can nurture a culture of security through your own security awareness campaigns. Training everyone, engaging the board, demonstrating the value of security, highlighting the personal benefits of security, facilitating questions and increasing face-to-face interaction, all play a part.
Arguably most important of all, though, is quantitatively measuring culture. It’s only by measuring culture today and then culture tomorrow that you can be sure culture is moving in the right direction.
Just as CybSafe tracks behavioural change, it tracks cultural change – and then goes one step further. CybSafe’s unique analytical focus allows the platform to harness the power of machine learning and AI. It’s a truly intelligent platform that evolves in line with both the threat landscape and the needs of your organisation.
Why good security awareness training is so important
In the interests of balance, it’s worth pointing out two things.
First: security awareness training is improving. Where security awareness training has historically taken the form of ticking a compliance-shaped box, increasingly, campaigns focus on awareness, behaviour and culture. Increasingly, companies are implementing security awareness training to demonstrably reduce cyber risk.
Second: when security awareness training works, it has the potential to nullify threats that technological defences cannot. Every time someone reports a malicious email, they save a great deal of heartache. Heeding security warnings, using VPNs, setting strong passphrases, challenging identities; combined, the actions of vigilant people save reputation, financial and emotional distress countless times over every single day.
So while security awareness training sometimes fails, when it focuses on the ABC of information security, it does a lot of good. And society as a whole needs more people to move towards meaningful training quickly.
Focusing solely on increasing security awareness makes life easy for criminals. By focusing on awareness, behavioural and cultural change, your campaigns can prevent advanced attacks and keep people safe.