
There’s great news in the quest for improving security awareness. Help is at hand from a new joint publication from the Research Institute in Science of Cyber Security (RISCS), Hewlett Packard Enterprise (HPE) and CESG – the UK government’s National Technical Authority for Information Assurance. Awareness Is Only The First Step is a superb précis of best practice in the security awareness space. The key points are:
It’s about lasting behaviour change. Being able to tick boxes, confirm attendance at training and count the number of pens given out is all very well but the goal needs to be lasting behavioural change. It’s not enough for staff to act securely just for one day a year when the auditors are on site. But how do we get lasting behavioural change? Well, since you asked:
It’s about engagement. In many organisations, generic training materials are purchased off the shelf or put together without any serious consideration of the audience or their needs. Is it any wonder that we have a problem with engagement? Controversially, the authors state: “Static, general computer-based information security training packages do little to influence employee behaviour” and “General campaigns that repeat standard security advice—such as have strong passwords and be aware of phishing—do not work”. However, before we gather our pitchforks in defence of some of our most cherished notions, consider the evidence for engagement failures. For example, when we get people to complete a quiz after training it’s common for someone to compile a list of the answers, which is then enthusiastically shared around. Cheating on the security knowledge test is seen as acceptable. This tells us that people see the exercise as a chore, which is at the other end of the spectrum from our fantasies of business enablement. If people aren’t taking pride in understanding our messages it’s because they don’t see the value. And that’s our fault for not selling it to them.
Take a behavioural baseline before you start. The authors have created a very helpful graph (inset) which illustrates the behavioural journey that starts with unconscious incompetence, through conscious incompetence, to conscious competence. And by unconscious incompetence, we’re not talking about the point about 20 minutes into your awareness briefing where most of the audience has passed out. We’re talking about people in your organisation who don’t know that their behaviours are creating a risk. You can’t just go and train people on how to do something safely until they’re sold on the why. That’s the conscious bit, and unless you measure where people start you have no way of showing that anything has changed.
Although the authors of this fine paper state in the opening section that “Security communication, education, and training (CET) is meant to align employee behaviour with the security goals of the organization” I’d argue that more often than not it isn’t. Often it’s just to get something done, tick a box and get to a position where non-compliance can be punished since ‘we told them so’. It was never really a serious effort to change behaviour or properly engage with the audience.
We complain when we don’t get the support we need for our awareness programmes, but it’s us who need to lift our game. We need to go back to basics and get this right. The next time someone comes to you for help rolling out generic security advice, ask them what lasting behavioural change they are aiming for, how they plan to engage the audience, and what their behavioural baseline is.
I’d suggest that maybe the attention Security Awareness receives from end users/staff is entirely commensurate with the level of perceived management buy-in and support, and is tied to management’s need to apply meagre resources to the highest (security) risks, which in many cases don’t relate to human-behaviour-influenced risks? In that case, ‘having to do it’ as a compliance exercise in full knowledge that it has limited benefit is possibly the least bad way of doing it.