Traditional approaches to security awareness training are ineffective in changing human behavior because they're too often focused on negative consequences and fail to motivate employees.
Despite years of publicity and millions of dollars in employee training, 'human risk' is still the largest unsolved problem in cybersecurity.
Phishing remains one of the largest insider threats that organisations face, with employees unwittingly giving up personal and corporate information to malicious actors every day. No longer limiting themselves to email scams, criminals are also targeting employees on popular social media networks, instant messaging applications, and online file-sharing services.
Traditional security training does not work
Despite all efforts, research shows that awareness training makes no difference to the likelihood of an employee falling prey to a phishing attack. Deanna Caputo, a behavioral scientist at Mitre, studied a group of 1,500 employees using a mock phishing experiment.
"If an employee clicked a phishing link they would receive training as a result. When they received a future phishing email, whether or not they received training had no impact on their performance."
Going Spear Phishing: Exploring Embedded Training and Awareness
The reason why security training does not work
Traditional employee security training does not work because it does not tap into employee motivation.
"If I'm not motivated to learn the information needed and choose to apply it, I will not change my behavior."
"If you go in almost any organisation today, you will find the same approach to this problem, and that is [the] employees taking a one-size-fits-all annual security training that they mute, skip through to the end and brute-force the quiz questions and it's showing to be ineffective."
Masha Sedova, co-founder, Elevate Security
Knowledge is not enough
Human convenience beats the human conscience every time. An example can be seen with attitudes towards password security, says Sedova.
"We assume as security practitioners, if they just knew more, they would do something differently. Lastpass did a study in 2017 and interviewed hundreds of users of their platform and found a huge proportion know what a secure password is - 91%. Yet, when you take a look at the passwords they have, they choose easy-to-remember or reuse them a huge percentage of the time - 61%."
Game or Shame - how to teach employees effectively
What would it look like if employees wanted to do security, instead of being forced to?
There are three techniques that security teams can use to reduce human risks according to Sedova. These are social proof, gamification and positive reinforcement.
1. Social Proof
Social proof refers to providing evidence to a group that their peers are behaving a specific way. Elevate Security's research applied social proof to phishing, reporting and password manager adoption.
"By taking data sets of what employees are doing in an organisation, you can compare every employee's actions to their peer groups. When we compare actions to people we know, we are more likely to change our behaviours."
2. Gamification
Gamification makes adopting a new culture a fun experience. It provides an element of challenge and rewards aligned attitudes and actions. Examples of gamification are competitive quizzes, leaderboards, 'spot a scam' challenges, or using security strength charts to compare employee behavior.
"Gamification is taking a part of the things that make gaming successful and applying it to business. Why not use those methods in security too? What if we had something in our organisation, say, number of days since last malware infection?"
3. Positive Reinforcement
While negative reinforcement such as shaming and punishment can change risky behaviours, studies indicate it has damaging side effects such as reducing employee morale.
Positive reinforcement shows that the organisation values security in a meaningful way. It means taking the time to affirm positive behaviour demonstrated by employees. It encourages dialogue and peer-to-peer encouragement and support.
Rather than security being another box to tick, or something that has to be gotten out of the way as quickly as possible, it is instead presented as an ongoing culture of care. Employees are given positive feedback for taking care of the organisation and protecting it from risk.
Also consider UEM and Wandera for endpoint security
UEM works in tandem with a mobile threat detection and response product. MobileCorp recommends Wandera for endpoint and network security, and data policy compliance for enterprise mobility. Wandera is the world's largest provider of security for remote workers.
MobileCorp is an enterprise ICT solutions company with a mission to deliver our customers a communications technology edge. We provide Managed Mobility Services, Mobile Security, Complex Data and IP Networks, and Unified Communication solutions. We have a proven track record providing managed services for Australian enterprise and business, and we are a Telstra Platinum Partner.