#InfosecurityEurope: Security Training Needs to Nudge, Not Nag

According to experts in the field, traditional security awareness training does not create lasting changes in user behavior. Instead, organizations should build their security culture on lessons drawn from recent research into human behavior.

Speaking at Infosecurity Europe 2023, Unilever Senior Cybersecurity Awareness and Engagement Manager Charlie Sinclair and ThinkCyber CEO and Co-Founder Tim Ward argued that techniques such as nudge theory are a better tool for changing workplace behavior than traditional e-learning programs.

Employees are far more likely to respond to programs that deliver timely prompts and encourage them to avoid risky behavior than to programs that punish mistakes.

Ward said that for a "nudge" to work, behavior change programs need to be simple, engaging, social and timely. Tools such as anti-phishing messages and security alerts should reach the user at the moment the risky action is taking place, not weeks later in a training module.

As the behavior becomes riskier, for example moving from clicking a questionable link to entering sensitive information into a form, the messaging can become bolder and more visible. It should also be easy for staff to report suspicious emails and to admit mistakes.

"We are not just delivering content, we are changing behavior," Ward said. "Annual security awareness [training] is not timely, but reporting buttons and banners are effective." Even something as simple as changing the color palette of security messaging every three to six months can keep the message fresh.

According to Ward, 80% of security issues can be attributed to just 10% of users. Sinclair noted that these users are often "disconnected" from workplace security concerns. "These are people who make mistakes and don't tell anyone," she said. "Even with training, they won't listen."

This group needs a more customized approach to security awareness, she argued. Subjecting every employee to the same messaging and the same phishing tests rarely works.

“Security culture is not traditional e-learning. It needs to focus on psychology and how it works,” said Sinclair. “We need to accept that humans pose risks and understand how to deal with them.”

A security awareness program should be grounded in an understanding of risk. If an organization can quantify its risk, it is more likely to attract and retain the attention of colleagues. A social element also helps, such as sharing that a department has successfully stopped a certain number of phishing attacks.

Security departments should also use multiple channels to communicate, such as email and Microsoft Teams. The best moment to warn someone about a security risk in an application is while they are using that application. "Messages should be timely and relevant," Ward said.
