For too long, creating security awareness has been an afterthought, something security executives did in their spare time after putting out the operational fires that sprang up around them with alarming regularity. Those executives are coming to realize, however, that their neglect of the human aspect of security awareness is one of the reasons that incident numbers are not declining despite increased adoption of technological controls.
Unfortunately, many security executives perceive little improvement when they do focus on awareness, and understandably so. Often, they snatch at the opportunity and overcommunicate, leaving staff overwhelmed and confused. Others deliver their messages in a way that is not compelling, and nearly all security executives track the wrong metrics.
How do you engage the "human firewall"? When you need to develop an awareness program today, is your first instinct to run to your colored markers and start drawing posters, listing the top 10 things that staff need to remember?
You shouldn't be thinking about simply creating an "awareness campaign," but an ongoing behavioral program that continues throughout the employee's time with the organization. This means developing a comprehensive approach that lays down the awareness of security principles as the foundation of good behavior rather than as the end goal.
Four questions behind the makings of a human firewall
At a minimum, your staff needs to understand the risk scenarios to look out for, the desired behavior when those scenarios are evident, and the corporate and personal consequences of noncompliance. If you are reviewing your security awareness program, first ask your marketing team to give you a crash course in behavioral science and then work through the following questions:
- "What problems are we targeting?" Use your risk assessment methodology to consider the major issues facing your organization right now and evaluate how staff behavior can exacerbate or mitigate those risks. Your strategy can't hope to address all of the issues in one step, so create a cycle of continual improvement (i.e., touch, reinforce, review and repeat, if necessary).
- "What behaviors are we hoping for?" Once you know which actions or inactions contribute most to the risk profile of the organization, you can develop a list of desired behaviors and identify the elements that need to be in place to make these easy to follow and act on.
- "What staff members are we targeting?" Although it's important to get the best return for communication efforts by appealing to the masses, some messages will lack relevance, and therefore impact, unless they're tuned to a specific audience.
- "What tone will work with the staff?" No two organizations are the same, and neither are the cultures and contexts in which they operate. Generally speaking, four tone types can guide your messaging: straight/direct, humor, wit and intrigue/storyline.
For your strategy to be successful, you will need to get the support of upper management. This step is crucial in setting the cultural expectations that drive staff's motivation to comply. This means that executive management must understand the importance of the program and, ultimately, be visible advocates for it. The slew of recent security breaches has raised board-level awareness to unprecedented levels, with 70% of IT security decision makers noting this as a tangible result of recent hacks, so this isn't a bad time to go seek support.
The board must also commit to mandatory training and ongoing education. New exploits, vulnerabilities and hacking techniques constantly appear, threatening the security controls of corporations around the world. Staff members need to be aware of the current situation or their perspective will become dangerously out of date. Also, an organization is made up of many different types of people in many different roles; while it's true that some staff members may be a higher profile target than others, even the lowest-level computer user can be the gateway to disaster.
Engage the human firewall with gamification
To ensure that your workforce doesn't miss security messages, focus on three critical aspects of the messaging campaign: frequency, relevance and engagement. It's alarming how many times staff may need to be told before they remember, but this can be reduced if you carefully craft the message to relate to their circumstances and consider the time and place of employee engagement.
Remember that the content of the security awareness program doesn't need to be boring and contrived. Successful awareness programs develop (or purchase!) content that is actually engaging and relevant for its audience. It calls out messages that are personal to employees and clarifies why these behaviors are important to both the firm and the individual. Strong programs also seek to reinforce the message by using "teachable moments" and constant feedback -- these are opportunities that deliver education in the work context. For example, if an instructor simply tells a driver the best ways to drive for fuel efficiency, the message will soon be forgotten once the driver is on the road. However, if the car constantly reminds the driver when to change gear for maximum efficiency and provides constant miles-per-gallon statistics, the driver's behavior is much more likely to change. This is a small step into the world of gamification!
Opportunities exist to bring gamification into the workspace, constantly encouraging good behavior. Examples include rewards for the team with the strongest passwords each quarter, the fewest data loss prevention alerts or other related metrics.
It's time to throw away your lingering security awareness skepticism. Don't believe the naysayers -- the human firewall isn't broken. We've just been programming it incorrectly for too long. Change your mentality and focus on behavioral change, and you will start to see the benefits.
About the author
Andrew Rose is a principal analyst at Forrester Research, serving security and risk professionals. He will be delivering a keynote at Forrester's Forum for Security and Risk Professionals, May 6-7, in Washington, D.C.