To demonstrate why security awareness training so often fails, it’s worth conducting a quick thought experiment.
Imagine you’re a smoker and, one day, you find out you’re genetically susceptible to lung cancer. Thanks to your genes, you’re two to three times more likely to develop lung cancer than the average person.
That elevated risk exists regardless of your smoking history – but continuing to smoke raises the risk further still.
Given the situation, do you think you’d be more or less likely to quit smoking than other smokers?
Studies show that, in practice, you’d be just as likely to carry on smoking as any other smoker. The new knowledge wouldn’t change your behavior.
Could this also be why security awareness training sometimes fails?
The problem with traditional security awareness training
As we’ve discussed elsewhere, traditional security awareness training focuses on raising security ‘awareness’: increasing people’s knowledge of the risks is the goal. The underlying assumption is that people who know the risks will go on to behave securely. Unfortunately, that assumption is flawed.
Increasing security awareness rarely changes security behavior. People can spend days learning about security threats, then return to their desks and consciously click through the very warnings they were just trained on.
Security awareness training that changes behavior
In order for security awareness training to be successful, campaigns must focus on more than just awareness. They must focus on awareness, behavior and culture – the ‘ABC’ of information security.
Changing people’s behavior and building a culture of security is not as simple as increasing security awareness. Awareness alone can be raised through a series of simple comprehension exercises; behavior and culture cannot.
To change people’s behavior, your security awareness campaigns should instead be fueled by insights from behavioral science.
Security awareness training that encourages a secure culture
Cultural change is just as important as behavioral change, and there are a number of simple ways to nurture a culture of security through your own security awareness campaigns: training everyone rather than a subset of staff, engaging the board, demonstrating the value of security, highlighting the personal benefits of secure behavior, making it easy to ask questions, and increasing face-to-face interaction all play a part.
Arguably most important of all, though, is measuring culture quantitatively. Only by measuring culture today, and measuring it again later against that baseline, can you be sure it is moving in the right direction.
Why good security awareness training is so important
In the interests of balance, it’s worth pointing out two things.
First: security awareness training is improving. Where it has historically taken the form of ticking a compliance-shaped box, campaigns increasingly focus on awareness, behavior and culture, and companies increasingly run security awareness training with the explicit aim of demonstrably reducing cyber risk.
Second: when security awareness training works, it can stop threats that technological defenses cannot. Every time someone reports a malicious email, they save a great deal of heartache. Heeding security warnings, using VPNs, setting strong passphrases, challenging unverified identities – combined, the actions of vigilant people prevent reputational, financial and emotional damage countless times over every single day.
So while security awareness training sometimes fails, when it focuses on the ABC of information security it does a lot of good. Organizations need to move towards this kind of meaningful training, and quickly.
Focusing solely on increasing security awareness makes life easy for criminals. By focusing on awareness, behavioral and cultural change, your campaigns can help stop the attacks that get past technical controls and keep people safe.