Sunday, March 21, 2021

Delivering a behaviour focussed security training programme

Companies often start out delivering a security training program to meet compliance requirements driven by standards and regulation. This helps to tick the compliance check box but is unlikely to deliver the security goals and objectives your organisation requires to protect its information.

Many of those who work in information security are keen to focus resources on delivering technical solutions. Technology alone cannot solve the security challenge; it needs to be balanced with consideration of people and process. An effective behaviour-driven training and awareness programme can transform your staff from a perceived security weakness into a key security strength.

This article considers what you need to deliver an effective behaviour driven programme.

Identify different target groups and training topics / needs

The threats and vulnerabilities associated with individuals and job roles will vary. Consider how vulnerable, attacked and privileged the staff in your organisation are, and use this information to target content where it will achieve the greatest impact (i.e. the largest reduction of security risk). The following explains each of these three risk factors.

Vulnerability

Has an individual proven vulnerable to specific threats in the past, such as installing malware or clicking links in phishing emails? If they have historically been vulnerable to a threat then, without a change in behaviour (an intervention), they have a higher probability of being susceptible to comparable threats in the future.

Attacked

Is an individual being actively targeted? Attack data, such as reported and blocked phishing emails, shows which individuals or groups are being targeted and the types of attack they are experiencing. Targeting training to specifically address the threats you have identified will deliver a far greater impact than providing generic, non-specific content.

Privileged

Consider the level of privilege an individual or target group has. By privilege I mean the authority possessed by a particular individual or group; in information security this relates to the level of access they have to systems or information (read, modify and delete). Those with a higher level of privilege are more likely to be targeted by attackers, as the impact of compromising them is often far greater. The following are examples of roles that would be considered to have a higher level of privilege:

  • Finance – ability to make / approve payments
  • Directors – access to highly confidential intellectual property
  • IT – administrative access to systems

Consider these three factors in determining the risk related to individuals or groups. You are going to need to prioritise targeting and tailored content towards those that are highly vulnerable (increased likelihood), have significant privilege (increased impact) and are being actively targeted (increased likelihood).

Whilst you have little control over whether an individual is being attacked, you can reduce the likelihood of compromise by increasing their capability through training and awareness, and reduce its impact by managing privilege in line with the principle of least privilege.
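The three factors above can be turned into a simple, repeatable prioritisation. The Python below is an added illustration of that idea, not the post's own method: it scores each group on vulnerable (phishing-simulation click rate), attacked (targeted emails per head) and privileged (an ordinal level), multiplies likelihood by impact, ranks the groups and derives a tailored plan. The thresholds, weightings, cadences and the five-group data set are all constructed assumptions for the example.

```python
"""Prioritising training effort by the three risk factors in the article:
vulnerable (past behaviour), attacked (current targeting) and privileged
(impact). Added illustration, not the post's own method; the thresholds,
weightings and group data below are assumptions made for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GroupProfile:
    name: str
    sim_click_rate: float      # share of staff who clicked in phishing simulations (vulnerable)
    attacks_per_head: float    # targeted malicious emails per person in the period (attacked)
    privilege: int             # 0 = standard user ... 3 = payment approval / domain admin
    attack_types: Dict[str, int] = field(default_factory=dict)  # lure type -> count seen


def score_vulnerability(click_rate: float) -> int:
    """Historic susceptibility on a 0-3 scale (assumed thresholds)."""
    if click_rate < 0.05:
        return 0
    if click_rate < 0.15:
        return 1
    if click_rate < 0.30:
        return 2
    return 3


def score_attacked(attacks_per_head: float) -> int:
    """Current targeting on a 0-3 scale (assumed thresholds)."""
    if attacks_per_head == 0:
        return 0
    if attacks_per_head < 1:
        return 1
    if attacks_per_head < 5:
        return 2
    return 3


def risk_score(g: GroupProfile) -> int:
    """Likelihood (vulnerable + attacked, 0-6) times impact (privilege + 1, 1-4)."""
    likelihood = score_vulnerability(g.sim_click_rate) + score_attacked(g.attacks_per_head)
    impact = g.privilege + 1
    return likelihood * impact


def rank_groups(groups: List[GroupProfile]) -> List[Tuple[str, int]]:
    """Groups ordered by risk, highest first, so effort goes where it has most effect."""
    return sorted(((g.name, risk_score(g)) for g in groups), key=lambda t: (-t[1], t[0]))


def training_plan(g: GroupProfile) -> dict:
    """Tailor content to what the group actually sees, plus one intervention per factor."""
    focus = max(g.attack_types, key=g.attack_types.get) if g.attack_types else "general security hygiene"
    interventions = []
    if score_vulnerability(g.sim_click_rate) >= 2:
        interventions.append("targeted phishing simulations with immediate feedback")
    if score_attacked(g.attacks_per_head) >= 2:
        interventions.append("briefing on the specific lures currently being received")
    if g.privilege >= 2:
        interventions.append("review access against least privilege")  # reduces impact, not likelihood
    risk = risk_score(g)
    cadence = "monthly" if risk >= 10 else "quarterly" if risk >= 5 else "twice yearly"
    return {"group": g.name, "risk": risk, "focus": focus,
            "interventions": interventions, "cadence": cadence}


# Constructed sample data for five groups (not real figures).
GROUPS = [
    GroupProfile("Finance", 0.18, 3.2, 3, {"invoice fraud": 40, "credential phishing": 12}),
    GroupProfile("Directors", 0.32, 1.5, 2, {"CEO impersonation": 9, "credential phishing": 6}),
    GroupProfile("IT administrators", 0.04, 6.0, 3, {"credential phishing": 55, "malware attachment": 20}),
    GroupProfile("Sales", 0.25, 0.4, 0, {"credential phishing": 8}),
    GroupProfile("Engineering", 0.08, 0.0, 1),
]

if __name__ == "__main__":
    for name, risk in rank_groups(GROUPS):
        print(f"{name:18} risk={risk:2}")
    for g in GROUPS:
        p = training_plan(g)
        print(f"{p['group']}: focus on '{p['focus']}', {p['cadence']} refreshers; "
              f"{', '.join(p['interventions']) or 'baseline training only'}")
```

With the sample data, Finance ranks first (vulnerable, attacked and highly privileged) even though IT administrators see twice as many targeted emails, because the IT group's low click rate pulls its likelihood down; the point is that the ranking, not any single metric, should drive where tailored content goes. Replace the constructed figures with your own simulation, mail-gateway and access-review data.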

Continual reinforcement of training

Delivering targeted training frequently increases the likelihood of improving your staff's capability to identify and respond to threats. Continual reinforcement helps to address the following challenges.

New and changing threats

The threats your organisation faces will evolve over time. Your program needs to be responsive to address new and changing threats as they happen. Failure to adapt will reduce the overall effectiveness of the training you deliver.

Forgetting curve

Hermann Ebbinghaus (a 19th century German psychologist) introduced the concept of the forgetting curve. In his experiments on memorising lists of nonsense syllables he found that retention drops steeply within the first hours and days after learning, and that each repetition slows the subsequent decline. Information that is learnt once and not revisited rarely makes it out of short-term memory. Continual, spaced reinforcement of training increases the likelihood that what is learnt persists in long-term memory.

Deliver positive security behaviour change

Behaviour is the “way in which one acts or conducts oneself”. If an individual has historically demonstrated poor security behaviours, they have an increased probability of repeating them. Throughout your organisation staff will demonstrate both positive and negative security behaviours, and you will need to design and deliver interventions to change the negative ones.

Getting Started

It can be daunting to know where to start. I would suggest using CybSafe's Security Behaviour Database (SebDB) to get started. This provides a comprehensive cyber security behaviour database that is maintained by a global community of security professionals and academics. In time you will want to supplement this list with behaviours that are unique to your organisation.

Delivering change of behaviour

To change behaviour you will need to design and implement interventions that support the change. Interventions are specifically designed to address the factors of capability, opportunity and motivation (the COM-B model that underpins the Behaviour Change Wheel) that are currently preventing individuals in your organisation from performing the desired behaviours.

Analysing behaviours and designing interventions is a significant topic that I will address in a follow-up article.

Resources

If you want to understand more about changing behaviours, there are some great resources available. Michie, Atkins and West have published a practical guide to the Behaviour Change Wheel, which will help you to analyse and define behaviours and to design and deliver interventions.

The Information Security Forum (ISF) has produced a number of whitepapers covering Human-Centred Security. These are well worth a read and are specifically targeted at information security. They provide detail on initiatives that can help deliver effective security interventions.

Summary

I often hear a level of frustration from those working in Security Education, Awareness and Training (SETA) at the limited resources afforded to their programmes. By shifting the focus to delivering measurable security behaviours you will be able to demonstrate the value your programme delivers, and in doing so build a stronger business case for greater investment.

Human-centred security is a hot topic in the information security world. It's great to see those in security learning from other professions, such as psychology, in order to increase the effectiveness of their own initiatives.

By building measures to track behaviours you will also be creating an invaluable data set that not only records past behaviours but also supports the prediction of future ones.