We often hear people are the weakest link when it comes to cyber security. It doesn’t matter what software, legislation, or fines you have in place – there will always be human error. This has become a major source of cyberattack vulnerability, and has had some role in the recent attacks crippling Aussie companies right now. But, security is everyone’s responsibility, with a strong security and risk culture within an organisation, people can be the strongest link.
When we talk about security culture and security behaviour, we may have the best intentions and think we have been adequately trained, but still not behave in the desired way. We can learn from behaviour scientists on how to positively affect a security culture or build a strong security culture by using techniques that have worked in behaviour science for many years.
Good security culture starts with Behaviour Design
Anyone who has run security awareness programs for a while knows that changing human behaviour is not an easy task. And that sometimes the problem with awareness is that “awareness” alone does not automatically result in secure behaviour. Let’s look at the challenge of building a security culture through the lens of behaviour design.
BJ Fogg’s much-quoted behaviour change design model neatly outlines that behaviour happens when three things come together at the same time: Motivation, Ability, and a Prompt which could be a reminder or a nudge to do the behaviour.
Fogg’s Behaviour Model highlights three core motivators: Sensation, Anticipation, and Belonging. Each of these has two sides: pleasure/pain, hope/fear, acceptance/rejection. These core motivators apply to everyone; they are central to the human experience.
Let’s try apply these to cybersecurity:
- Tapping into people’s emotions by using visually appealing content, engaging with humour and story-based techniques, and activating positive sensations. Humour is a great technique to grab attention, evoke positive emotions and help with memory retention.
However it has to be applied carefully and with a sensitivity to the audience’s cultures, or else it can backfire. Also, it shouldn’t be used too much, as it could result in the audience not taking the core message seriously enough.
- Fear can be a powerful motivator too. Show what could happen when. However, too much of it can result in apathy and needs to be underpinned with the notion that it is simple to defend.
- Using the power of leadership or celebrity to tell stories and invoke a sense of belonging and motivate people to want to know more.
- Making it personally relevant by providing information on how to protect kids or family members
BJ Fogg says that training people is hard work, and most people resist learning new things. That’s just how we are as humans: lazy. Give someone a tool that makes the behaviour easier to do. A great example is a password manager. This is a tool that takes care of desired behaviour and simplifies the complexity of having to remember multiple different passwords.
KnowBe4 recently launched an innovative product called SecurityCoach, which helps IT/security professionals to develop a strong security culture by enabling real-time security coaching of their users in response to risky security behaviour. It works by leveraging a firm’s existing security stack, IT/security professionals can configure their real-time coaching campaigns to immediately deliver a SecurityTip to their users related to a detected event.
What is clever about SecurityCoach is that it provides an organisations users with contextual, real-time coaching and advice that reinforces security awareness training and policies, improves knowledge retention and helps them understand the risks associated with their behaviours. This is a another great tool to help end users enhance their cybersecurity knowledge and strengthen their role in contributing to a strong security culture.
The concept of prompt has different names: cue, trigger, nudge, call to action, request, and so on and they all have the purpose to remind and tell people to “do it now”. An example are the password strengths meters reminding people to come up with better passwords.
When designing an awareness campaign, it’s important to consider where prompts may be used. For example, in the moment nudges, such as when users look at emails while on the go or when they are about to send a large file to someone externally. When it is possible to combine the three elements of motivation, ability and prompts, changing behaviour is a much more likely outcome than just spreading awareness content and hoping for a result.
Now you can identify how to influence behaviour design, look at security culture in your organization, is it the one you want? Every firm already has one. The challenge is to understand it as it stands, define what you want it to be and go about making that happen.
To understand the security culture you have today, you need to ask some questions, make some observations and take the time to document what you discover. Start by asking: Do your people understand the impact to your organization if a breach were to happen?
Are they aware of the cyber threat landscape? Do they lock their devices when they step away? Do they follow existing policies (internet usage, clean desk, reporting incidents, etc.)? How do they respond to phishing and other social engineering? Do they consistently create insecure workarounds (use a personal Dropbox or unsecured personal devices, etc.)?
It’s time to define what your organization’s security culture should be. The KnowBe4 Seven Dimensions of Security is a great place to start as it looks at the following elements:
- What attitudes do you expect your people to have towards security?
- What behaviours are you wanting to change or see?
- Do your people have an understanding, knowledge and sense of awareness?
- How do you go about communicating with your people and do they feel like part of the solution?
- Have you considered and included your people in your policies and do they know what to do?
- When it comes to the unwritten rules of conduct at your organization, have you thought to include (cyber)security?
- Lastly, and perhaps most importantly, as without it you are doomed to fail, do your people understand why cybersecurity is everyone’s responsibility and that they have a critical role to play?
Once you have the answers to these questions, you are well on your way to nurturing the security culture that you want. The next step is to ask your people questions using our Security Culture Survey from our Security Culture Report 2022, which gives you a baseline for the Seven Dimensions of Culture. Ask, does my organization care about security?
Which areas of the business are least and most security-minded? Which employees are most risk-averse? How strong or weak is our security culture? In what part of our organization do we need to improve security culture? And, how effective is our security culture programme?
In addition to answering operational questions, the Security Culture Survey provides you with indicators for reporting your firm’s security posture to the board or executive. It also gives you a starting point to implement awareness, education and training across your business.
Building a positive security culture as defined by you is an effective mechanism to influence your users’ behaviour and, thereby, reduce your organization’s risk and increase resilience.