According to the Information Security Forum (ISF), the information security industry is playing ‘catch-up’ when it comes to positively influencing behaviour: the spread of remote working, compounded by the stress produced by the pandemic, has reinforced the importance of improving the human components of security.
Designing a behavioural change program requires an audit of existing security practices and finding exactly where the issues are.
Security awareness alone seldom leads to sustained behaviour change, the analysis says, so organisations need to ‘proactively develop’ a robust “human-centred” security program to reduce security incidents directly linked to security behaviour.
In its report published this week, titled “Human-Centred Security: Positively Influencing Security Behaviour,” the ISF described 4 elements that can improve security behaviour:
The 4 Elements
- Understanding the key factors that influence employees’ security choices
- Delivering impactful security education, training, & awareness
- Designing systems, applications, processes, & the physical environment to account for user behaviour
- Developing metrics to measure behaviour change & demonstrate return on investment
“Errors & acts of negligence can cause significant financial & reputational damage to an organisation, with many security incidents & data breaches originating from a human source,” suggested Daniel Norman, Senior Solutions Analyst at the ISF, & writer of this report.
“A human-centred security program helps organisations to understand their people & carefully craft initiatives that are targeted at behaviour change, reducing the number of security incidents related to human error & negligence.”
A successful program uses cross-departmental collaboration to fully ascertain the current state of security behaviour, which then enables organisations to target investment in order to mitigate the identified risks.
Lisa Plaggemier, Chief Strategy Officer at MediaPro, explained that in large organisations, where there are multiple reviews before awareness can go out to employees, there are some specific issues to consider in this regard.
“The security team lets corporate communications or human resources have too much veto power,” she commented.
“I frequently talk to very talented training & awareness professionals that would like to push the envelope & do something creative that gets people’s attention, & their good ideas get shot down or watered down to the point of no longer being engaging.
I know of one large company that wanted to move from one-hour, once-a-year training to shorter trainings over the course of the year.
This is considered the norm for any mature security awareness program, but even that was shot down by corporate administrative functions (like HR) that have no responsibility for securing the organisation. If the security team is responsible & accountable, we also have to be empowered to run the program.”
Some top pitfalls to avoid, identified by Plaggemier, include:
- ‘Letting perfection be the enemy of good.’ It is better to do something, even if it is imperfect, than to do nothing or spend too much time in limbo in corporate reviews & sign offs.
- Under-communicating. Do not assume everyone is reading everything you put out.
- Poor writing and bad design. No one wants to read, and few will read, long-winded security newsletters in 10-point font without graphics.
“If the ‘brand’ of your security team isn’t to be approachable, helpful & add value, you won’t be included in projects where you really do need a seat at the table,” she observed.
“Your training & awareness program is the most visible thing your security team does, so use it to show that you want to work with the business, not against it, & that you’re friendly & approachable.”