A look at how security awareness can be used as a wider strategy to change security behaviour and reduce business risk
Increasing awareness doesn't necessarily decrease risk
In over a decade of running penetration testing, red team and social engineering engagements against organisations of all sizes and sectors, I’ve found three universal truths:
- If given enough time on a red-team, pentesters will always find a way to get an end-user to give them a foothold inside the organisation.
- With organisations that run security awareness training there’s typically no difference in the time or effort required.
- Where organisations have actively focused on improving security behaviour, instead of just raising awareness, things take a lot more time. Users don’t give away as much helpful information, their passwords aren’t re-used anywhere near as much, and they report social engineering attacks as fast as we can create them. Eventually we’ll get in, but in the real world an attacker would likely move on to an easier target.
Those truths can be distilled into something I suspect most security experts would agree with - security awareness training alone doesn’t reduce risk from real-world cyber attacks, but improving behaviour will increase the effort required from an attacker to the point most will give up and move on to an easier target. For most organisations, this is the difference between becoming the victim of ransomware or not.
Security awareness vs behaviour vs culture
Recently, the phrases security awareness, behaviour and culture (sometimes referred to as ABC) have started to be used interchangeably. It’s important to understand the difference between them:
- Security Awareness: Does someone know about a cyber threat, the severity of it and the best practice to mitigate it?
- Security Behaviour: In the real world, does someone perform actions that create a risk, or reduce it? Clicking on a link in a phishing email or setting a short password are good examples of security behaviours.
- Security Culture: Across an organisation, what risks are your people creating or reducing?
The goal of any security education programme should be to reduce organisational risk from cyber attacks by improving security behaviours. Simply setting out to ‘raise awareness’ isn’t likely to stop you becoming the victim of ransomware, or any other cyber attack.
Behaviour science primer for cyber security
From a behaviour science perspective there are many factors that influence any given behaviour. Broadly speaking, these factors fit into 4 categories – with awareness only one part of the picture. We call these factors ‘behavioural determinants’:
- Capability: Is it easy for the employee to behave securely? Are there technical controls, policies and processes in place to support secure behaviour?
- Awareness: Is the employee aware of the threat, the severity and best practice to mitigate it?
- Attitude & Intentions: Does the employee perceive the threat as likely to occur? Do they believe its severity? Do they feel that their peers also care about this threat? Do they believe that behaving securely is easy enough, and that it will be effective at minimising the threat?
- Cognitive Process: How does the employee think when the threat occurs? Do they act unconsciously (known as ‘System 1’ behaviour) or consciously (‘System 2’)?
The behavioural determinants above can be applied to any cyber security behaviour, but the answers to each may be different from person to person and behaviour to behaviour. The more behavioural determinants that are addressed, the greater the resultant improvement in behaviour and thus the larger the reduction in organisational risk.
Where to start with improving security behaviours?
For most businesses, it’s best to start simple and focus on improving the security behaviours that create the biggest risks to your organisation. You can expand and build on your programme over time.
Name your programme
Forget ‘Security awareness programme’; you’re not just trying to raise awareness. Calling your programme a ‘Security behaviour’ or ‘Security culture’ programme will help focus everyone on the objective. ‘Security culture programme’ typically feels the most inclusive and supportive.
Identify your risks
Start by identifying the two or three biggest cyber security risks to your organisation. These could be ‘Email Phishing’, ‘Ransomware’, ‘Credential Stuffing’ or any other risk.
Break down risks into the security behaviours that cause them
Take each of the risks you identified and map out a set of user behaviours that cause them. If your risk was ‘Email Phishing’ for example, your behaviours could include ‘Clicking on links in phishing emails’ and ‘Running dangerous attachments’. Don’t forget to include positive behaviours too, such as ‘Reporting phishing emails to IT’.
Measure those security behaviours
Implement ways to measure each of the security behaviours you’ve identified for your key risks. Consider running simulated phishing attacks and password audits, and look at whether any of the apps or infrastructure you already have are producing data you can use to measure your security behaviours.
Some widely popular tools to measure security behaviours include:
It’s important to look at not just collecting data that measures how users are behaving, but also which of the behavioural determinants are causing that behaviour. If a user falls for a simulated phish, you could ask them a series of questions to try to identify why. If a user sets a weak password, you could drop them a quick automated question over Slack/Teams/Lync/Email to get their view. If you really want to get into the data, inference can be a powerful tool too: if ‘Employee A’ actively reports phishing attacks and generally shows good security behaviour, but then sets a weak password, you can infer the root cause is likely capability or awareness rather than attitude.
Track & Improve
Review your measurements regularly, and identify which security behaviours you need to focus your efforts on improving. To start, look for single actions that you can perform across the entire organisation to improve the worst performing behaviours – such as deploying an awareness training module on a specific topic. If you don’t already have any security awareness training in place, deploy a range of training modules covering all of the key risks to your organisation before trying to mature your security culture programme.
As you look to mature your security culture programme, look at playbooks to automatically deliver education, messages and nudges to individual employees when they perform a risky behaviour. As an example, if someone logs into Slack using an out-of-date mobile device, you’ll be able to see it in Slack’s access logs and trigger a quick Slack message to the user asking them to update their device. At the most mature level, these pieces of education, comms and nudges should be tailored specifically to the individual based on the behavioural determinants you’ve identified and measured.
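The playbook step described above, as an added example that is not part of the original post or any CultureAI product: it reads access-log records, flags mobile logins from app versions below a supported minimum, deduplicates per user so one risky session yields one nudge, and builds the message text. The log line format, field names and minimum versions are all constructed assumptions, not Slack’s real log schema.

```python
"""Added example: a minimal 'risky behaviour -> nudge' playbook step."""
import json

# Assumed minimum supported app versions per mobile platform (constructed).
MIN_VERSION = {"ios": (22, 1, 0), "android": (22, 3, 0)}

# Constructed sample access-log lines in an assumed JSON-lines format
# (not real Slack output).
SAMPLE_LOG = """\
{"ts": "2023-05-01T08:00:00Z", "user": "alice", "os": "ios", "version": "21.9.1"}
{"ts": "2023-05-01T08:05:00Z", "user": "bob", "os": "android", "version": "22.4.0"}
{"ts": "2023-05-01T09:10:00Z", "user": "alice", "os": "ios", "version": "21.9.1"}
{"ts": "2023-05-01T09:30:00Z", "user": "carol", "os": "android", "version": "22.2.9"}
{"ts": "2023-05-01T10:00:00Z", "user": "dave", "os": "macos", "version": "4.31.0"}
"""

def parse_version(text):
    """'21.9.1' -> (21, 9, 1); tuple comparison then orders versions correctly."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def find_outdated_logins(log_text):
    """Return {user: (os, version)} for mobile logins below the minimum version.

    Deduplicated per user so repeated logins from the same outdated device
    produce a single nudge rather than one per event.
    """
    outdated = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        minimum = MIN_VERSION.get(rec["os"])
        if minimum is None:  # desktop or untracked platform: not in scope
            continue
        if parse_version(rec["version"]) < minimum:
            outdated.setdefault(rec["user"], (rec["os"], rec["version"]))
    return outdated

def build_nudges(outdated):
    """Turn findings into short, specific messages for each user (the 'nudge')."""
    return {
        user: (f"Hi {user}, you signed in from an out-of-date {os_name} app "
               f"({version}). Please update it today; it only takes a minute.")
        for user, (os_name, version) in outdated.items()
    }

if __name__ == "__main__":
    for user, msg in build_nudges(find_outdated_logins(SAMPLE_LOG)).items():
        print(user, "->", msg)
```

Sending the message would be the next step of the playbook; the dedup key would normally also include the day, so a user is not nudged again until a new day’s login repeats the behaviour.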
By taking steps to implement a security culture programme that’s focused on improving behaviours, you can help your organisation move beyond just ‘raising awareness’ to actually reducing risk. Building a mature programme can take time, often years, but treat it as a continuous, iterative process and you’ll start seeing results in weeks.
CultureAI's NCSC Certified Training Course, 'Security Awareness Training', provides IT, cyber security and security awareness professionals with the fundamental knowledge they need to design, implement and manage effective cyber awareness and security culture programmes.