The Awareness Journey: Embedding a Sustainable Security Culture
December 12, 2022 | By: Stephen Boals
The Foundations of a Superior Security Behavior and Culture Program (SBCP)
The winds of change have hit cybersecurity, and it has been interesting to watch the talk track shift from rote security awareness training to building and sustaining a deeper security culture across an entire organization. Gartner has recently observed that change happening rapidly:
“Security awareness computer-based training services offer a stable set of core capabilities yet risky employee behavior persists. New, emerging capabilities apply behavioral science principles, data analytics and automation to help cybersecurity leaders reduce risk via measurable culture change.”
Organizations are starting to realize that cyber defense resiliency must refocus on quantifiable risk reduction. When it comes to humans, this requires a step beyond basic, once-a-year generic awareness training, the all-too-frequent compliance "check in the box". Instead, it requires a new paradigm of continuously laddered education that instills new security habits and leverages user knowledge and intention to bolster defenses, reducing both the likelihood and the cost of a breach and reinforcing, once and for all, the notion of humans as our security solution instead of our security problem.
“Awareness” is Dead
To accomplish this, we must rid ourselves of the notion of "awareness" and retire the term "security awareness training" to the same shelf as "Y2K". What does awareness even mean? I am aware that when I am hiking the Sierra Nevada mountains there are bears, and that if I walk between a mother and her cubs I will get attacked. That awareness does not help me in the moment. It does nothing to change my behavior: to stop and look for the signs of bears, or to know what to do (or not do) in an actual encounter. What if I encounter a wolf? Or a rattlesnake? All are things I might meet during a day on the trail.
If we look at the latest industry reports on cybersecurity attacks globally, even where 100% of end users are certified "aware", 79% of organizations still report at least one successful phishing attack, and 40% at least one successful ransomware attack. More than 80% of those attacks involve a human factor. And those are only the incidents that are reported, as opposed to contained quietly. The threat landscape changes so rapidly that we can never make users fully "aware" of every new attack without subjecting them to information overload. So what can we do instead that actually works better?
Mindfulness and Culture
When we examine the many ways attackers exploit human weakness to penetrate our multiple lines of defense, a better way to defend an organization in today's hostile cyber environment emerges: change individual behavior to improve organizational risk outcomes. A periodic, content-centric approach will not change behavior. Behavior change requires a continuous, methodical approach grounded in behavioral science principles that can predict change, produce measurable incremental improvements, and apply remediation where appropriate (you can read about our patented approach here: cyberconIQ's Patented Human Defense Platform & Methods). This leads to a marked change in how individuals respond to human-focused attacks (phishing, spear phishing, vishing, smishing) and creates a mindfulness that overrides instinctive vulnerability. The intervention focuses not on threat content but on context, offering protection beyond known attack methods by raising each person's ability to recognize novel attacks and avoid falling prey to ones no one has seen before.
While this shared foundation of confidence, built on each person becoming more aware of their own risk style and its vulnerabilities, is a great start to building a cybersecurity culture, a number of linked initiatives are required to sustain that culture at scale. Here are some of them:
- Key metrics that define human cyber cultural growth and measure risk reduction
- Training for management on the basics of security behavior and the risk styles of their employees
- Linking the handling of security incidents and phishing-simulation failures to real remediation
- Integrating security behavior training and its outcomes into performance management
This list is not exhaustive, but it is a solid start toward having the Security Behavior and Culture Program permeate the organization and become part of day-to-day operations, which Gartner and others have noted is essential. Our Human Defense Platform can help kick off your security culture buildout and move you from the old model (generic awareness) to the new one (behaviorally based outcomes focused on measurable security risk reduction).
You can learn more in a short webinar here: 5 Steps to Lower Human Cyber Risk.