Most security awareness training gets filed away and forgotten. Here’s what we think works. (31.08.18)
ThinkCyber is part of the first LORCA cohort. Its RedFlags™ security awareness software applies behavioural and learning science to “nudge” users towards secure behavioural change. Here, director Tim Ward makes the case for empowering your people with better training.
People are often described as being the weakest link in cybersecurity defence. But here at ThinkCyber we believe that people can (and should) be turned into one of the strongest.
There’s certainly enough data supporting the argument that people’s lack of cyber awareness is at the heart of many breaches. For example, in 2017 IBM found that two thirds of recorded cyber attacks resulted from accidental or inadvertent user activities, while data from insurance brokers Willis Towers Watson has shown that approximately 90% of all cyber insurance claims are the result of some type of human error or behaviour.
That’s not to say other methods are less important. But good security is about a layering of defences – and people are a critical defensive layer.
Sadly, many organisations still don’t understand the importance of training their staff effectively. UK government research last year found that only 20% of UK organisations provide cyber awareness training. Of those that do, the majority continue to rely on annual learning focussed on fulfilling compliance requirements. What we’ve seen is that when people do receive training, it’s often passive, complex and far too infrequent. This means it’s quickly forgotten – so it’s no surprise that an ISF study showed that only 15% of users trained in this way actually change their behaviour.
What good training looks like
When it comes to beefing up cyber defences on a human level, our approach is to get to the heart of what motivates people and deliver training that’s easy to understand and put into practice. Employees aren’t cyber experts, and they don’t need to be to respond to a threat effectively.
For example, spacing is an approach to training where people learn over a longer period of time rather than during a one-off, annual course. The benefits of this are well known: learning points are refreshed, repeated and reinforced over time, allowing staff to absorb more and retain information for longer.
It’s also important to recognise that, as behavioural science has shown, people aren’t purely rational beings and there are complex factors at play influencing how they respond to threats. This was the subject of a project we worked on recently, which was supported by Innovate UK. We looked at applying Protection Motivation Theory, which suggests that we make two assessments when faced with a threat. First, we weigh up how severe it is and how vulnerable we are to it. Second, we assess our capacity to respond effectively (and also the cost to us of making that response). Knowing this, ThinkCyber always recommends companies provide just enough threat information – while making sure their coping guidance is actionable and simple.
Similarly, we prefer nudging people (delivering the right message, to the right user, at the right time in response to their behaviour) into becoming more vigilant rather than scaring them with quarterly spot checks. While sporadic tests (phishing tests, for example) might be aimed at uncovering teachable moments, the result is often that staff feel tricked or embarrassed. And that’s hardly conducive to creating a workforce empowered to put what they’ve learned into action.
Too often organisations look solely to technology to overcome human error while they continue deploying training that’s clearly not working. Instead, why not deliver better training – training that takes what makes people tick into account?