Rewiring the Brain for Cyber Awareness Behaviour Change
Date: 23 January 2020
Many organisations and security teams find it easy to blame the human factor in the security value chain. It’s become quite acceptable to say that humans are the weakest line of defence when it comes to organisational threats. But is this fair? Are human employees being given the kind of training they deserve in an ever-evolving and increasingly complex digital ecosystem?
Titled ‘Rewiring the Brain for Cyber Awareness Behaviour Change’, this Webinar by Cyber Management Alliance and Axelos, seeks to understand exactly how that can be done. Amar Singh - Founder & CEO of Cyber Management Alliance, Nick Wilding – General Manager, Cyber Resilience, AXELOS Global Best Practice and Head of RESILIA Frontline and Professor Lizzie Coles-Kemp, Professor of Information Security, Royal Holloway, University of London, get together to unravel how effective and creative solutions can be designed to really mitigate ‘human error’.
The trio believe that the reason for low levels of confidence and awareness for security situations amongst human employees is a result of the lackadaisical, oft-repetitive and uninspiring training that they’re provided. Here are some of the critical points that this webinar highlights:
- People make mistakes because they don’t have the awareness or the right training.
- The vast majority of human employees are trying to do their jobs effectively and do the right thing in case of a security incident.
- 80% of organisations in the UK don’t do any security training at all.
- Those that do conduct training, end up relying on one standard approach, whether it works or not.
- Just doing one-off training sessions to check off a compliance box never works.
- Training has to be focused on altering human behaviour and making good security practice second nature.
Known to call a spade a spade, Amar deep dives and admits that the binary approach to training – making it too complex or too simplified – and the over-reliance on PowerPoint does nothing except make the training sessions boring with little value for the human resource.
Nick corroborates this view - many organisations aren’t doing training at all and those that are, aren’t putting in any effort to ensure that it’s engaging. It’s not collaborative, it’s not creative and, therefore, it has no real impact on the behaviour of people. It simply doesn’t give employees the confidence that they’ll be able to do the right thing in case of a security incident. In a gist – people go through the training because they have to and without really gaining much, they just go back to doing their day-to-day jobs.
Professor Lizzie, who has worked on multiple training sessions with a variety of organisations, insists that humans are, in fact, the strongest link in the security ecosystem. They are the most important line of defence. However, they have to be helped to engage with the digital environment and to be able to see the natural resilience points – something that traditional training sessions simply don’t focus on.
People are always interested in the benefits that they can derive out of technology and its associated systems. When new systems are put into place, the implications of change for people are not well-understood. They disturb the ways in which people secure their every day, the way they behave at work, share and handle information. A part of all awareness training programmes should seek to understand the challenges that people face at work.
If we don’t think about training and awareness in this way, there are a number of problems that will occur. People will seek out ways to navigate the digital world. If systems don’t address security issues that are important, people will spend time trying to circumnavigate some of the controls in the system. Then there are people who will try to completely move away from that system and set up a parallel system. This stresses upon the need to connect people back into the system through security training but also support their security training practices.
Nick then shares some insights about workshops that Axelos has piloted with Royal Holloway University. Some of these workshops involved employees and security teams coming together to discuss the challenges they face in their day-to-day jobs while abiding by the security controls that have been thrust upon them. Security team members listened very patiently, and everyone worked collaboratively together to figure out ways in which security could be taken care of without disrupting the day-to-day work of employees. The idea was to then focus on the collective issues that emerged from the workshop and find solutions to them that could work for everybody.
This information brings about the next round of discussion on how the approach to training can actually change. Nick offers a snapshot of the work that they do and the content they deliver at RESILIA. They have multi-formats of learning: because different people learn in different ways. They offer e-learning solutions with tests, videos, animations, scenarios, PDFs, audio stories, and even a phishing game. They try to always use a different look and feel so that the training remains engaging.
The idea, concur Amar, Nick and Professor Lizzie is to make behaviours instinctive – a bit like driving a car. All three of them express their excitement over the fact that really fresh and exciting approaches are finally being adopted in cybersecurity awareness training. They also emphasise on the power of story-telling and of putting the victim in the shoes of the attacker to better understand the latter’s psyche.
Amar rounds up the discussion by reiterating that habit change takes time and the creators of training modules need to appreciate that. One size does not fit all when it comes to something as tricky and complex as security awareness and response. There needs to be a shift from the over-abuse of the world ‘culture’ in the security scenario and organisations need to start taking a multi-faceted approach to habit change. You simply have to build trust and communications and you have to show employees that you’re genuinely interested in helping them become more effective and secure.
Listen to the full webinar here.
Check out Cyber Management Alliance’s BrightTALK channel here.
Cyber Management Alliance is a team of global experts in cyber crisis management. We offer internal workshops to organisations across the globe from all sectors including Government, Banking and Financial, Healthcare, Insurance, Retail and many more. Our flagship course is the GCHQ-Certified Cyber Incident Planning and Response workshop. We also deliver internal and public courses on Building and Optimising Actionable Incident Response Playbooks. Cyber Management Alliance recently launched a special programme catering to busy board and C-level business executives. The EBAS Executive Briefings are non-technical and focus on business risks in a complex cybersecurity landscape.