By Perry Carpenter, KnowBe4 Chief Evangelist and Strategy Officer. Let me open by making an observation: the discipline of security awareness training is chock-full of assumptions and misconceptions. As a side-effect, security leaders often feel that their programs are ineffective and that training humans is a lost cause.
But those conclusions couldn’t be further from the truth. What I’ve seen — time and time again — is that training humans isn’t a lost cause; in fact, your people are your last line of defense whenever all other technology-based security layers are circumvented.
So, where’s the disconnect? Well, I’m glad you asked. I think there are five things that many security and IT leaders miss when it comes to security awareness. Let’s take a few moments to explore these. (Oh… I actually released an entire book about how to build effective awareness programs geared to drive secure employee behaviors. If you are interested, check out Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors).
1. The knowledge-intention-behavior gap
Many traditional security awareness programs fail to account for what I call the knowledge-intention-behavior gap. Simply stated, information alone doesn’t lead to behavior change. Information alone doesn’t lead to caring or the intent to act on the information. And even when someone cares and intends to act on the information that they’re received, there is no guarantee that they will act on that information at the moment of behavior.
This gap exists because there are so many things that compete for our attention and behavioral direction at the point of behavior. And so we may act in ways that completely negate our knowledge and/or intentions. If you need to be convinced, just think about the last time you tried to keep a set of New Year's Resolutions. You had things that you knew were important. And you fully intended to act differently based on that knowledge. But it’s very likely that the behavior didn’t follow! I’m not trying to shame you, just to bring-up the reality of the situation.
Out of the knowledge-intention-behavior gap flow three realities of security awareness:
- Just because I’m aware doesn’t mean that I care.
- If you try to work against human nature, you will fail.
- What your employees do is way more important than what they know.
I can guarantee that if your security awareness program adjusts for these realities, you’ll start to see results.
2. Your Content is Your Face and Reputation to your Organization
As a security leader, your content is your brand. Let’s face it — if you are in a large organization, there is no way that you’ll have time to meet everyone and let them get to know you. And so, you will be known and judged by the quality and relatability of the materials that you put in front of your employees.
Your security awareness program materials and methods will greatly influence how the rest of the organization views you and seeks to interact with you and your team. That means that your content and the systems that you put in front of people need to be as good or better than anything else they interact with. If you go with substandard security awareness content, your people will feel that security (by extension) is not important and that you are irrelevant and out-of-touch. But relevant, relatable, and quality content will help build a sense of connectedness and community with your workforce.
3. It is a proven fact that frequent training has a demonstrable benefit to the resilience of your organization.
I’ll call your attention to two great reports. First, my colleague and friend, Javvad Malik, recently took the time to do an analysis of 100 different industry threat intel reports in search of the most common causes of data breaches. His findings are available here, but I’ll cut-to-the-chase: the two most common causes of data breaches are 1) human error/social engineering, and 2) unpatched software.
So, if human error and falling victim to social engineering scams is the number one reason that organizations are breached, then what’s the answer. It’s security awareness training. And the good news is that security awareness training that includes frequent simulated social engineering attacks is a provable method for reducing an employee’s susceptibility to phishing. Don’t believe me? Here’s the data. :)
Security awareness, coupled with simulated phishing attacks at least every 30 days will drastically increase an organization’s resilience to phishing. We’ve consistently seen organizations who’ve never conducted phishing tests begin with a baseline phish-prone percentage of nearly 30%. After 3 months of training, that percentage goes down by about half. And then, after 12 months, that percentage does down to around 2%.
Oh — and by the way — I was just presented with our updated numbers covering roughly 36 million email accounts, and the trends hold true. Stay tuned for a report with the updated data.
4. At all times you are either building strength or allowing atrophy
Security awareness is all about building strength and motor memory. The only way that you can get consistent results that will help stop social engineering and employee error is through frequent and consistent training.
The physical equivalent to this is going to the gym. You don’t get in shape by only excercising once. And, you also know that if you only exercise once per year, or even once per quarter, you aren’t going to see results. The only way to create long term change is to make excercise a part of your lifestyle. This is what traditional security awareness programs get wrong and why organizations that have a check-the-box approach to training get wrong. They implement programs that are the equivalent to going to the gym once per year.
Lasting change requires lasting commitment. If you stop training, you regress. In the same way that if you stop excercising, your muscles begin to atrophy, your people’s awareness and security-related behavior patterns will slide from order to chaos if you aren’t constantly reinforcing the training. That’s the physics of the situation; as with all things, the law of entropy holds.
5. You are probably measuring and reporting the wrong things
Many organizations measure the success of their awareness programs by counting the number of employees who completed training. Or they look at average post-training test scores. Or they count page views for their newsletters, and so on. While these numbers may be interesting in that they are an indicator of engagement and reach, they say nothing about what really matters. Specifically, they don’t measure if the employees have adopted more secure behaviors.
So, how do you measure this? One of the easiest behavior metrics that you can collect is related to the resillance of your employees to phishing attacks. That’s the phish-prone percentage that I mentioned earlier; and it’s important because it is a direct measure of your employee’s likelihood of either becoming the entry point for an attacker or serving as an effective last line of defense.
You can and should also be measuring how many of your people are reporting your simulated attacks and suspected phishing emails. Reporting is a positive security behavior that security leaders should seek to cultivate within their organizations. After all, the security industry mantra for years has been, “See something. Say something.” Having your employees report suspicious emails and activity makes each and every one of your employees a sentry.
Because actions, not knowledge, will determine if your organization will be breached, I’m a big fan of measuring any security-related behavior that I’ve deemed important for my organization. That goes for both digital behaviors and physical behaviors.
On the digital side, your SIEM, DLP, IAM, EPP, and other systems report valuable behavior-related telemetry data. Take advantage of that to get an idea of what your people are doing. That visibility means that you’ll then be able to adapt to those behaviors by providing more education, processes, adopting new technologies, and creating behavioral interventions.
You can also measure security behaviors that are physical. For example, if you want to encourage your employees to consistently use the shredding bins in your office, then you can measure your initial behavioral baseline by weighing your shred bins for a few weeks before you introduce your shredding campaign (pssst… my book is a great resource for how to approach campaigns and behavioral interventions). After that baseline measurement, release your campaign elements and weigh again. Continue to do so as you refine your campaign. That gives you a data-driven pre-campaign and post-campaign report.
Conclusion
And there you go. Five things you may not have fully considered about security awareness training. I hope this was useful for you. I’d love to hear from you. Feel free to connect with me on LinkedIn or follow me on Twitter. Also be sure to check out Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors if you want to take a deep-dive into the art and science behind effective security awareness. Feel free to also join the LinkedIn community that I’m currently building for security awareness leaders. I’ll be previewing some exclusive content to that community in early 2020.
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
