I am a strong believer that understanding cybersecurity as part of an organization-wide process is of the utmost importance. Cybersecurity awareness professionals are critically aware that to improve the security posture of an organization, one must involve many stakeholders, e.g., management, HR, IT, legal and compliance.
Higher education is making important strides in improving cybersecurity readiness, but much is yet to be done (as I mentioned in a recent blog post).
A recently published paper by the University of Edinburgh offers insights into how security awareness is managed at higher education institutions, and a great opportunity to discuss important concepts for building a sustainable security culture. The authors analyze 270 help desk phishing tickets collected over the course of nine months to understand how users engage with phishing emails and, crucially, when and how they report them.
Building Habits of Reporting
The study reveals that employees use reporting channels to engage with the security team. They provide evidence and observations, sometimes even elaborating on potential impacts. Some treat a report as a knowledge test, explaining why they think reporting is important.
Both engagement and communication are essential elements of a well-rounded awareness program. Security awareness professionals must always keep communication channels open to engage with users. The reports show a strong interest in, and desire to, provide the information security team with data, which serves as evidence of a growing security culture.
Shaping a Culture of Learning
The research and theory behind the concept of self-efficacy tell us that a positive learning environment is crucial to motivating and facilitating behavior. Establishing a culture of practicing, failing, and learning is a key element of continuous improvement. Without it, fear and doubt might dominate an emotional landscape that leads to inaction, a lack of engagement, and, in the worst case, to working around security policies and tools.
This is evident in the participants' behavior reported in the paper. Employees do not want to be seen as paranoid and tailor their language when reporting emails accordingly; in the worst case, users might avoid reporting altogether. To foster a positive environment, employees should be encouraged through feedback on their reports. Positive feedback increases self-efficacy, so mechanisms to provide positive feedback must be integrated into reporting processes.
Providing Contextual and Timely Feedback
Another critical point raised by the researchers is the efficacy of phishing simulations. If they are not implemented thoughtfully, the lack of contextual feedback can hinder rather than help build self-efficacy. When an employee fails a test, they must be shown which red flags and other signs they missed.
Equally, when a phishing simulation is reported correctly, there should be a mechanism that gives users feedback on whether they have spotted all red flags and understood their significance. As the authors remark, this is also crucial for leveraging an employee's unique contextual understanding of their inbox, i.e., knowing which emails to expect, from whom, when, and in what style.
The researchers make further suggestions that are essential to facilitate learning. Phishing simulations should encourage user reporting to foster a culture of engagement. This in turn requires an IT security team that is able to process a large number of reported phishing emails, both malicious and simulated. Thousands of emails must be processed per day.
Chances for Computer-Based Security Awareness Training
These key insights provide thoughtful recommendations to improve security awareness programs.
- Encouraging phishing reporting – Reporting a phish is a learning opportunity. Organizations ought to use reports as a conversation starter, providing feedback and advice. Users should not hesitate to report any email. Tools that leverage machine learning and automation allow information security teams to stay on top of thousands of reported suspicious emails, so the flood of suspected and real phishing emails will not be a challenge for the information security team. Of course, it would be great to share intelligence gathered this way with a larger number of customers.
- Increase engagement and trust through individual reporting – Chatbots are one method to increase individualized interaction at scale. Organizations increase trust in their security by providing individualized feedback and avoiding judgmental language. Large language models and other AI tools and techniques can help provide personalized interactions and also make reports more digestible.
- Reassuring users – At the very least, users must get confirmation that their report was received. Ideally, this would involve a brief, personalized interaction so that open questions can be addressed. A more interactive communication is a possible next step, one that also allows users to talk openly and freely about their observations.
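The three recommendations above describe one workflow: collapse a flood of reports into a manageable number of campaigns, then send every reporter a confirmation with contextual, non-judgmental feedback on the red flags in the email they reported. The following is an added illustration, not code from the paper or from any product; the tickets, the organisation domain example.edu and the rule-based red-flag checks (a stand-in for the machine learning the text mentions) are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

ORG_DOMAIN = "example.edu"  # assumed organisation domain for the constructed sample
URGENCY = re.compile(r"\b(urgent|immediately|today|suspended)\b", re.I)
ANCHOR = re.compile(r"<a href='([^']+)'>([^<]+)</a>", re.I)

# Constructed help desk tickets (not data from the paper). T-1 and T-2 are the
# same campaign reported by two people; T-3 is a legitimate internal email.
REPORTS = [
    {"id": "T-1", "reporter": "alice", "from": "IT Support <help@examp1e-support.com>",
     "subject": "URGENT: password expires today", "body": "Reset: <a href='http://examp1e-support.com/r'>portal.example.edu</a>"},
    {"id": "T-2", "reporter": "bob", "from": "IT Support <help@examp1e-support.com>",
     "subject": "URGENT: password expires today", "body": "Reset: <a href='http://examp1e-support.com/r'>portal.example.edu</a>"},
    {"id": "T-3", "reporter": "carol", "from": "Library <library@example.edu>",
     "subject": "Overdue book reminder", "body": "See <a href='https://library.example.edu/loans'>library.example.edu</a>"},
]

def sender_domain(report):
    return report["from"].split("<")[-1].rstrip(">").split("@")[-1].lower()

def red_flags(report):
    """Rule-based red flags present in one reported email, in a fixed order."""
    flags = []
    if sender_domain(report) != ORG_DOMAIN:
        flags.append("sender outside the organisation")
    if URGENCY.search(report["subject"] + " " + report["body"]):
        flags.append("urgency pressure")
    for href, text in ANCHOR.findall(report["body"]):
        if urlparse(href).hostname != text.split("/")[0].lower():
            flags.append("link text does not match its destination")
    return flags

def campaign_key(report):
    """Same sender domain and same link hosts: one campaign, one analyst task."""
    hosts = tuple(sorted(urlparse(h).hostname for h, _ in ANCHOR.findall(report["body"])))
    return (sender_domain(report), hosts)

def triage(reports):  # {campaign_key: [ticket ids]}: thousands of tickets become a few cases
    campaigns = defaultdict(list)
    for r in reports:
        campaigns[campaign_key(r)].append(r["id"])
    return dict(campaigns)

def acknowledgement(report, campaigns):
    """Receipt confirmation plus contextual feedback; wording stays non-judgmental."""
    flags = red_flags(report)
    others = len(campaigns[campaign_key(report)]) - 1
    detail = ("Red flags we confirmed: " + "; ".join(flags) + "." if flags
              else "We found no red flags, but reporting it was the right call.")
    return (f"Thanks {report['reporter']}, ticket {report['id']} is logged. {detail} "
            f"{others} other colleague(s) reported the same email.")
```

Running triage(REPORTS) and then acknowledgement(r, campaigns) for each ticket yields one analyst case for the two identical tickets and a tailored reply for every reporter, including the one who reported a benign email.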
The Need for Emotional Safety and Empathy
Organizations do well to position trust, transparency and accountability as the north stars of their security awareness programs. These create an environment in which people can exercise compassion towards themselves and towards others. Moments of introspection and reflection help people understand their own biases and triggers, and contribute to improving the security posture of an organization.
The researchers found that an emotional component of the security awareness program was lacking. They identified a need for emotional safety and empathy to create a safe space for learning and development. Where this is lacking, users are particularly vulnerable to the deceptions and exploits of attackers, which play on emotional insecurity.
I couldn't agree more. We frequently observe that environments in which employees actively and openly discuss issues of social engineering and phishing are less vulnerable to cybersecurity threats. A good security culture is also characterized by an environment in which people can find help to reflect on their motivations behind clicking on a link in a phishing email or downloading a malicious attachment.
Proactive engagement with security awareness programs is a sign of a good security culture, and this culture is necessary to sustain efforts in reducing the risk of human behavior that becomes part of a successful cyber attack.
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.