Our actions determine outcomes, not our thoughts, our knowledge, or our intentions.
Everyone working in cybersecurity knows that and is all too familiar with statistics like “more than 70% of cyber incidents are facilitated by human action” (in some reports, even up to 95%).
Seemingly, security awareness is all about educating people about the dangers out there, but it stops short of actually training people to do the right thing. The reality is that organizations with strong cybersecurity postures have recognized this difference and work with security awareness training providers to raise awareness, foster behavior, and shape culture: the ABCs of security awareness training.
Security Awareness by Any Other Name
Yes, our industry has a naming problem, and we have known that for a while. So, why do I bring this up now? Because of many interesting conversations at the Gartner Security & Risk Management Summit 2023 in London this week. Let me elaborate.
In an eye-opening keynote, Gartner’s very own Christopher Mixter and Jie Zhang debunked four myths of cybersecurity. Their fourth myth called “more control = better protection” suggested that organizations burn 5-10% of their security budgets by investing it into security awareness training. But what did they mean by that?
A few observations illustrate the point. According to Gartner research, 69% of employees intentionally bypassed cybersecurity guidance in the last 12 months, and 93% of employees who engage in insecure behaviors are aware of what they are doing. But because time is of the essence and convenience wins, they circumvent security policies. In other words, they behave insecurely knowing full well that they are behaving insecurely. Awareness alone does not work, one must conclude.
Narrowing the Intention-Behavior Gap
We have known this for years, of course. If behaving securely is too hard, people probably will not do it. The intention-behavior gap is well known. That is why we frequently say that any good security awareness program must be built on three fundamental truths about humans:
- Just because we are aware does not mean that we care
- If you try to work against human nature, you will fail
- What your employees do is way more important than what they know
Security awareness professionals must take this into consideration. This is why Mixter and Zhang suggest applying basic user experience principles when designing your human-centered security program, and communicating with employees to find out where friction dominates. The most secure action must also be the easiest action. They call this "minimum effective friction": the smallest discount on user experience that still entices the desired action and outcome.
Focusing on Behavior Change
At KnowBe4, we use the works of behavioral economists Daniel Kahneman and BJ Fogg to guide our efforts, as our CEO recently explained in a blog post. BJ Fogg explains action is the outcome of motivation, ability, and a trigger. If things are too difficult or there is a lack of motivation, we can hardly expect action.
But there is a sweet spot where adequate motivation meets a task that is easy enough to execute and an appropriate trigger is available. For example, employees might be triggered by spotting a red flag in a phishing email, but if reporting the email is too difficult, or there is no cybersecurity mindset across the organization, in all likelihood the email will not be reported to the information security team.
So, is awareness dead? Well, not quite. We need it as a trigger in many situations, but we also must build products that make the most secure action the easiest one, and we must shape a security culture that instills values and norms of proactive engagement with cybersecurity. The goal is a workforce equipped with the right knowledge (awareness) and abilities (behavior) to spot and report phishing emails.
In a nutshell, the cybersecurity posture of your organization depends on the actions of your employees. With the right tools and an approach that puts human behavior and security culture center stage, organizations turn their workforce into active defenders. This extends beyond phishing and encompasses other behaviors such as secure document disposal, downloading only authorized software, and using only approved tools for file transfers, to name a few.
Awareness, behavior, and culture remain key pillars of any program aiming to reduce human risk by winning hearts and minds to influence secure behavior.
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.