Shift from security awareness to improving behaviour and culture

Phishing remains the primary mode of attack, but several other human activities contribute to a significant number of all data breaches, from system misconfiguration and data misuse or mis-delivery to weak credentials. These are all avoidable behaviours that must also be addressed.

As employee generational demographics shift, digital aptitude and cyber literacy levels will continue to increase across the organisation, as will overall awareness of the omnipresence of cyber threats. Security awareness training focused merely on how to spot cyber threats, or on expected anti-phishing behaviours, can quickly become stale. Even worse, it fails to prepare technologists, both in IT and in the business, to make effective cyber security decisions.

These problems are especially critical if the security awareness training content remains static and isn’t relevant or in some way contextualised to the individual learner. Also, if it’s delivered via a non-preferred medium, or can’t be consumed at a time, location, via an application, or on a device of the employee’s choice.

When employee engagement in the program diminishes, the potential for cyber security failure increases. As business technologists make increasingly significant decisions about digital activity, they need to be empowered to make better decisions about security – a skill that Gartner refers to as cyber judgement.

Progressive security and risk management leaders are now moving beyond legacy security awareness programs by investing heavily in holistic security behaviour and culture change programs. These programs are more akin to a classical marketing campaign than an old-school, compliance-centric security awareness campaign.

Gartner predicts that 40 per cent of cyber security programs will deploy socio-behavioural principles (such as nudge techniques) by 2025 to influence security culture across the organisation, up from less than 5 per cent in 2021.

Executing a security behaviour and culture program to reduce human-born cyber risk levels requires a major shift, where the objective extends beyond merely raising awareness of cyber threats. It focuses on fostering new ways of thinking and embedding new behaviour, to provoke new, more secure ways of working across the organisation.

Wanted: Behavioural scientists and marketers

VIEW ALL

Establishing and executing a security behaviour and culture program requires an approach analogous to a multichannel, user-centric, marketing and organisational change management program.

This will require access to new skills and competencies that traditionally aren’t a feature of the cyber security practitioner’s knowledge domain. This ranges from marketing and public relations skills, through to knowledge of psychology and sociology, human-centric design techniques such as design thinking, and organisational change management frameworks and practices.

A holistic security behaviour and culture program will also help reduce human-born vulnerabilities in the organisation’s digital supply chain. This is done by focusing on “shifting left” security awareness and embedding secure engineering capabilities and practices into infrastructure and operations teams.

Executing a security behaviour and culture program may also result in technology and architectural implications because it will require a more platform-centric, integration-enabled solution stack that leverages multiple vendors to deliver the capabilities and data required.

How to get started

Develop and promulgate a cyber security culture change that equips all users of digital systems with cyber judgement skills and a passion for applying these, rather than just cyber security awareness.

Investigate the use of organisational change management best practices and social science principles such as culture hacks.

Senior leadership plays an important role in promoting employee education and behaviour change to combat cyber threats. Collaborate with them to ensure that everyone functioning as a business technologist is regularly involved with culture-changing activities and has access to training.

Adopt a platform-centric approach with cyber security training vendors that can provide innovative features such as contextualised training material, in-the-moment nudges, gamification, real-world phishing simulations and outcome-driven metrics.

Richard Addiscott is a senior research director at Gartner. He works with information and cyber security leaders on improving security risk management maturity and outcomes, optimising organisational security risk postures, and demonstrating clear links between security and business outcomes.