By Steve Durbin, Chief Executive, Information Security Forum
Organizations have long implemented security awareness training programs in an effort to protect against data breaches. These programs are often designed with a one-size-fits-all approach, focused on compliance, and rarely result in sustained changes to security behavior. As a result, the number of data breaches due to human error continues to rise, with 90% of breaches being attributed to human error, according to the Information Commissioner’s Office in the UK. This highlights the need for a reassessment of how we teach individuals about security.
The current approach to security training is not enough; a human-centered security program must be implemented instead. This approach takes into consideration roles, psychological processes, attitudes, and communication methods. Changing behavior in the long term is a complex task that requires careful planning and an interdisciplinary strategy, one that caters to specific roles and is backed by solid metrics demonstrating a return on investment.
The first step in developing a human-centered security program is to establish a behavioral baseline. This is achieved by pulling in rich datasets and performing statistical analysis on data from historic risk assessments, data loss prevention tools, and user behavior analytics. By breaking the data down by role, department, and location, and across the entire organization, it is possible to understand how employees are currently behaving and why. Qualitative information can be gathered through focus groups, observation, and examination of policy and systems. This information provides valuable insight into patterns of behavior and reveals weaknesses in the current approach to education, training, and awareness.
Tailored content and emotional engagement are critical components of a successful security program. Traditional ‘blanket’ training is ineffective, and a far better approach is to create role-based security training programs that are tailored to each employee’s specific role and the threats they face. Training should also engage people on an emotional level, through gamification, rewards, and public praise. Regularity is crucial, and security awareness, training, and education should be delivered in short bursts and at frequent intervals, using various mediums to accommodate different learning preferences.
Security can also be encouraged through design, by redesigning the digital infrastructure, user experience, and interfaces to guide individuals towards secure behavior. This includes making it easy to manage threats and report incidents, as well as redesigning the physical environment to foster secure behavior. Desired behavior can also be encouraged through nudges and reminders in public areas and apps that prompt people to complete training modules.
Measuring success is key, and metrics should be developed to assess the impact of the human-centered security program. The impact on individual behavior should be examined, including changes in motivation, proficiency, and attitudes. Financial savings should also be calculated from the reduction in incidents and compared against the cost of the program. A human-centered security program is a smart investment that organizations can make to ensure a secure future.
About the Author
Steve Durbin is Chief Executive of the Information Security Forum, an independent, not-for-profit association dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best practice methodologies, processes, and solutions that meet the business needs of its members. ISF membership comprises the Fortune 500 and Forbes 2000. Find out more at www.securityforum.org.