When it comes to user awareness about cybersecurity health, I question common thinking about best practices. Companies try to teach people about cybersecurity so that they can make better decisions. This approach has three flaws:
- Not everyone is meant to be a cybersecurity student. No matter how many “art awareness” classes you might teach me, I’d still hate museums and pay no attention if you forced me to attend an art show. Security is a side effect of getting a job done, and we have to acknowledge not everyone cares about it as much as we do (or even as much as they should).
- You can only educate the people you “control,” but everyone touching your systems exposes your company to risk. Sure, you can get a security score for your partners… but can you be sure that the people you’re working with at that partner are protecting your systems with their behavior? What about customers? They browse your website, log in, and bring all sorts of threats. You can’t give them access to your LMS to take “phishing 101.” You’re probably not sending them emails to test their course material comprehension. Besides, even if you were, what would you do to enforce proper cybersecurity hygiene? They’ll just go shop somewhere else.
- Current user enforcement puts all the burden on users, equally for all threats, and then punishes people collectively. If I use a different password for every site (because I use a password manager) and have an unguessable 16-digit mashup of nonsense as a password, I get treated the same as the person who uses [email protected] as their password at every site on the internet. This really makes for an us-versus-them vibe and doesn’t get people working together with IT to minimize cyber risk.
Companies are trying to teach people (users) healthy cybersecurity habits; they’re trying to impact behavior. Not in any one large way, but through lots of different habits, each of which helps them make a better decision in the moment.
Companies will send fake phishing emails as a way to test employee habits. Outside of these emails, which represent just one type of threat, testing user behavior is somewhat limited. Most companies are satisfied with educating users and testing comprehension as a proxy for changing behavior.
Educating users is important, but if you want to change behavior wouldn’t it be better to monitor and report on behavior rather than on test scores?
On Habit Formation
Credit scores are funny things. They’re this mysterious number that’s supposed to indicate an individual’s credit worthiness. Talking to banks though, they believe that credit scores were a failure because they didn’t get people to make better decisions. They didn’t get people to change their behavior.
Well, no kidding.
Can you explain how a credit score is calculated? I’ve heard that having no credit card balance hurts your score. I’ve also heard that having no credit card balance helps your score. And so on. There are two things that habit science tells us are important to creating habits, and both are missing from the idea that credit scoring will help consumers make better financial decisions:
- Clarity on how healthy financial habits impact credit scores
- A reward for “doing the right thing”
Hold on. I just dropped a key phrase without explaining it. Habit science.
There’s a science to creating habits that good marketing companies (like P&G, for example) understand and use in order to create habits around their products. It’s called the habit loop, and it depends on there being a cue (or a trigger for the habit), the habit itself, and the reward that results from the habit.
Simply put, clarity on behavior (what is expected) and a tight relationship between the habit and its associated reward ensure that people don’t have to put too much thought into the right habit, and are rewarded as a result of the “right behavior.”
Both of these things are missing from credit scoring.
And, more importantly to us, both are missing from user awareness programs.
We are not making it clear to people, at the moment of the decision, what behavior is desired. And there’s definitely no reward, or even an understanding of how making the right decision helps the organization (which I believe users are willing to do if we make it easy for them).
5 Criteria your User Awareness Programs Should Incorporate to Lower Your Risk
- Real-time vulnerability data informs user choices, so that their decisions are the best possible ones to make in the moment. This gives users clarity in their behavior, and clarity will help people feel like they’re on the same team as the security staff.
- Prioritize awareness efforts based on threat severity and relevance, so that security teams can maximize their effectiveness by training people in the threats that have the most risk at that time.
- Map user security friction to individualized threat minimization. People don’t mind helping, even if it means extra work. However, extra work “just in case” is kinda hard to swallow and at best uses up some goodwill. When a user is told, in clear language, why what they are doing raises their threat level, they’re more willing to undertake the burden of extra security precautions to help the organization.
- Include external users, because everyone can expose you to a cyber threat, not just your employees. External user awareness is hard — you don’t control their machine, you have to be very sensitive to their time as they’re often customers or business partners, and the scale of tracking millions of users is, to say the least, a daunting problem.
- Use AI to drive threat assessment, to start preparing your users for tomorrow’s attacks. When 38% of breaches go undetected, it should be clear that we don’t even understand the threats organizations face. We have to start being smarter about how we recognize threats, so that we can prepare people for the long-term cyber security war that’s happening.
A Real-Time Security Coach
We (Cymatic Security) have developed an innovative chatbot that acts as a real-time security coach. It’s implemented as simply as Google Analytics, so it can assist the users you control and the ones you don’t. It’s customizable, so IT can surface only the necessary and relevant threats. IT also has granular control over how threats are presented, so that users are not overwhelmed with alerts, and the threats that are surfaced are presented clearly and with explicit relevance to the user’s behavior in that moment.
Should you wish, it also enables security officers to mitigate threats, so that along with educating users you’re minimizing your long-term cyber risk.