5 Good, Bad, and Truly Surprising Results of Talking Security

essidsolutions

Despite a rising number of attacks, cybersecurity awareness training continues to be a thorny spot. Over 50% of users say they have “better things to do” than attend mandatory training from their employers. For others, training sessions are either too long (45%) or boring (44%). So, it shouldn’t come as a surprise that basic, primitive attack types still run rampant in most enterprise landscapes. 

Nearly three in 10 employees are certain they have clicked on a phishing link recently – and that’s not even counting those who shy away from admitting it. 

We wanted to find out how security awareness training plays out in the real world, how users respond, and what holds them back from treating cybersecurity with the urgency it deserves. Here are the five trends that emerged and a few telling insights CISO/IT training stakeholders must remember on the way forward.


The Bad

Let us start with the proverbial bad news. There are three ways users typically dilute the impact of cybersecurity training, even when they receive it, making exploitation much easier for hackers.

1. The human tendency is to “write it down”

The impact of security controls like passwords, VPNs, multi-factor authentication (MFA), etc. gets diluted when users resort to analog memory aids. How often this happens depends on a user’s digital literacy and comfort level with digital tools. At the recent SpiceWorld Virtual 2020, Richard J Eid, director of technology at Woodlands Retirement Community, spoke about facing this issue when training users.

While IT personnel or those in technical roles are easier to persuade, “writing it down” is a popular habit among end-users. 

“If you’re like me at my company (if you have a domain or administrative access), you have to have at least a 12-char password with upper and lower-case letters, numbers, and symbols changed every 90 days without recycling the last five. We beat this into our technicians’ head,” he said. He also mentioned that end-users were a better fit for pass-phrase training, but here’s where the problem cropped up. 

“With end-users, I would do training on how to use numbers as letters to make a word or a phrase they can remember. But the minute a user gets a good password, the first thing they would do is write it down. It is our job to make them not do that,” he said.

Eid’s advice? “Interject jokes, stories that matter, props, costumes – anything you can use to make training more engaging or memorable, do it.” 

2. Vulnerable groups tend to transfer responsibility

Privileged users are among the most vulnerable groups in any enterprise, and they form a surprisingly large attack vector. Nearly one in five senior managers are “never” updated on cybersecurity actions, and even when they are, ownership is a major problem.

“Most of the senior leadership I have met mistakenly believe that cybersecurity is about others. They themselves are least motivated to keep up with their password change schedules and device patches due to work or travel exegesis. Unfortunately, this community is very vulnerable, and they need to be protected and disciplined first among all users,” said Arvind Mehrotra, risk and technology advisor to Birlasoft and strategic advisor to CloudFX.

Leaders, senior managers, and other privileged users are more vulnerable than other employees, given their level of access. To stave off targeted attacks like whaling, Mehrotra suggests a strict policy of ownership and accountability. 

“A clearly stated zero-tolerance policy for data loss or security breach needs to be established, where any exceptions or violations are reported to an IT general controls audit committee,” he said. 

3. Users may not care too much about their employers

Unintentional breaches arising from neglect often come down to a simple fact: users don’t care about their employer’s assets the way they care about their own.

“Recently I made a startling discovery. Year after year, training after training, my users wouldn’t apply cybersecurity best practices for protecting their employers. Then it occurred to me – they don’t care about their employer. No matter how important you say it is, unless non-compliance costs them their job, it’s not going to matter,” said Nick E Claypool, director of information technology, Early Childhood Alliance at SpiceWorld. 

This doesn’t mean that employees are selfish people with myopic perspectives. Human beings, as a whole, tend to downplay threats (as Claypool noted), and this is simply easier when the assets in question are not their own.

“So, how do we make the threat of cybersecurity attacks personal so users are willing to get behind it? The answer is, make them worry about something they will care about. This does not mean fear or paranoia, but just concerned enough to act upon it,” he mentioned. 

It is a good idea to get users on the same page about the consequences of non-compliance, its cost to the company, and its potential impact on their own lives. 


The Surprising

Interestingly, users often diminish the training’s effectiveness unwittingly, due to deep-rooted psychological reasons. Call it a “mental block,” if you will.

4. Users’ psychological makeup shapes their ability (or inability) to respond

Users could react to a security risk or incident in an unconstructive manner due to their psychological makeup and personality traits. In his personal blog, Timothy King, IT technician, educational technologist, and member of the Upper Grand District School Board, shared an experience that illustrates this problem. 

King was conducting a cybersecurity training session using simulated attacks. On booting up, the user would see a compromised Windows 10 image, complete with flashing lights and a ransomware alert. Learners knew it was a simulation, yet their knee-jerk reaction was fear, panic, and frustration. “The responses ranged from randomly mashing buttons to giving up, sitting back, and loudly commenting on how stupid everything was,” King mentions. 

Even more interesting was how specific traits like gendered reactions shaped users’ resilience to the attack. King was able to observe this across the training sessions’ morning and afternoon cohorts, which were male and gender-balanced respectively. “The problem became all the wounded male pride in the room. The students who struggled and gave up were also the ones who adamantly refused to get up and collaborate with the other people in our mono-gendered morning cohort,” he said. 

The afternoon session looked very different: “The more gender-balanced afternoon cohort was constantly communicating and hive-minded their way through the infected image so effectively that most of them actually finished it with a perfect score.”

Being aware of these propensities is often half the battle. By making users conscious of their psychological makeup and its correlation with their security response, CISOs can encourage more mindful and deliberate, rather than knee-jerk, reactions.

Trying @fieldeffectsoft‘s Cyber Range #CyberSecurity training software highlighted a number of weaknesses, many of them rooted in psychology & gender assumptions found in lots of #onted classrooms: #edtech without responsible use continues to be a problem

— Timothy King (@tk1ng), November 29, 2020


On the Positive Side

Fortunately, incidents like these also hint at their possible resolution: empathize with users to drive home the point (much like a marketer who leverages empathy to prompt customer action).

5. Making it personal and making it easy usually works

Empathy between the security team (or the IT team in smaller organizations) and end-users can make training sessions more engaging, improving the chances that the lessons will “stick.” There are two parts to achieving this: making it personal (which is what Claypool suggested), and equipping users with the tools they need to take the right action without jumping through hoops.

“When you make it personal – for example, all their online photos or family’s and friends’ – then it makes it real. There is emotion and personal value that they want to protect. By demonstrating in a non-technical way that users can easily protect their own assets (be it online photos repositories, retail websites, or banking details) you make it a habit. Users will repeat this habit in the workplace, remote office, home office, and on the move when accessing company data,” explained Barry McMahon, portfolio marketing manager – identity & access management, LogMeIn.

Next, you need to provide the tools for enforcing this habit, making it accessible to the widest possible user base at every level of the digital literacy spectrum. 

“Security leaders need to ensure that the security tools they deploy can be adopted by the many, not the few, and so the UX of security tools is more important than ever. You need the workforce to be doing the right thing even when security is not watching,” he emphasized. 

Ultimately, your game plan for getting users to care about cybersecurity will have a strategic side and a technology one. For the former, personalization is your top priority, while UX is a must-have parameter in the latter. 

Planning for What’s Next

Cybersecurity professionals have always had to walk a fine line between crippling fear and indifferent over-confidence. 

Overemphasizing FUD (fear, uncertainty, and doubt) will make employees too scared to use the internet or cloud-based services fully, impacting their work productivity and speed. On the other hand, users cannot be too over-confident – believing themselves to be immune or transferring responsibility onto someone else. The secret is to stop treating cybersecurity as an IT problem – and make it an issue for the enterprise (and the user community) as a whole.

  • Share real facts on breaches, including the extent of the damage and whether it was preventable
  • Encourage humility, telling users it is okay to be wrong as long as they ask for help
  • Don’t criminalize genuine mistakes, and make it easy to stay compliant

The above three tips can go a long way in getting users to care about cybersecurity, a threat that seems distant until it gets too close for comfort. 

Along with your usual cyber hygiene techniques like avoiding unknown websites and downloads from untrusted sources, or using a VPN, you need to address the crux of the problem and get people to start caring about cybersecurity from a meaningful, actionable, and finally advocacy point of view.

Have you faced resistance when talking about cybersecurity or information security with non-technical users? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!