Our problem is simple: despite the layers of security tools in place, threats still get to our people. According to the latest FBI Internet Crime Report, threat volume and scale are rising too.
Here’s what one organization told me when describing some of the biggest security-related problems it faced:
If we didn’t have any users, we’d be okay.
I suspect this might be a common sentiment shared by other veterans of the industry. But it’s important to take a step back from the individual and try to understand why these threats exist in the first place.
People are driven by interests, goals and emotions. People rely on fast thinking for repetitive tasks. People have options to decide how to get from point A to point B, and sometimes they pick the wrong one. Ultimately, people make mistakes.
In the past, security teams have primarily focused on assigning periodic content to “train up” employees and prevent these mistakes. Users are tested and made aware of threats that can happen in their inbox. Security is not embedded into the workday, and the industry still leans towards a correction-based approach instead of a positive, educational one. With a shift in approach, continuous awareness can be used to create security experts across the workforce.
Giving feedback for the wins
Giving timely feedback for only poor decisions or test failures does not create a secure workforce. Implementing feedback for the wins and losses of everyday decisions does.
Phishing awareness email campaigns are the most popular form of what I consider “active” security awareness. They force users to make secure decisions alongside business decisions. And most non-cyber employees I’ve talked with are aware that this is a strategy within their company.
The problem is that people are only getting feedback for these specific tests. Corrective feedback mostly consists of messages like: “Oops, we got you! Here’s a video”. Testing and campaigns aren’t consistent, which means employees will not be consistent in keeping secure practices at the top of mind within their inbox.
Phishing tests do help. They teach users to look for signs of a phishing attempt, but it’s only a test–a checkup.
Think of your users like athletes. Repetition is the key in building expertise. Every shot on goal should get immediate feedback–whether it’s a score or a miss. Good security behaviors should be recognized and rewarded as much as bad behaviors should be corrected.
Think about what activities are positive within the organization and how you can help users recognize those throughout the workday. For example, Keep Aware gives teams the ability to add “reinforcements” to show secure, validated and popular activities like certain logins across the company.
With phishing schemes consistently getting more creative, recognizing suspicious behaviors on websites can be difficult without outside help from the security team. MFA, CAPTCHA and the like are no longer clear measures of safety. Users need to be informed about what they can’t see.
Informing employees like security experts
Having a background in security automation, I know enrichment is an important function of the security analyst role. If you’ve ever done an investigation (or several), you’re likely familiar with the following:
- Using your “go-to” set of resources to validate activity and determine the likelihood of a threat.
- After triaging the threat, starting a more in-depth investigation.
Those first thoughts and decisions that come naturally to the security team come less naturally to non-technical employees. To build up this skill set, it’s important to find ways to present feedback in real time.
One way to promote continuous awareness is through indicators of additional judgment and advice across the work environment. Google makes an example of this very clear in Gmail. Every time I try to email someone outside of my company, I see this notification:
This is one example of how a secure habit is easily translated to all employees and adds value to a business decision. Security teams need to apply their expertise across work environments for all employees.
Modeling security training to the employee
For regular training to be effective, it needs to be paired with everyday behaviors and interactions that the targeted employee actually performs. We’ve all experienced the frustration of clicking through a training video that’s not relevant (or made relevant) to our work.
Security teams should use threat modeling for employee awareness just as much as any other function. We can do this by:
- Understanding what the employee does
- Understanding what can possibly go wrong
- Determining the risk (impact x probability) of these situations and prioritizing training
While it’s important that all employees have a fundamental knowledge of threats in the workplace, keep in mind not all employees complete the same tasks. Some share sensitive information and some are overwhelmed in their inbox. For some, their most dangerous activity may be searching Google for a free utility download. Training everyone on the same content and at the same time will only get the organization so far.
Security awareness is often too focused on performance metrics and separated from day-to-day security operations and response. By obtaining data and a good understanding of business activities, we can better understand what can go wrong and determine which issues impact which employees.
Encouraging deliberate practice
This last one might be the most challenging, but you cannot have a secure work culture without encouraging deliberate practice. People who become experts want to improve.
One way to encourage practice is by understanding how games work and creating one within your security awareness program. I don’t mean “gamification” like adding preset achievements, badges and points. I mean actually using game design principles:
- easy-to-understand controls
- user goals
- encouraging exploration
- engaging competition
1. Creating an environment that has easy-to-understand controls is important. This is often a single website a user visits for training. But an environment that forms a secure culture embeds security awareness into everyday business decisions (like the Gmail example).
2. Every game has goals–these should not be points, badges and levels. Goals need to be personal. Teams and users should be able to influence, set, and track goals within the security program.
3. Security awareness programs should allow for exploration. This kind of content requires the most creativity. It could be having cybersecurity news posted throughout the company intranet and in a few words explaining why that particular threat is important to the employee or company. Or finding ways to tie optional objectives into relevant business decisions. You might have existing tools with content, puzzles or games. Think about where you could show that information to users. They could spend a minute on training during a slower work time, but it should also be embedded throughout the work environment in websites, Slack, email, and individual interactions.
4. Lastly, with a strong security awareness program in place, we can use metrics and performances between teams and groups to encourage competitions over certain months or quarters. This could also be a way to encourage exploration–the most involved teams get rewarded.
For any of your ideas, measure them. You could even A/B test them over time and understand which methods are engaged with (and which ones to throw out).
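One concrete way to run the A/B test above is to split employees into two groups that receive different feedback methods and compare the share of simulated phishing emails each group reports. The following added example (not code from the post or from Keep Aware) does that with a two-proportion z-test; the group sizes and report counts are constructed, and the 5% significance threshold is an assumption.

```python
"""A/B comparison of two security-awareness feedback methods.

Added example, not part of the original post. Group A receives feedback
only after a failed phishing test; group B receives feedback on every
decision. The metric is the share of simulated phishing emails reported.
All counts are constructed.
"""
import math


def two_proportion_ztest(success_a, n_a, success_b, n_b):
    """Return (rate_b - rate_a, z, two-sided p-value) using a pooled standard error."""
    p_a = success_a / n_a
    p_b = success_b / n_b
    pooled = (success_a + success_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    diff = p_b - p_a
    if se == 0:  # both groups reported everything or nothing: no evidence either way
        return diff, 0.0, 1.0
    z = diff / se
    p_value = math.erfc(abs(z) / math.sqrt(2))  # two-sided tail of the normal
    return diff, z, p_value


def decide(success_a, n_a, success_b, n_b, alpha=0.05):
    """Name the method with the higher report rate if the difference is significant."""
    diff, _, p_value = two_proportion_ztest(success_a, n_a, success_b, n_b)
    if p_value >= alpha:
        return "no measurable difference"
    return "B" if diff > 0 else "A"


# Constructed quarter of results: (emails reported, emails sent) per group.
GROUP_A = (60, 400)   # feedback only after failures: 15% reported
GROUP_B = (100, 400)  # feedback on every decision: 25% reported

if __name__ == "__main__":
    diff, z, p = two_proportion_ztest(*GROUP_A, *GROUP_B)
    print(f"difference={diff:.3f} z={z:.2f} p={p:.4f} -> keep {decide(*GROUP_A, *GROUP_B)}")
```

A ten-point gap on 400 emails per group is clearly significant here, whereas a two-point gap on the same sample sizes would not be; running the comparison over several quarters before throwing a method out keeps a single lucky campaign from deciding the program.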
Where we go from here
Keep Aware was created to tackle the challenge of making security a part of every decision throughout the workday. If you’re interested in learning more about Keep Aware and how we are building these ideas into organizations, check out our website or meet with me for a couple of minutes!
Lastly, an extremely supportive friend sent me a video about how people become experts (or how they don’t). I’d highly recommend watching it if you’d like to dive further into some of the points I used for this post. Each of these topics deserves its own “deep dive” post with more examples so if this interests you, stay connected and get updates on LinkedIn.
–Ryan Boerner, Founder @ Keep Aware