When SecTor opens its doors this October, it will once again be Cyber Security Awareness Month, as designated by the Canadian government. Cybersecurity awareness is certainly a serious issue, but are we getting it right? And if not, why not?
Not only is cybersecurity awareness failing in practice, but the term itself may be a misnomer: awareness is not the goal. There is a need to move from awareness to tangible behaviours, points out a 2014 report from the University of Oxford’s Global Cyber Security Capacity Centre.
Simply lecturing people about the risks of not changing their passwords is not enough. Many people already know the risks exist, yet still do not do enough to reduce them. We only have to read the latest entries in DataLossDB to know that. So how can we best change people’s behaviour?
One of the first steps is to align cybersecurity training materials with people’s own situations, says Francois van Heerden. The senior cyber security awareness specialist at Canada’s Ministry of Government Services also gave a talk on the topic at SecTor 2014.
“Cybersecurity awareness, in my personal experience, has relied on generic content in the past that wasn’t directly applicable to the user’s work environment. Canned content that is delivered the same way over and over has no impact whatsoever,” he says.
Instead, training material should relate directly to a person’s own environment, not only in the workplace, but at home, van Heerden says. Explaining how, say, a password management tool can be used to protect an employee’s online bank account in addition to their work accounts can be a powerful motivator.
Another motivator is to switch from threat-based teaching to teaching based on positive outcomes, ideally linked to personal values.
The Oxford report suggests giving people an image of their best selves; a sense of who they would like to be (responsible, a team player, a strong link in a valuable chain) and helping them to achieve this image by following cybersecurity rules, rather than simply browbeating them with the dangers of slipping up. When values align with actions, people are more inspired to follow guidelines and be productive, the report suggested.
So, understanding the values that drive people – the things that make them feel empowered and valuable – is an important part of the cybersecurity awareness process. Linking the delivery of cybersecurity guidelines to those values is a key piece of the puzzle. What techniques might help cybersecurity pros to do this?
One tool that can help create a positive impact here is gamification. Using rewards can motivate people to adopt secure behaviours, and perhaps to seek out further training. “Adults tend to be visual learners and using games will enhance learning,” van Heerden says.
However, it’s important not to be punitive here by comparing individual performance. “Rather than focus on individuals, it would be more useful to do it by branch or division when keeping leaderboards,” he adds.
So, what are the takeaways for a successful campaign? The Oxford report has some key guidelines:
- Scaring people into being more secure won’t work.
- Win their hearts and minds. By all means make people aware, but once you have their attention, follow it up. Make sure that people are willing to change, and have the motivation for doing so, by making the awareness information relevant to them at home and work.
- Give people tasks that empower them. Advice should be targeted, actionable, and doable.
- Keep revisiting. Provide regular training and feedback as they transition into a more secure culture.
- Keep the rules of behaviour consistent, and easy to follow (that includes not trying to get them to remember 15 passwords without writing them down).