Organizations need to shift from promoting awareness of potential problems to embedding security habits that create a "stop and think" behavior—and affect risk positively.
By Steve Durbin
Over the past few decades, organizations have spent millions, if not billions, of dollars on information security awareness activities. The rationale behind this approach was to take their biggest asset—people—and change their behavior, thus reducing risk by providing them with knowledge of their responsibilities.
Organizations continue to heavily invest in "developing human capital." No CEO’s presentation or annual report would be complete without stating its value. The implicit idea behind this is that awareness and training always delivers some kind of value with no need to prove it—employee satisfaction was considered enough. Unfortunately, this is no longer the case.
Leaders, now more than ever, demand return on investment forecasts for the projects that they have to choose between, and awareness and training are no exception. Evaluating and demonstrating their value is becoming a business imperative.
A Reliance on Awareness Initiatives
Traditionally, organizations have run security awareness initiatives, either standalone or alongside other work. Their expectations were that imparting knowledge would motivate people to take information security seriously and act accordingly, thereby preventing incidents due to human error; detecting such incidents earlier; providing a greater resistance to threats; delaying the impact of an incident to give the organization time to respond; and deducing the overall impact of incidents.
However, this reliance on awareness initiatives—and the vast sums that have been spent on them—seems to have been misplaced. Let’s take a look at a few of the fundamental reasons why security awareness activities are failing.
Awareness programs are often deﬁned around assumptions about what people know, and how they think and feel about information security. There is a tendency to assume people are all the same and respond to the same stimuli. Unfortunately, they don’t.
People are unique, each having preferred learning styles, meaning that they absorb information and learn in many diﬀerent ways. Many awareness initiatives are based on incorrect assumptions, particularly the following reasons:
People Are Predictable And Will Do What They Are Told
In the majority of organizations, people have a choice whether or not to follow information security guidance—with their choices manifested in their observable behaviors. People are inﬂuenced by a number of diﬀerent factors such as genetics, individual thoughts and feelings, the physical environment, social interactions with other individuals, and social identity. Behavioral science indicates that, given these variables, it is extremely diﬃcult to predict or control people’s behavior.
There Is No Need To Be Persuasive
Awareness messages that fail to engage fully with people may result in them perceiving the cost of information security to be greater than the beneﬁt, meaning that there is a great deal of convincing still to do. As people are required to apply their own judgment to make the right choices, organizations must persuade them that it is worth their while to "stop and think" before clicking on a link in a suspicious e-mail. This failure to appreciate that people need to understand "What’s in it for me?" typically leads to badly aimed messaging.
The information security function—and senior business management—has unrealistic expectations about what can be achieved with typical awareness activities. At best, awareness creates only knowledge, and even that knowledge can be temporary. Whether people’s behaviors will change in accordance with their knowledge is uncertain.
Furthermore, awareness is not training; it is primarily a set of communications about the need to focus attention on information security. Training is more formal, having a goal of building knowledge and skills to facilitate improved security performance. To become habitual, behaviors have to be instilled and repeated. In short, it is unreasonable to expect traditional awareness techniques to create lasting behavioral change for many individuals.
Another unrealistic expectation is that results can be achieved quickly. Behaviors do not change and become embedded overnight. In fact, it can take years to reach everyone, and constant reinforcement will be necessary as people join the organization or change roles, and as risks evolve.
Awareness Is Background Noise
The battle for people’s attention is ﬁerce. Individuals in today’s complex organizations are expected to have knowledge of policies and procedures for a wide range of topics. Yet they still have their jobs to do, and are typically under mounting pressure to do even more. In such an environment, information security can be just another task that lands on their already crowded desk.