Why Security Awareness Programs FailBy Steve Durbin
Why Security Awareness Programs Fail
By Steve Durbin
Over the past few decades, organizations have spent millions, if not billions, of dollars on information security awareness activities. The rationale behind this approach was to take their biggest asset—people—and change their behavior, thus reducing risk by providing them with knowledge of their responsibilities.
Organizations continue to heavily invest in "developing human capital." No CEO’s presentation or annual report would be complete without stating its value. The implicit idea behind this is that awareness and training always delivers some kind of value with no need to prove it—employee satisfaction was considered enough. Unfortunately, this is no longer the case.
Leaders, now more than ever, demand return on investment forecasts for the projects that they have to choose between, and awareness and training are no exception. Evaluating and demonstrating their value is becoming a business imperative.
A Reliance on Awareness Initiatives
Traditionally, organizations have run security awareness initiatives, either standalone or alongside other work. Their expectations were that imparting knowledge would motivate people to take information security seriously and act accordingly, thereby preventing incidents due to human error; detecting such incidents earlier; providing a greater resistance to threats; delaying the impact of an incident to give the organization time to respond; and deducing the overall impact of incidents.
However, this reliance on awareness initiatives—and the vast sums that have been spent on them—seems to have been misplaced. Let’s take a look at a few of the fundamental reasons why security awareness activities are failing.
Awareness programs are often deﬁned around assumptions about what people know, and how they think and feel about information security. There is a tendency to assume people are all the same and respond to the same stimuli. Unfortunately, they don’t.
People are unique, each having preferred learning styles, meaning that they absorb information and learn in many diﬀerent ways. Many awareness initiatives are based on incorrect assumptions, particularly the following reasons:
People Are Predictable And Will Do What They Are Told
In the majority of organizations, people have a choice whether or not to follow information security guidance—with their choices manifested in their observable behaviors. People are inﬂuenced by a number of diﬀerent factors such as genetics, individual thoughts and feelings, the physical environment, social interactions with other individuals, and social identity. Behavioral science indicates that, given these variables, it is extremely diﬃcult to predict or control people’s behavior.
There Is No Need To Be Persuasive
Awareness messages that fail to engage fully with people may result in them perceiving the cost of information security to be greater than the beneﬁt, meaning that there is a great deal of convincing still to do. As people are required to apply their own judgment to make the right choices, organizations must persuade them that it is worth their while to "stop and think" before clicking on a link in a suspicious e-mail. This failure to appreciate that people need to understand "What’s in it for me?" typically leads to badly aimed messaging.
The information security function—and senior business management—has unrealistic expectations about what can be achieved with typical awareness activities. At best, awareness creates only knowledge, and even that knowledge can be temporary. Whether people’s behaviors will change in accordance with their knowledge is uncertain.
Furthermore, awareness is not training; it is primarily a set of communications about the need to focus attention on information security. Training is more formal, having a goal of building knowledge and skills to facilitate improved security performance. To become habitual, behaviors have to be instilled and repeated. In short, it is unreasonable to expect traditional awareness techniques to create lasting behavioral change for many individuals.
Another unrealistic expectation is that results can be achieved quickly. Behaviors do not change and become embedded overnight. In fact, it can take years to reach everyone, and constant reinforcement will be necessary as people join the organization or change roles, and as risks evolve.
Awareness Is Background Noise
The battle for people’s attention is ﬁerce. Individuals in today’s complex organizations are expected to have knowledge of policies and procedures for a wide range of topics. Yet they still have their jobs to do, and are typically under mounting pressure to do even more. In such an environment, information security can be just another task that lands on their already crowded desk.
Why Security Awareness Programs Fail
So what is special about information security and where does it ﬁt with people’s competing priorities? What will change the attitudes of "it won’t happen to me," "It’s not my problem" and "The technology will protect me" that remain front of mind for so many people? It’s far from certain that awareness activities will answer these questions, as they demand time from people for seemingly little return.
Beyond a certain threshold, it’s likely that increasing workplace demands will be ignored or met with attempts to circumvent them. Therefore, it is entirely rational for people to reject security advice from both an economic and workload perspective. The importance of getting things right and not using people’s time wastefully simply cannot be overstated.
In addition, many organizations treat information security awareness as a checkbox exercise undertaken primarily for compliance reasons. This typically receives a uniform response of "Thank goodness that’s over for another year." Even if the initiative is more than just a checkbox exercise, it has quite likely failed in its objective as people have not engaged with how and why the message is relevant to them. This often results in people feeling that information security is simply an obstacle that "stops the job getting done."
The Commercial Driver Should be Risk
Organizations need to shift from promoting awareness of the problem to creating solutions and embedding information security behaviors that aﬀect risk positively. The risks are real because people are imperfect. Many organizations recognize people as their biggest asset, yet they still fail to recognize the need to secure the human element of information security.
Instead of simply making people aware of their information security responsibilities and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in "stop and think" behavior becoming a habit and part of an organization’s information security culture. While many organizations have compliance activities which fall under the general heading of security awareness, the real commercial driver should be risk, and how new behaviors can reduce that risk.
The time is right and the opportunity to shift away from awareness to tangible behaviors has never been greater. The C-suite has become more cyber-savvy, and regulators and stakeholders continually push for stronger governance, particularly in the area of risk management. Moving to behavior change will provide the CIO with the ammunition needed to provide positive answers to security awareness and training questions that are likely to be posed by the CEO and other members of the senior management team.
About the Author
Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber-security, BYOD, the cloud and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
To read his previous CIO Insight article, "Security Strategies Must Be Integrated," click here.