By Dr Lee Hadlington, Senior Lecturer in Cyberpsychology,
Nottingham Trent University
In the dark ages of information security awareness, many researchers and IT professionals had a very dim view of the ‘human’ element within the system. The common parlance for many system administrators was to refer to the Problem in the Chair, Not in the Computer (or PICNIC). Likewise, a raft of researchers used the term ‘the weakest link’ to refer to the end-user in the context of organisational information security.
In order to overcome these issues, many organisations adopted what they believed to be cutting-edge hardware and software, and all breaches in cybersecurity ended. Well, no, they didn’t, and why? Because the end-user is canny, resourceful, determined, and they know best. If they think their way is a better way of doing something, and this means circumventing your five- or six-figure cybersecurity suite, they will do it.
Let’s be realistic for a minute: we will never stop all breaches in information security so long as humans form a considerable part of the equation. However, if we adopt a new way of approaching information security awareness, not only from a training but also engagement perspective, we can sow the seeds of change. The following tips will help you do that:
Explore what your employees know
All too often, employers make massive assumptions about what their employees should know or be doing in the context of information security. From research, we have noted that this is a considerable overestimation, and often the knowledge employees have is incomplete, or prone to exaggeration. If the foundation on which employees are making their decisions about information security awareness is flawed, then their respective behaviours will be too.
Exploring the knowledge of your employees doesn’t have to be a massive undertaking, and it doesn’t have to be boring and disengaging. Approaching this by using monthly quizzes and focus group sessions can provide some quick feedback, as well as reassuring employees that their views and opinions matter.
Engage and encourage
All too often, the potential consequences of not following the rules surrounding information security are couched in ways that already make employees defensive: negative consequences, threats associated with non-compliance, and a general authoritarian tone. Now, this isn’t to say that employees shouldn’t follow the rules, or that there shouldn’t be consequences, but research has consistently shown that framing the consequences of an action negatively, or threatening punitive action, doesn’t engage individuals.
An alternative approach is to explain why following the rules is important, in a way that employees can understand and relate to; keeping the company safe, not creating unnecessary work for their colleagues, and keeping customer data safe are all ways of positively framing their information security behaviours.
Make training relevant
A usual conversation I have with employees around information security awareness is about their training and education. The stock response to the question ‘Do you get any training?’ is usually ‘Yeah, it’s an online course, I didn’t really pay much attention to it, and you get loads of attempts to pass if you get stuff wrong!’
Many companies attempt to tick the information security awareness box with off-the-shelf, one-size-fits-all training packages. They are generally (and I know, I have watched most of them) boring, dull, unengaging and filled with irrelevant information about rules, policies and acronyms. Most employees will game-play these sessions, retain information just to pass, and actually remember very little about what they have learned.
Creating a training programme that is engaging and informative and achieves its key aims doesn’t mean you have to employ celebrities or put on snazzy, over-the-top events. Focus group sessions are an effective mechanism for approaching this, and this can be done in a cascade process where employees train other employees.
Similarly, engaging guest speakers has also been shown to be an effective way of getting employees to think about their actions, and can inform debate and discussion across all groups. Regular feedback about how their behaviours are helping the organisation (e.g. we stopped X number of attacks this month) is also important – it helps employees know they are doing something.
There is no magic bullet, and nothing is ever easy when it comes to engaging employees in information security awareness, but it doesn’t have to be a hard slog. If you know your employees, and develop a co-operative relationship with them, part of the battle is won. Creative training doesn’t have to be costly, and targeting an approach that taps into common issues within an organisation can save time and money, and reduce the ‘I already do this’ rhetoric from employees.