Rebooting security awareness: From hygiene to resilience

The expectation - that security behaviours will change if your employees know what they need to do and if they know their firm’s security policies - is flawed. Knowledge is just a part of behaviour change; the real challenge that many organisations face is to work to ensure their people care, are motivated and have the ability and the confidence to act in the right way at the right time.

In this blog we cover: 

• Hygiene factors to consider for effective cyber awareness training
• Case study of a UK Government organisation with 80,000+ staff & how it transformed its security awareness journey
• Learning points for anyone trying to bring about organisational behaviour change
• Merits and demerits of gamification

How to change security behaviours was the predominant theme of the first webinar hosted by Cyber Management Alliance and RESILIA Frontline in January 2020. Building on the discussions and the helpful insights of the first edition, the second webinar titled ‘Rebooting security awareness: From hygiene to resilience’ assessed some practical issues faced in developing and managing security behaviour change. In this insightful session, Amar Singh – Founder & CEO of Cyber Management Alliance, Nick Wilding - General Manager, Cyber Resilience, AXELOS Global Best Practice and Head of RESILIA Frontline and Stuart Coulson – Director, Hidden Text, discussed the most effective ways to build a cyber-vigilant and resilient workforce.

Cybersecurity Awareness Training Factors

The three security professionals started the discussion by summing up the key takeaways from the first webinar and reiterating some hygiene factors that have to be taken into account to build a cybersmart culture within an organisation.

1. Security and IT teams must work hard to better understand the daily frustrations of employees in meeting company security policies. We need to identify and balance the typical disconnect between security policies and employees’ day-to-day operation priorities and functions.
2. The quality and relevance of training content is key. If we aren’t taking the time to make security communications compelling, engaging and targeted, we are going to fail at the first hurdle in trying to bring about any desired behaviour change. 
3. Ideally, security training needs to be embedded into day-to-day activities. Frictionless training can be seamlessly incorporated into our everyday activities to make the initiative relevant and effective.
4. Don’t flood employees with a whole range of new cyber-risk training. Behaviour change will happen over time and it must be made relevant and valuable for everyone involved. For example, provide advice to your employees about their own digital skills at home in protecting their own and their family’s information.
5. It is essential to prioritise training in areas of known critical risk. Any organisation will know where its critical human vulnerabilities lie, and training money and resources should be focused in these areas first and foremost. This includes understanding that not all people need training in all areas – target training where it’s needed most.
6. Organisations that have to comply with new and changing regulations and compliance, must evaluate if these regulations impact their employees’ security behaviours, for example GDPR. If the answer is yes, then these must be translated into very simple guidelines that employees actually need to know.
   
7. Behaviour change requires regular reminders, tests and refreshers. Delivering an engaging awareness training communications campaign is of paramount importance. Conducting only annual training exercises is like saying, “I’m going to get fit” and then going to the gym once a year.

It’s clear, therefore, that there is no awareness training silver bullet. Different approaches and different techniques will work in different organisations to support different security cultures, brand values and business priorities. However, there are some fundamental principles that can make training effective and result in recognisable behaviour change.

Cybersecurity awareness Case Study   

Stuart Coulson shared his experience of working on security awareness training with one of the UK’s largest government departments.  The organisation of more than 80,000 employees previously used an Excel-based quiz as a security training tool.

The problem with the organisation’s existing training approach was that it focused on the metrics of who completed the quiz rather than what the desired learning outcome was. There was a clear need to automate things and enhance the content in a way that would yield real results, actually engage the audience and give them the confidence that they could do the right thing in case of an attack. 

One of the foremost things that Stuart helped the organisation understand was that metrics are indispensable in measuring the success of security awareness training. In the absence of metrics that can show what the ROI has been, awareness workshops are of no value to the business. Security awareness is not about fixing an IT problem, it’s about fixing a critical business problem and that has to be the starting point for any investment.

The other obstacles that Stuart overcame while creating a successful training programme for this organisation were:

1. The lack of pathways with the existing communications teams, across the department.
2. Competition for front-page real estate on the Intranet made awareness building hard. 
3. Poor implementation of the Intranet made the situation worse.
4. Internal competition and priorities between team members. 
5. The different style of working that civil servants have as compared to employees of a private organisation. 

Here are some of the learning points that emerged in this case study for anyone trying to bring about ‘people’ change in an organisation:

1. Know that when your project manager isn’t supportive and doesn’t use appropriate project management skills, things won’t happen. The impact can be mitigated using your own personal project management skills to engage people and to get things moving.
2. Be well-aware of the business and learning outcomes that you’re expected to deliver.
3. The person sponsoring your work may not be the same as the manager in-charge of the project and that can make things more difficult than is necessary due to conflicting interests. 
4. Making effective communication pathways across the organisation is critical to successful change management.
5. It is most important to understand the language and the medium in which your audience wants to receive training and information. The approach and processes you put in place will succeed or fail depending on your understanding of the existing organisational culture.
6. The support and sponsorship of your executive team is critical. It’s a great opportunity for them to demonstrate to their staff how important security awareness is to their organisation and also to make the staff aware that they know that they’re as vulnerable as anyone else.

Gamification for raising security awareness 

Stuart and Nick then responded to a question regarding the merits and demerits of gamification in delivering security awareness. Nick noted that gamification can be highly successful but only if it’s based on a solid understanding of the audience, what your preferred learning outcomes are and that the approach fits with an organisation’s current training culture.

RESILIA Frontline, for instance, has a phishing game where the learner is put into the shoes of the attacker with access to multiple phishing templates. The learner can attack different organisations with different levels of security maturity. The critical point is that the learning comes after an attack is made – the learner is advised why the attack succeeded or failed and what not to do in his/her daily work life to make these vulnerabilities possible. Defining learning objectives and outcomes is imperative for the success of gamification.

Nick concluded the webinar by quoting the UK’s National Cyber Security Centre, which said in 2019: “Security that doesn’t work for people, doesn’t work!”

He also highlighted the growing positive change in organisations increasingly rewarding good security behaviours instead of punishing bad behaviours. This in turn helps build a more confident workforce, one that is happier to report any suspicions they might have and to discuss experiences (from home as well as work) with colleagues and managers. It is important to shift every organisation’s culture from one where people are scared to admit mistakes to one where they feel happy to share what they’ve learnt from their experiences. The ultimate takeaway as Amar puts it is: “Stop trying to change culture in a day, stay focussed on behavior change.”

Founded in 2015 and headquartered in London UK, Cyber Management Alliance Ltd. is a recognised independent world leader in Cyber Incident & Crisis Management consultancy and training. The organisation is renowned globally as the creator of the flagship Cyber Incident Planning and Response course certified by the UK Government’s National Cyber Security Centre. 

Cyber Management Alliance has serviced over 300 enterprise clients in multiple verticals including government, banking, finance, IT, consultancies, healthcare, oil & gas and retail across 38 countries. It has carved a niche by assessing, building and improving its clients’ Cyber Incident & Crisis Management capabilities through training, tabletop exercises, health checks and audits. Today, Cyber Management Alliance has a global and diverse network of over 80,000 cyber executives and practitioners worldwide.

About RESILIA Frontline and AXELOS

RESILIA® Frontline is GCHQ certified cyber awareness training. As engaging and innovative training it is designed to provide simple, practical cyber resilience best practice advice to all employees and it’s delivered using innovative new training techniques designed to maximise adoption and sustain behaviour change.

 AXELOS Global Best Practice is a joint venture company, created by the Cabinet Office on behalf of Her Majesty's Government (HMG) in the United Kingdom and Capita plc, a FTSE 100 organisation. Formed in 2013 AXELOS owns, promotes and grows a Global Best Practice portfolio, including ITIL®, RESILIA™, PRINCE2® and the other PPM products, used in organisations in the private, public and voluntary sectors in more than 150 countries worldwide.

 Listen to the full webinar Check out Cyber Management Alliance’s BrightTALK channel here.