Building the Human Firewall: Exploring Behavioral Change in Security Awareness and Culture.
The latest findings from the IBM X-Force® Threat Intelligence Index report highlight the changing tactics of attackers. Attacks in which criminals exploit valid credentials to infiltrate systems instead of using traditional hacking methods surged by 71%. The use of infostealer malware rose 266%, highlighting its role in obtaining these credentials. The attackers’ goal is simple: obtain valid credentials by taking the path of least resistance, often through unsuspecting employees.
Organizations have invested millions of dollars developing and implementing cutting-edge technologies to strengthen their defenses against these threats, and many are already running security awareness campaigns. Why can’t they stop these attacks?
Challenges of traditional security awareness programs
Most security awareness programs today provide employees with the information they need to deal with common topics like data protection, GDPR rules, and phishing.
However, this approach has one major weakness: it does not take human behavior into account. Programs typically follow a one-size-fits-all approach, with employees completing an annual, generic computer-based training module with slick animations and short quizzes.
The training provides the information employees need, but because it is rushed and lacks personal relevance, employees often forget it within just four to six months. This can be explained by Daniel Kahneman’s theory of human cognition. According to the theory, every individual has a quick, automatic, intuitive thought process called System 1, and a slow, deliberate, analytical thinking process called System 2.
Traditional security awareness programs primarily target System 2 because they require information to be processed rationally. However, without sufficient motivation, repetition, and personal significance, the information usually goes in one ear and out the other.
Understanding employee behavior
Almost 95% of human thinking and decision-making is controlled by System 1, our habitual way of thinking. Humans face thousands of tasks and stimuli a day, and much of the processing is done automatically and unconsciously, through biases and heuristics. The average employee works on autopilot, so to ensure that cybersecurity risks are ingrained into everyday decisions, you need to design and build programs that truly understand how employees intuitively work.
To understand human behavior and how to change it, several factors need to be assessed and measured, with the support of the COM-B Behavior Change Wheel:
- First, assess your employees’ capability: the knowledge and skills needed to engage in safe online practices, such as creating strong passwords and recognizing phishing attempts.
- Then check whether they have sufficient opportunity: an environment that enables secure behavior, including the availability of resources such as training programs, policies and procedures.
- Lastly, and most importantly, understand your staff’s level of motivation: the willingness and drive to prioritize and adopt security actions.
Understanding and assessing these three areas can help you pinpoint areas where behavioral change is needed and design interventions that target your employees’ intuitive behaviors. Ultimately, this approach helps organizations foster their first line of defense through developing a more cyber-aware workforce.
Creating a positive cybersecurity culture
Once the root causes of behavioral issues are identified, attention naturally turns to building a security culture. The prevailing challenge in today’s cybersecurity culture is that it is rooted in fear of error and of blame. This mindset fosters negative perceptions of cybersecurity, resulting in low training completion rates and minimal accountability. This approach needs to change. But how can this be achieved?
Above all, we need to rethink our approach to these initiatives and move away from a compliance-driven model that focuses solely on awareness. Security awareness training remains important and should not be overlooked, but training methods must be diversified to create a more positive culture. They should embrace role-specific programs that integrate experiential learning and gamification, such as engaging cyber range exercises facilitated through IBM X-Force, alongside organization-wide training. You can also reinforce a positive culture through organization-wide campaigns and events, such as building a network of cybersecurity champions and holding awareness-raising months.
Once these initiatives are selected and implemented to create a positive and strong cybersecurity culture, it is essential to secure support from all levels of the organization, from senior management to entry-level employees. Only with a unified, positive message can you truly change the culture within your organization.
If you don’t measure human risk reduction, you won’t know what’s effective
Having identified behavioral issues and implemented programs aimed at fostering a positive culture, the next step is to establish metrics and criteria for success. Measuring the effectiveness of a program requires answering a fundamental question: to what extent have you reduced the risk of cybersecurity incidents resulting from human error? A comprehensive set of metrics is needed to measure risk reduction and overall program success. Traditionally, organizations have relied on methods such as simulated phishing campaigns and proficiency testing, with mixed results. One modern approach is risk quantification, a method of assigning a financial value to the human risk associated with a specific scenario. Incorporating these metrics into your security culture program will help you assess success and continuously improve over time.
Collaborating with IBM to build a human firewall
The changing cybersecurity landscape requires a comprehensive approach that addresses the critical human element. Organizations must foster a positive cybersecurity culture through leadership engagement and innovative initiatives. This must be combined with effective metrics to measure progress and demonstrate value.
IBM offers a variety of services to help clients shift their programs from a purely cognitive, information-based approach to one focused on human behavior. We can help you evaluate and tailor your organization’s interventions to the motivations and habits of your employees, empowering every individual to become a proactive guardian of your cybersecurity and nurturing a resilient first line of defense against emerging threats.