At the time of writing, Google tells us security awareness training is “a formal process for educating employees about computer security.” You can bet it’s a prevalent definition: the search engine sifts through every indexed web page ever written on the topic to return the single, succinct and simple sentence.
It’s also a definition that’d be easy enough to guess. The trouble is, according to a growing number of CISOs and information security professionals, the definition is wrong.
The even-worse news?
The definition could be stopping us from preventing cyber attacks.
Security awareness training is about more than awareness
The reason is simple: the old definition of security awareness training is too rudimentary. After a moment’s thought, its flaws are obvious.
The definition talks only of educating people. It says nothing of ensuring people actually do anything with their security knowledge. Instead, it assumes increasing people’s security awareness automatically changes their behaviour. But is that actually the case?
Consider passwords. Today, most people know what makes for a secure password. Yet in 2017, the most commonly used password was “123456”. Second place went to “password”. And “Whatever”, “Hello” and “Letmein”…
They all made the top 25.
So it seems like the translation of security awareness into secure behaviours isn’t as automatic as it once seemed. Which is why the old definition of security awareness training (which, by the way, more than a few training providers still work from) must be updated.
Security behaviour training
The old definition of security awareness training focused only on educating people. A better definition would surely include both educating people and changing people’s behaviour. And that has ramifications for training providers.
Once behavioural change becomes an aim, spoon-feeding people an annual dose of security awareness training becomes unacceptable. As nice as it would be, comprehension exercises are unlikely to do much to change people’s behaviour.
That’s because a change in behaviour requires effort. Learning what makes for secure passwords is easy. But actually updating passwords – that’s more difficult. Ensuring security awareness training focuses on educating people and changing their behaviour ensures the more difficult task – arguably the most important – isn’t overlooked.
The importance of culture
Even when security awareness training refers to both improving awareness and changing behaviours, it’s incomplete. A complete definition requires a nod to developing a strong cyber security culture.
In a secure culture, people behave in a secure manner by definition. In doing so, people don’t just try to avoid attacks, but consciously and actively prevent them.
Good password management prevents dictionary attacks. On-the-ball employees report phishing scams. Unexpected visitors are challenged. Suspect websites are flagged.
Developing such a culture isn’t easy. But, as today’s CISOs now point out, it’s what we should all be striving for.
The ABC of security
Security awareness training, then, is much more than just educating employees. It’s about changing behaviour and it’s about developing a secure culture, too.
Although today’s security professionals are well aware of this, updated definitions of what security awareness training actually is are sparse. So here’s an offering:
Security awareness training is a formal process for increasing people’s security awareness, eliciting secure behaviours in practice and developing a culture of security.
Awareness, behaviour and culture. The ABC of security.
Granted, the above definition doesn’t make the lives of security training providers easy. After all, it’s much easier to increase people’s security awareness than it is to change their behaviour or influence organisational culture. That may explain why training that focuses only on knowledge still exists.
Over time, though, the security training landscape will surely change.
Information security is becoming increasingly important as time goes by. And theory alone does very little to prevent attacks.