Most security awareness training attempts to raise awareness only. To decrease risk, Security awareness training must raise awareness, change behaviour and build a culture of security.
It’s an unfortunate fact, evident to both those who work in security and those who don’t, that security awareness training in its current form isn’t working.
Security awareness training is now a regulatory requirement in many industries. Even in industries in which it isn’t, organisations large and small voluntarily invest in security awareness training in an effort to prevent data breaches. And yet data breaches are still commonplace – with human error often being either a cause or catalyst in the majority of breaches.
It’s clear, and it has been for a long time, that traditional tick-box security awareness training efforts aren’t working. And they’re not working because they make little or no effort to change people’s behaviour.
What is the ‘ABC’ of information security?
To reduce human cyber risk, security awareness training must go beyond raising awareness and should also focus on changing behaviour and building a culture of security simultaneously – together known as ‘ABC’.
Most security awareness campaigns focus only on awareness, the A. That’s all well and good. But if raising awareness fails to change people’s behaviour in practice (which is frequently the case), raising it becomes pointless.
It’s for precisely that reason that more and more security insiders now believe it’s only by addressing security awareness, behaviour and culture in tandem that human cyber risk can be reduced. And yet, despite the rhetoric, most security awareness training shows little sign of doing so.
How to improve information security ABC
With most security awareness training behind the times, how can you truly tackle the human aspect of cyber security?
There is no simple answer – but at CybSafe, our cloud-based solution begins with advanced data analytics.
The power of advanced data analytics, AI and applied machine learning is undeniable – and it’s a power that the CybSafe platform leverages to advance users’ security awareness, behaviour and culture in one. CybSafe learns individual knowledge levels, behaviour patterns and cultural metrics. It then applies this understanding to protect users online – all the while measuring progress to highlight vulnerabilities, replicate successes and demonstrably reduce human cyber risk. It’s intelligent software that improves information security ABC.
Improving ABC with behavioural sciences
Of course, it’s not just about analytics and machine learning. To reduce human cyber risk, you somehow need to nudge the right behaviours in the right direction in the first place. Simply applying machine learning to tick-box security awareness training wouldn’t do much good: unfortunately, there simply isn’t enough meaningful data to learn and act on.
CybSafe course content is therefore developed in partnership with psychologists and behavioural scientists who have an expert understanding of what it takes to change human behaviour. For the most part, behavioural change techniques are entirely absent from tick-box security awareness campaigns.
By folding insights from behavioural sciences into security awareness campaigns, and then by using data analytics to repeat successes, security awareness training can begin to improve information security ABC.
Focusing on ABC to demonstrably reduce cyber risk
The moniker “security awareness training” has become misleading. It suggests that to increase human cyber defences, all we need to focus on is increasing security awareness – which is probably why tick-box training is still the accepted norm. Today, to those in the know, the definition of security awareness training has evolved.
To reduce your human cyber risk, it’s important that your security awareness training focuses on advancing security awareness, behaviour and culture simultaneously. Doing so creates a virtuous circle in which improvements in one area flow into the next. Raising awareness lays the foundation for changes in behaviour. Secure behaviours nurture a culture of security. And, completing the circle, a culture of security advances awareness.
Improving ABC has been a vision of Chief Information Security Officers for some time now. The vision is now a reality.