Traditionally, cybersecurity awareness training programs have taken a tough love approach. Protecting people from clicking the wrong thing in an email–and thereby opening a Thanos-sized portal to a data breach apocalypse–meant punishing them into compliance. Phishing awareness training models have thus been designed to humiliate employees with booby prizes like rubber chickens, punish them with extra training, sentence them to phishing prison, or even terminate them for failing a phishing attack simulation. The guiding success metric for such programs has been the pass/fail rate of phishing simulations, which are often delivered infrequently and with dry, stale content in a cookie-cutter format.
But phishing attack breaches continue to rise. That’s chiefly because everything about the traditional punitive approach is misguided. It makes neither individuals nor organizations safer, while alienating infosec teams and torpedoing cybersecurity culture.
As Ryan Wright and Jason Bennett Thatcher wrote in their Apr. 1 Harvard Business Review article, “Phishing Tests Are Necessary. But They Don’t Need to be Evil,” employees view punitive training as unfair, unethical, and unjust. Companies’ focus on awareness training, they concluded, should instead be on empowering employees rather than disenfranchising them. Otherwise, they said, cybersecurity becomes seen as “agents of harm, which, in turn, evoke feelings of betrayal by the organization.”
Most importantly? One-size-fits-all punitive training results in low employee engagement and poorer outcomes. Facing down a constantly-expanding threat landscape, information security leaders know that achieving engagement is key for ongoing awareness and behavior change. More and more CISOs are thus rethinking the negative approach to cybersecurity awareness training and opting for carrots over sticks. And the results have been transformative.
“We’ve taken that classic traditional methodology of doing security training–where it can be very punitive, and we’re punishing the users for messing up or breaking the rules–and I would say we’ve seen the light,” said Garrett Cook who, along with Michael Barone, built positive experience into the cybersecurity culture at G2, the world’s leading software review site. “We’ve seen what’s possible if you make the experience for the user engaging and interesting, and make them a participant and not just a recipient. That really helps with engagement, and it drives trust in the security team, which I think is very important.”
A Jan. 2021 Forrester report, “How To Manage The Human Risk in Cybersecurity,” stressed a hearts-and-minds approach to cybersecurity. In addition to creating a positive experience around cybersecurity training, the Forrester report emphasized behavior change over awareness. Too often, the authors said, security programs dwell on passing awareness tests at the cost of achieving real risk-reducing awareness and behaviors.
“Traditional approaches to security communication are limited to perfunctory one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely effect long-term behavioral change,” states the report.
Traditional training is not just a culture killer but, as indicated by Verizon’s 2021 Data Breach Investigation Report, it also obscures an organization’s true risk of a breach.
“Additionally, real phishing may be even more compelling than simulations. In a sample of 1,148 people who received real and simulated phishes, none of them clicked the simulated phish, but 2.5% clicked the real phishing email.” —DBIR 2021
The DBIR continued:
“Verizon Media believes the simulations and training offered by most security education teams do not mimic real life situations, do not parallel the behaviors that lead to breaches, and are not measured against real attacks the organization receives. This is why it is important to progress from the traditional security awareness model to that of using behavioral science to change the habits that lead to attack path breaking actions.”
To achieve sustainable behavior change, the Forrester researchers, meanwhile, recommended building a “human-centric” security program, one designed to make people enthusiastic about their personal cybersafety and that of their employer. Such a human-centric approach includes:
“Unless people feel positive about the topic of security, the capabilities of your team, and you as a leader, you will struggle to get them to truly buy into the need for security,” stated the Forrester report. It continued, “Choosing transformative initiatives that engage hearts and minds ensures that your stakeholders are not only aware of security but understand why it’s important. Without creating a connection, no amount of training will change their behavior for the long term.”
The evolving threat landscape demands an adaptive and engaging training solution people actually like
Verizon’s 2021 Data Breach Investigation Report found that attacks and breaches were climbing across the board, and 85% of breaches involved a human element (other estimates usually put this figure between 90% and 95%). Of these breaches, phishing was present in 36%, up from 25% the year before. To be clear, phishing emails are not spam; they represent an organization’s biggest risk of a data breach at its most vulnerable attack point–employees. Where some forms of attack can take many months to bear fruit, the DBIR noted that phishing attacks are the fastest attack vector for hackers to compromise a system, be it from following a link to a credential harvesting site, downloading a malware-infested .pdf, or engaging in a business email compromise (BEC) impersonation scam.
People are often not equipped to respond to attacks in an increasingly hazardous threat landscape. Advanced technologies, along with organized and state-sponsored cybercrime, are accelerating changes in the threat landscape, as MIT Technology Review reported in “An innovation war: Cybersecurity vs. cybercrime.” AI and deepfake technologies, for instance, are making attack emails increasingly indistinguishable from legitimate communications. Meanwhile, business is booming for cybercrime-as-a-service; easily downloadable phishing kits are democratizing email attacks by matching technical sophistication with the criminal intent of anyone, anywhere.
Moreover, the DBIR reported a doubling of breach incidents in 2021 via ransomware, 23% of which came by email and 30% by credential compromise. Ransomware became infamous in the May 2021 Colonial Pipeline attack by the organized cybercrime gang DarkSide—described by the New York Times in May 2021 as embodying the new ‘ransomware as a service’ illicit business model. The New Yorker, meanwhile, described in May 2021 the explosion of the global ransomware economy as an outgrowth of organized kidnapping-for-ransom schemes.
This all points to a mushrooming threat landscape fertilized with bitcoin. Awareness training needs to adapt, lest more people get snagged by newer, scarier cyber scams.
Positive cybersecurity culture and the human firewall
No security filter will ever stop every phishing email from slipping through to employee inboxes. Petri Kuivala, CISO of NXP and former CISO of Nokia, told us that the sheer volume of attacks on large corporations meant thousands of email attacks still landed in employee inboxes daily even after 99.99% of attacks had been caught by the technical layer. At that point, it’s up to people to respond correctly.
But it’s up to the information security team to empower people with knowledge and reporting tools. According to the Forrester report, that means rebranding the infosec team’s image as enablers in order to affect widespread culture change.
“The biggest obstacle to security leaders’ efforts today is the image of security itself. The nonsecurity workforce sees the security team as hoodie-wearing basement-dwellers and punishers who enforce policies that make everyone else’s workday more difficult — so it’s no surprise that security policies and initiatives meet resistance. Organizations must rebrand security as a business enabler instead of a business nuisance so that employees are more receptive to security policies and can protect their business, themselves, and their families.”
Positive experience, engagement, and habit change
The best way to break bad habits is to replace bad behaviors with good ones. With smokers, it can be about replacing cigarettes with chewing gum and exercise. In the cybersecurity context, it’s about hitting the report button instead of clicking a dangerous link. But to make threat reporting a habit, users must be nurtured along a positive, individual learning path.
Writing in CEO World, George Finney, Chief Security Officer at Southern Methodist University and author of “Well Aware,” urged business leaders to not only know what and where their crown jewels are, but to recognize that their employees are the crown that holds those jewels.
“I did hundreds of interviews with CEOs, lawyers, accountants, and other executives to find successful leaders who’ve made a difference in cybersecurity so that we can follow their examples,” wrote Finney. “And what I found was that you don’t need to be a cyber expert to make a difference in security. The best organizations when it comes to cybersecurity are the ones that don’t use fear to enforce their culture. The ones that were most successful used positive messages and had empathy for their employees, which helped everyone make a difference.”
Building positive experience into cybersecurity culture
For Garrett Cook and Michael Barone, the cybersecurity architects at G2, it came down to practicing security as their cultural values preached: with positive user experience. The IT veterans had needed to stay nimble and work fast to construct the security systems of G2 throughout its rocket-propelled growth. But in 2020, with the perimeter installed, they began seeing the cultural dimension of security with greater clarity.
Being at G2, where positive experience is in the corporate DNA, they turned their own company’s values and software selection wizardry around on themselves to find a new solution.
“When you work in security, you hear all the time that your users are your weakest link,” said Garrett. “But as an infosec leader, if you can make what you do more engaging, more fun, more interesting, they’re more likely to trust us. They’re more likely to respect the requirements… Users are more willing to reach out, ask questions, report suspicious things. Because, frankly, if they’re afraid of you, or they don’t trust you, they’re not going to say anything. And our eyes are not everywhere. We can’t predict– we can’t protect—everything.”
Michael agreed, adding that engagement has increased dramatically since the adoption of Hoxhunt and related reward-based security initiatives. Organizational buy-in has helped elevate the security team’s position at G2.
“We get a lot more positive feedback. We didn’t necessarily get complaints about the old tool, but nobody cared about the old tool, either. It was just kind of there, doing what it did. Now we get people coming forward and saying, ‘Hey, this is great, we’re engaged, we really enjoy interacting with the tool that you guys are using.’ And it just elevates (and) makes us a little bit more important and it gets more eyes on the importance of information security as a whole.”
If training is not engaging, be it because the material is too hard, too easy, too dry, or too irrelevant, it’s effectively reproducing the bla-bla-bla, wah-wah-wah experience of the classroom teacher in the Peanuts cartoons. As Kevin DeLange, CISO of IGT gaming technologies, told us, people need to be challenged with real world scenarios all the time in order to build awareness. But it must be done in a positive way that encourages their participation. For him, a positive experience built on gamification has been a game-changer.
“Not everybody learns the same way,” he said. “Some people are visual learners, some people are textual learners. You can’t have a comprehensive solution without factoring in different approaches to this. That’s really what I’ve tried to do is to incorporate all those elements to prepare and arm our employees with the right mindset for awareness.”
“I always, for better or worse, fall back on the carrot and stick analogy. You want to make this as positive an interaction with the employee as you possibly can. But if an employee fails a test, the fact that Hoxhunt offers that immediate feedback and microtrainings, I think that is a relatively painless stick… Within our company, at least with executive management, I have had really high marks and good feedback from them on the gamification aspect of the Hoxhunt training, which I never would have predicted before.”
Out with the old, in with the new
Petri Kuivala was a visionary of the positive, gamified approach to cybersecurity awareness training. Too often, he said, information security leaders feared new approaches because they’d be exposed to blame for failure.
But those who have braved the change have seen highly positive results.
“We haven’t identified any risks of shifting the way we do things to a positive experience approach,” said Garrett Cook. “Frankly, I only see it as pure upside. It really encourages the users to participate, and we’ve seen really strong engagement. Because, frankly, my opinion is there’s no bigger disincentive to participation than if that threat of punishment is always looming over your head. No one’s like… ‘Okay, well, you failed three trainings in the past year and now you’re fired.’ I think that’s just the wrong mindset to have about these sorts of things…
I think the only thing that I wish we would have done differently is that we would have done this sooner.”