case study

Building DocuSign's award-winning cybersecurity training program

Client logo
About icon
About

Pioneering the development of e-signature technology, DocuSign (DOCU NASDAQ)helps organizations connect and automate how they prepare, sign, act on, and manage agreements. As part of the DocuSign Agreement Cloud, DocuSign offers eSignature: the world's #1 way to sign electronically on practically any device, from almost anywhere, at any time.

Headquarters: San Francisco, California

Founded: 2003 in Seattle, Washington 

Employees: 7,800


Challenge icon
Challenge
Shifting from a compliance-based to risk-based awareness training strategy, DocuSign wanted to unify their existing piecemeal, and overly manual, phish training system into an automated program psychologically geared for behavior change and built around threat reporting.
solution icon
Solution
Hoxhunt provided an automated phish awareness solution that allowed DocuSign to deliver frequent, ongoing training in a personalized and positive way at scale. The psychological reward-for-success framework of Hoxhunt aligned with DocuSign’s unusual approach to learning and behavior change under the leadership of their Director of Trust & Security Training & Awareness.
Key takeaways:
Featured image

“Hoxhunt gives someone a button and makes it so easy to report a threat that it becomes ingrained as an instinctive behavior. The button is key to behavior change, and that’s what I was looking for: something that would actually get people to participate frequently enough that the lessons would stick and their behavior would change.” -- Lisa Kubicki, Director, Trust & Security Training & Awareness at DocuSign


Results

  • Award-winning awareness program with Hoxhunt as a key feature–CSO50 2021
  • Enhanced security culture
  • Flexibility to adapt from Microsoft to Google Workspace
  • New Google Workspace button add-on, based in large part on Docusign’s requests and feedback
  • Success rate: 56.1 %
  • Fail rate 7.2 %
  • Engagement rate: 53% and-growing


Security awareness outside the box

DocuSign overhauled their security awareness training program beginning with the non-traditional hire of Lisa Kubicki, who now serves as Director, Trust & Security Training & Awareness at DocuSign. Kubicki came to DocuSign with little security or tech experience after 20 years of delivering leadership development and change management at universities such as Stanford and Cornell. 


Uniting her expertise in human behavior/human change management with security awareness, she and the DocuSign Trust & Security team innovated a new phishing training approach to drive a more engaged and secure corporate culture founded upon employee behavior that reduces risk of the human element. The governing philosophy was laid out as thus:

“What we need to advance the Trust Culture, the individual commitment and responsibility that each DocuSign employee feels and puts into maintaining the highest level of security and trust possible, is to have employees engage with trust much more frequently than they currently do. They need to see it, read it, play with it, hear it, and do it daily. This won’t require a huge time commitment by them, but it will require that we have some of their time, short little bites of time on a regular basis. To get them to commit to that time, it must be fun, rewarding, and meaningful. It must connect to what’s important to them and how they are evaluated on their performance. It must overcome elements of how the brain works so that we get a more secure, more trusted, and more committed trust culture. We must both acknowledge and encourage the desired behaviors.”

 

Good brain / bad brain psychology

Her psychology-grounded approach to behavior change training includes what she calls Bad brain / Feed the brain elements.

Bad brain elements (and how to overcome them):

  1. Practice, practice, practice! The Ebbinghaus forgetting curve – 70% of new information is forgotten in 1 day, 90% is forgotten in 30 days. Without reinforcement, repetition and rewards for doing things the right way, our employees will not remember who, or what, or how, or why…they will just keep doing the same old things that are easy and have been working for them.
  2. Short learning experiences. George A Miller’s research on short term-memory – since 1965, we have known that our short-term memory can only hold 5-9 chunks of information at a time and that worsens in today’s hyper tech world as we “think” we are multitasking (but really are task switching which eats up a ton of brain power and means you hold on to even less in the short-term).
  3. Make threat reporting a reflex. Henry Roedinger’s recall research – without having to use the new information that one gains, your brain doesn’t move it to long-term memory and the forgetting curve isn’t counteracted. People need to be forced to recall the right behaviors and actions via quizzes and reinforcement they actively participate in.
  4. Carrots, not sticks. When an employee feels like they have failed, their morale is hurt and their connection to what matters is decreased – this stick, rather than carrot, focuses on behaviors that we don’t want and are not reinforcing what we do need from employees.

The good news, her report continues, is that we also know how to feed the brain the dopamine hits that reward it and make it want to do it again, and again, and again.

Feed the brain elements: 

  1. Instant reward. Skinner’s operant learning theory – tells us that by rewarding employees immediately when they do the right thing, it becomes sticky and the brain is eager to do it again. This builds positive behaviors that become rote from repetition.
  2. Second nature actions or Rinse and repeat. Martin Broadwell’s 4 levels of competence – depicts the learning mind moves from an unconscious incompetence to conscious incompetence through conscious competence and ultimately to the unconscious competence where things are second nature, performed easily, repeated often and do not disrupt other work.
  3. Make it easy and obvious. BJ Fogg’s model for behavior change B=MAP – tells us that behavior will only happen when someone is motivated, they have the ability to perform, and there is a prompt at the same moment to perform the action.
  4. Reinforcement strengthens. Donal Hebb, “Neurons that fire together, wire together.” – behaviors that occur at the same time as rewards are activated in the brain via neural pathways, are far more likely to reoccur as the brain wants that dopamine hit again and again, so positive reinforcement needs to be immediate and consistent.
  5. As little as 15 min/month. Osterman Research – has found that employees who complete just over 15 minutes of security training/month see themselves as part of and contributing to their organization’s security culture.

“I had to make sure we came at people in a carrot-not-a-stick way for security awareness training. We needed to get people incentivized to want to do it. When I came in, security had that Big Brother reputation of being the “No” team. We needed to turn that around so people understood that we are here to help them do their work successfully and securely. Now, as a whole, the security team is seen as great partners and people you can go to with any weird, random questions.” – Lisa Kubicki


Why Hoxhunt?

The first phishing platform they selected got the program started. But it was overly manual and lacked sufficient depth in its templates and functionality for long-term growth of the program. 

Once DocuSign’s security posture matured, Hoxhunt was chosen from a group of 17 options. It checked all the learning-and-behavior-change boxes for DocuSign’s Trust and Security team. An as an automated platform, it would deliver sustainable results with individualized training content sent on an ongoing basis, and in a way that fosters trust and positive reinforcement. The smart algorithm, which adjusts  training content to user needs and skill level, was also a significant plus.

The Chief Trust and Security Officer supported Kubicki’s behavior change model and her selection of Hoxhunt based on its positive reinforcement approach, culture-building potential, increased frequency and, perhaps most importantly, the reporting button functionality. 

“It’s important that Hoxhunt rewards people for successful reports with a follow-up screen that says, ‘Hey you did the right thing. Great job! Here’s a gold star and the next shield, and now you’re further up on the leader board…’ I love the shield rankings. They motivate positive influencers to build a secure culture in the spirit of healthy competition. And for those not as interested in the gamified aspects, Hoxhunt is easy to use and readily available on desktops and mobile devices alike."


Security ABCs

Kubicki oversees what she calls the Trust ABCs: Awareness, Behavior, and Culture, all of which have improved with Hoxhunt. Introducing a new email awareness initiative with Hoxhunt at its center was challenging for the Trust team as it coincided with a major migration of corporate systems. Even so, Hoxhunt has been well-received by leadership and employees alike. The Trust & Security team have been impressed with how the adaptive learning model matches simulation difficulty levels with employees’ progressive skill levels; it gives them real confidence in where their people and the organization stands in terms of strengths & weaknesses and social engineering risk.


Award-winning awareness program

Ultimately, Kubicki has built and run a CSO50 2021 award-winning security training and awareness program, in which Hoxhunt plays a significant role. In spite of—or perhaps because of--not having a technical background herself, Kubicki says that senior leadership and her colleagues alike are comfortable coming to her with security-related questions. Security culture and trust has been elevated, internal communications have been streamlined to support issues and concerns, and the security team’s profile has moved from the Department of NoNoNo! to the Team of Let’s Do It Securely with Excellence.

This is your Brain on Trust: Lisa Kubicki joined the CISO Sandbox