Behaviour change in cybersecurity is paramount to building a strong security culture in any organisation. To be truly effective it cannot be treated as a one-and-done project, because continued and targeted behavioural training and development produces the best results.
When employees are only given infrequent training, once or twice a year, you are dumping a large amount of technical information on them about cybersecurity threats. This has been shown to be ineffective: without frequent practice, employees will not retain how to deal with a potential breach or attack.
Behaviour change, when used in conjunction with training, is a proven way to minimise employee cyber risks whilst also refreshing and fortifying the strength of your organisation’s overall security. It is fine being a compliant organisation, but without true behaviour change, are you truly strengthening your security practices?
Behaviour change refers to the development and transformation of human behaviour. Human behaviour is made of conscious and subconscious, as well as voluntary and involuntary actions. If you can get a hold of behaviour and mould it to your specifications, you can transform your security culture.
So, how do you encourage behaviour change? Running and maintaining frequent threat-related tests/activities, such as phishing games, gives users hands-on experience with cyber threats and gives them a practical chance to spot dangers and report them. Often, organisations do not put enough stock in the human aspect of cybersecurity even as we see an increase in social engineering attacks, which are becoming increasingly sophisticated.
When you put in place an employee-first cybersecurity training programme, you not only change people’s behaviours, you also minimise the risk to your company. If you focus only on awareness training, you are not creating new habits; you are dumping information that you hope your employees will engage with and retain. When awareness training is paired with practical training and efforts to change behaviour, you can decrease the risk of human error.
Today, we will be looking at why behaviour change should be at the top of every organisation’s security agenda and how one can apply different tools, programs, and tactics to encourage effective cybersecurity behaviour change.
Behaviour change provides employees with the knowledge, skills, and practice to do the right thing, and to do it effectively, in the event of an attack or breach. If you have only supplied training, employees may know the rules but not act on them. By changing their security behaviours, you change the way they will act in that moment to better fit safer practices.
With behavioural change, you can cut out skill-based errors, decision-based errors, and knowledge-based errors all in one go. Employees represent the biggest possible attack surface for your organisation. So, the more employees you have, the bigger your risk potential is. If every single employee is not getting frequent practical training, it only takes one underdeveloped individual to pose a massive vulnerability for your organisation.
Subscribing to employee-focused training, which uses behaviour science and activities to teach people about social engineering attacks is a proven way to reduce risk. It is also a great way to measure the progress of development in an organisation to see if any gaps in security remain. You can then feed this back into developing your security program moving forward – because cybersecurity awareness is ongoing and needs to be frequent.
No matter how engaging and comprehensive your security training may be, people still make errors and fall victim to phishing if their core behaviours have not changed. Social engineering attacks are getting craftier, using fear or the guise of a trusted authority figure to trick employees into a breach.
Without behavioural change and frequent updates on social engineering attacks, backed by refresher courses and tools, people will push security behaviours into subconscious, automatic activity, opening the possibility of a mistake or error. That is why we need to not only teach employees how to spot online dangers but also keep these protocols frequently refreshed and always accessible. We want employees to make conscious and informed decisions rather than incorrect subconscious ones.
The first move in any behaviour change program is to understand an organisation’s employees; how do they behave? What do they consider important? What learning do they digest? And what motivates them? TSC’s SABR (Security Awareness and Behaviour Research) tool uses a comprehensive questionnaire to assess all the above in an organisation’s security culture and more. SABR can assess the strength of a cohort’s security awareness, if there are any potential gaps and how best to plug those gaps.
There is no one universal way to incite behaviour change in an organisation as each organisation is different, from industry-type to employee structure. However, there are tactics that should be present in all behaviour change programs. We will run through some below:
These five fundamentals need to be considered for every behaviour change programme: they not only ensure the information is taken seriously (authority and incentivisation), they also put the onus on the employees (championing, targeting and commitment) – which means employees must take security measures seriously.
At TSC we assess each organisation’s security culture individually and, as a result, address deficiencies specifically. However, there are fundamentals when putting together a behaviour change program.
When you build your security culture around improving overall behaviour, you are elevating yourself above simply raising awareness. With behaviour change, you are reducing risk through a continuous and engaging process. This is because by reflecting on actions and employee nature, you can design a better and constantly relevant security program.
Building cybersecurity awareness, especially in relation to new and emerging threats, is the backbone of TSC’s offering. No matter the attack surface or platform, TSC’s service will ensure your employees are aware of, and knowledgeable about, the threats they will come across.
If you would like more information about how The Security Company can support you to minimise the risks your organisation is facing, please contact Jenny Mandley.
© The Security Company (International) Limited 2023