In recent years, there has been a lot of discussion among practitioners, analysts and vendors about the security awareness industry – and what constitutes a good programme, how it is measured, and why.
Based on hundreds of conversations with customers of various sizes and complexity, it is clear that traditional compliance-based security awareness training methods are falling short. So, too, are our methods for measuring their effectiveness.
If the goal is to reduce the cybersecurity risk that’s related to employee actions and behaviours, then we need to move beyond raising awareness to driving sustained behaviour change and fostering a security-minded culture.
Challenges with traditional security awareness programmes
Traditional programmes to increase security awareness have long been a staple of companies’ cybersecurity efforts. Why have they not been effective?
One-size-fits-all approach
Many traditional programmes use the same generic, compliance-driven training content year after year. This approach fails to address the unique, real-world situations that employees in different roles within a business are likely to encounter.
A one-size-fits-all methodology can lead to disengagement and a lack of relevance for employees. However, offering a tailored approach can be daunting for security teams, especially if they are under-resourced.
Lack of connection to the real world
Traditional programmes may impart knowledge, but they often struggle to translate that knowledge into sustained behavioural change. Research for the 2024 State of the Phish report from Proofpoint found that more than two-thirds of employees (68%) knowingly engage in risky behaviour despite 99% of companies having a security awareness programme.
Most awareness programmes are like teaching someone how to skydive by asking them to watch a few videos and read a policy. But when that person jumps out of the plane, they become disoriented. They are not accustomed to the wind and the thin air, and they feel unsure about when to activate the parachute.
Similarly, employees who only receive passive security training may understand the concepts but struggle to apply them consistently when they face real-world threats in their daily work.
Why changing the terminology won’t work
A new term is coming up in our discussions with customers – human risk management.
Many customers tell us that they want to move to this approach. They say that they want to measure risk, but they are unsure of what to measure and how to go about doing it. Pulling in data from different vendors and sources, and making it coherent and actionable, is a challenge. They also mention that they want to use automation, gamification and other elements to improve employee engagement.
These are great tools. And, without question, we should understand risk and find ways to engage with employees more effectively. But they are just tools; on their own they do not explain how to change behaviour. That requires applying behavioural science principles and techniques, which most cybersecurity teams are not trained to do.
Some customers, analysts, and vendors call the practice of security awareness “human risk management” without understanding what that term means. It is a confusing term, and a negative one. It suggests that humans are “risky” and need to be “managed”. It perpetuates the idea that the employee is the problem, and it fosters an “us vs. them” mentality instead of an inclusive one.
At Proofpoint, we believe that there is merit in understanding employees – what they do, what they know and what they believe. That understanding must also be quantified to build a programme that promotes sustained behaviour change.
Awareness is foundational
We see it as a positive sign that customers are asking us about human risk management. Even if the term itself is negative, it gives us the opportunity to talk with customers more broadly about security behaviour and culture programmes, and the role of awareness within them.
Awareness serves as the critical foundation. It provides employees with the essential knowledge and understanding of potential threats, best practices, and the importance of keeping cybersecurity top of mind as they perform their daily work.
We don’t want to throw away the fundamentals of awareness. Rather, we must evolve them by incorporating content that is tailored to the specific roles and responsibilities of individuals within the business. This method recognises that different positions face unique cybersecurity challenges. Role-, threat- and privilege-specific knowledge is required to adopt safer behaviours and combat threats effectively.
We recommend complementing your existing programme with relevant threat education delivered in smaller bites and in various formats like:
- Interactive simulations
- Gamified experiences
- Ongoing reinforcement campaigns
We encourage our customers to look at how they can give employees guidance in real time, at the moment a decision is being made, to encourage safer choices. We recommend involvement and participation from a cross-functional group of employees. You may be pleasantly surprised to find that including them as part of the solution brings forward a wealth of creativity and engagement.
Culture reigns supreme
The concept of “culture eats strategy for breakfast” is highly relevant to security behaviour and culture programmes. It emphasises the critical role that a company’s culture plays in the success of security initiatives. Culture forms the bedrock on which security behaviours are built. Even the most well-designed security strategy will falter if it is not supported by a culture that values and prioritises security.
A security strategy outlines the plan and goals for protecting a company’s assets. But culture is what determines how effectively those strategies are implemented. No matter what vendor or technology you choose, if your business does not fully embrace a security-minded culture, then your ability to achieve sustained behaviour change in your employees is slim.
A security-minded culture starts and is sustained from the top. Keep in mind that the top extends beyond the CISO. The best programmes are also tied to the overarching key performance indicators of the business, not just the security team. They are developed with a cross-functional team that promotes accountability rather than fear. These programmes also:
- Promote increased voluntary participation
- Factor in the employee as the solution, not the problem
- Use cybersecurity metrics that relate to operational and strategic goals
Additionally, the best programmes show directly how employee activity that reduces cybersecurity incidents also:
- Improves the company’s overall risk posture
- Increases workforce productivity
- Impacts the achievement of income and cost forecasts and strategic goals
This may seem daunting to achieve, but there is a way to get started now. Gartner’s PIPE framework (practices, influences, platforms and enablers) can help you move beyond security awareness toward sustained behaviour change. It can also help you to advance a security-minded culture.
Conclusion
You need to have strong executive support, aligned goals, creativity, and the right tools to make progress toward sustained behaviour change. Just as there are no shortcuts to becoming an expert skydiver, achieving goals requires practice, guidance, and effective techniques.
At Proofpoint, we continually evolve our solutions to meet the needs of current and future customers. We welcome your feedback on our work. If you would like to learn more or continue the discussion, join us at an upcoming Proofpoint Protect conference in London, Austin or Chicago.