In recent years, there has been a lot of discussion among practitioners, analysts and vendors about the security awareness industry: what constitutes a good program, how its effectiveness is measured, and why.
Based on hundreds of conversations with customers of various sizes and complexity, it is clear that traditional compliance-based security awareness training methods are falling short. So, too, are our methods for measuring their effectiveness.
If the goal is to reduce the cybersecurity risk that’s related to employee actions and behaviors, then we need to move beyond raising awareness to driving sustained behavior change and fostering a security-minded culture.
Challenges with traditional security awareness programs
Traditional programs to increase security awareness have long been a staple of companies’ cybersecurity efforts. Why have they not been effective?
One-size-fits-all approach
Many traditional programs use the same generic, compliance-driven training content year after year. This approach fails to address the unique, real-world situations that employees in different roles within a business are likely to encounter.
A one-size-fits-all methodology can lead to disengagement and a lack of relevance for employees. However, offering a tailored approach can be daunting for security teams, especially if they are under-resourced.
Lack of connection to the real world
Traditional programs may impart knowledge, but they often struggle to translate that knowledge into sustained behavioral change. Research for the 2024 State of the Phish report from Proofpoint found that more than two-thirds of employees (68%) knowingly engage in risky behavior despite 99% of companies having a security awareness program.
Most awareness programs are like teaching someone how to skydive by asking them to watch a few videos and read a policy. But when that person jumps out of the plane, they become disoriented. They are not accustomed to the wind and the thin air, and they feel unsure about when to activate the parachute.
Similarly, employees who only receive passive security training may understand the concepts, but they struggle to apply them consistently when faced with real-world threats in their daily work.
Why changing the terminology won’t work
A new term keeps coming up in our discussions with customers: human risk management.
Many customers tell us that they want to move to this approach. They say that they want to measure risk, but they are unsure what to measure or how to go about it. Pulling in data from different vendors and sources, and making it coherent and actionable, is a challenge. They also say they want to use automation, gamification and other elements to improve employee engagement.
These are great tools. And, without question, we should understand risk and find ways to engage employees more effectively. But they are just tools, and on their own they do not change behavior. Changing behavior requires applying behavioral science principles and techniques, which most cybersecurity teams are not trained in.
Some customers, analysts, and vendors call the practice of security awareness “human risk management” without understanding what that term means. It is a confusing term, and a negative one. It suggests that humans are “risky” and need to be “managed.” It perpetuates the idea that the employee is the problem, and it fosters an “us vs. them” mentality instead of an inclusive one.
At Proofpoint, we believe in a human-centric approach to cybersecurity. This means understanding how technology, social factors and organizations themselves shape the way people understand and interact with cybersecurity. NIST refers to this as human-centered cybersecurity, or "usable" security. To build an effective security behavior and culture program, we need to deeply understand employees: what they do, what they know and what they believe. What's more, we need to quantify that understanding. Only then can we design a program that creates sustained behavior change.
Awareness is foundational
We see it as a positive sign that customers are asking us about human risk management. Even if the term itself is negative, it gives us the opportunity to talk with customers more broadly about security behavior and culture programs, and the role of awareness within them.
Awareness serves as the critical foundation. It provides employees with the essential knowledge and understanding of potential threats, best practices, and the importance of keeping cybersecurity top of mind as they perform their daily work.
We don't want to throw away the fundamentals of awareness. Rather, we must evolve them by incorporating content that is tailored to the specific roles and responsibilities of individuals within the business. This approach recognizes that different positions face different cybersecurity challenges. Role-, threat- and privilege-specific knowledge is required to adopt safer behaviors and combat threats effectively.
We recommend complementing your existing program with relevant threat education delivered in smaller bites and in a variety of formats, such as:
- Interactive simulations
- Gamified experiences
- Ongoing reinforcement campaigns
We encourage our customers to look at how they can provide more real-time guidance that nudges employees toward safer choices at the moment they act. We also recommend involving a cross-functional group of employees in the program. You may be pleasantly surprised to find that including them as part of the solution brings forward a wealth of creativity and engagement.
Culture reigns supreme
The concept of “culture eats strategy for breakfast” is highly relevant to security behavior and culture programs. It emphasizes the critical role that a company’s culture plays in the success of security initiatives. Culture forms the bedrock on which security behaviors are built. Even the most well-designed security strategy will falter if it is not supported by a culture that values and prioritizes security.
A security strategy outlines the plan and goals for protecting a company's assets. But culture determines how effectively that strategy is implemented. No matter what vendor or technology you choose, if your business does not fully embrace a security-minded culture, your chances of achieving sustained behavior change in your employees are slim.
A security-minded culture starts and is sustained from the top. Keep in mind that the top extends beyond the CISO. The best programs are also tied to the overarching key performance indicators of the business, not just the security team. They are developed with a cross-functional team that promotes accountability rather than fear. These programs also:
- Promote increased voluntary participation
- Factor in the employee as the solution, not the problem
- Use cybersecurity metrics that relate to operational and strategic goals
Additionally, the best programs show directly how the employee behaviors that reduce cybersecurity incidents also:
- Improves the company’s overall risk posture
- Increases workforce productivity
- Impacts the achievement of income and cost forecasts and strategic goals
This may seem daunting to achieve, but there is a way to get started now. Gartner's PIPE Framework can help you move beyond security awareness toward sustained behavior change, and it can help you advance a security-minded culture.
Conclusion
You need to have strong executive support, aligned goals, creativity and the right tools to make progress toward sustained behavior change. Just as there are no shortcuts to becoming an expert skydiver, achieving goals requires practice, guidance and effective techniques.
At Proofpoint, we continually evolve our solutions to meet the needs of current and future customers. We welcome your feedback on our work. If you would like to learn more or continue the discussion, join us at an upcoming Proofpoint Protect conference in London, Austin or Chicago.