Enhance Training With a Security by Design Approach


Written by Jackie Bilodeau

I am the Communications Director for CGNET, having returned to CGNET in 2018 after a 10-year stint in the 1990's. I enjoy hiking, music, dance, photography, writing and travel. Read more about my work at CGNET here.

December 10, 2020

Recently the experts at the Information Security Forum (ISF) offered new guidance on how to move beyond half-hearted security awareness training toward more comprehensive strategies. This guidance couldn’t be timelier. As organizations struggle with the security implications that come with a newly remote workforce, they must also contend with the unenthusiastic attitudes toward security that have always been present. What works, they tell us, is more holistic training that includes the use of “security by design” concepts.


Bad attitude + stress = disaster


Some 65% of ISF’s membership say their employees’ receptiveness to existing security training is “very low to medium”. In the report “Human-Centred Security: Positively Influencing Security Behavior”, the most cited reasons were:

  • A lack of applicability to job roles
  • Mixed messaging
  • Poorly developed content

Add to that the shift to remote working during COVID-19, and employees are now more distracted and stressed than ever. If that weren’t enough, they now have less access to IT personnel. This is all a recipe for a security disaster. The solution? A security by design approach not only to IT systems, but to staff training as well.


What exactly is security by design?


The emphasis of a security by design approach is proactive: focus on preventing a cybersecurity breach from happening at all, rather than on how to fix things after a breach. The typical way the concept is applied within IT is through the automation of security controls. Companies address cybersecurity at the beginning of a project, so their software is designed to be secure from the outset. This reduces the likelihood that human error will compromise a company’s information security. The approach also requires a complete “security lifecycle” perspective, meaning the organization continually monitors and maintains its cybersecurity risk governance and management.


The human factor


OK, so your organization’s IT infrastructure has already been set up appropriately to help counter some of our human mistakes. While that’s a great start, it’s only part of the solution. In its report, ISF recommends a complete overhaul of security training programs. It also suggests a change to the role training plays in prompting employees to make consistently secure choices, both in the digital and the physical world. What we are talking about now is secure by design behavior.

The report sets out guidance for senior leaders on managing this risk using psychological theory. It helps us understand the key drivers of human behavior and how to influence people in a positive way through education, awareness and training. According to Daniel Norman, a senior solutions analyst at ISF, “A human-centered security program helps organizations to understand their people and carefully craft initiatives that are targeted at behavior change, reducing the number of security incidents related to human error and negligence.”


Use psychology to your advantage


I found a great article that provides insight into the role of psychology in cybersecurity training. The authors comment on two threats: a lack of understanding of the wide variety of threats at hand, and the desensitization (amounting almost to a paralysis of preparedness) that develops from the frequency with which data breaches appear in the news these days. But by getting a solid grasp on where each individual on your staff fits within this spectrum of mindsets, you can work toward training that gives everyone an opportunity to understand why it’s important that they fulfill their security responsibilities.

Once you’ve made this assessment, the next step is to break down the threats, targets, and necessary preventative actions into digestible pieces. By doing this, staff will better understand the cybersecurity risks inherent to their specific jobs. It also reveals what role they can play in maintaining security for the organization and themselves. Then, give people the tools to identify likely threat scenarios and ways to respond.

There are some good tips in the article to help you develop a strategy for security training that works specifically for your staff. I encourage you to give it a read!
