It is a curious reality that employees are swiftly punished for violating information security policy while organizations show so little interest in providing those same employees with adequate cybersecurity awareness training.
In a survey conducted by Enterprise Management Associates (EMA), only 56 percent of employees said that they receive cybersecurity awareness and policy training. While this finding is bewildering enough on its own, let’s delve deeper and ask an even more important question: of the organizations training that 56 percent, how many employ behavioral conditioning practices to reinforce the information their employees are being taught?
While simple reliance on punitive consequences merely stabilizes negative behavior, positive reinforcement promotes positive change. It ignites a response in the individual that drives compliance through their human desire to please. A human being’s natural instinct is to trust and accommodate, which is exactly what social engineers prey upon in their respective attack methodologies.
Employees are an organization’s most valuable, yet most vulnerable and least developed, asset when it comes to providing adequate information security. Those who violate policy by clicking on a malicious email link, entrusting their network password to a complete stranger, allowing a stranger to piggyback on their building access credentials as they hold the door open in an act of kindness, failing to lock their computer screens when leaving their desks, etc., are often chastised for their violations and, in some cases, terminated.
What leadership fails to understand is that non-compliant employees are products of a system lacking not only cybersecurity awareness education and policy, but also the behavioral conditioning needed to cement that knowledge in its subjects. Just as one wouldn’t return a puppy to the pet store because it wet the floor after simply being told not to, employees may be behaviorally conditioned through more positive, less negative engagement that not only prompts cessation of a negative behavior, but encourages growth of positive behavior above and beyond common expectations.
A 2015 research report out of Northumbria University, UK, identified the following seven factors, each believed to play an active role in employees’ compliance with organizational information security policy (ISP):
Self-efficacy: An individual’s beliefs about their competence to cope with a task and exercise influence over the events that affect their lives.
Social influence: The extent to which an individual’s behavior is influenced by what relevant others (e.g. colleagues) expect him/her to do and the extent to which they believe others are performing the behavior.
Attitude: The individual’s positive or negative feelings toward engaging in a specified behavior.
Perceived susceptibility: An individual’s assessment of the probability of events happening to them.
Perceived severity: An assessment of the seriousness of a security threat and its associated consequences.
Response efficacy: The belief in the benefits of the behavior.
Response costs: Beliefs about how costly performing the recommended security behavior will be. These costs include money, time, and the effort expended.
Rather than relying upon basic cybersecurity awareness education to act as an annual reminder of dos and don’ts, cybersecurity compliance conditioning that offers a more immersive experience by appealing to each of the seven factors above is likely to produce results of far superior quality.
Recent innovations in cybersecurity awareness that have proven quite effective in addressing these seven factors include behavioral conditioning technologies that disseminate mock phishing attacks across production environments. The driver behind this approach is not simply to educate users about potential cybersecurity threats and leave it at that, but to test the organization’s awareness education through simulated phishing attacks that collect data on employee responses. Such feedback is extremely valuable to the organization: it pinpoints areas warranting greater attention and also makes clear that the organization is watching and expects a high degree of compliance from its employee base.
Taking things one step further, coupling such an approach with a simple reward system provides positive reinforcement of proper response measures throughout the organization. This may be exercised amongst not only individual employees, but potentially entire divisions within the company. Fostering a healthy sense of internal competition exercises the social influence factor to appeal to each employee’s desire to succeed in a team cause and refrain from becoming the weakest link.
Additionally, this approach appeals to the attitude, response efficacy and response cost factors within participants, as the prospect of a reward that is personally rather than merely organizationally relevant increases the likelihood of cybersecurity compliance. In such a system of positive reinforcement, the intelligence gained through behavioral conditioning technology would be used to rank organizational divisions from most to least compliant, with the most compliant division receiving a specified reward, such as a catered lunch or other group function.
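One way to turn the per-recipient results of a simulated phishing campaign into the division ranking described above, as an added example that is not part of the original article. The sample records, the scoring rule (reports minus clicks) and the minimum sample size are assumptions; divisions with too few recipients are left out of the ranking so that a single response cannot decide the reward.

```python
from collections import Counter

# Constructed results of a mock phishing campaign (not real data): one record
# per recipient, outcome is "reported", "ignored" or "clicked".
SAMPLE_RESULTS = [
    ("Finance", "reported"), ("Finance", "reported"),
    ("Finance", "ignored"), ("Finance", "clicked"),
    ("Engineering", "reported"), ("Engineering", "ignored"),
    ("Engineering", "ignored"), ("Engineering", "reported"),
    ("Sales", "clicked"), ("Sales", "clicked"),
    ("Sales", "ignored"), ("Sales", "reported"),
    ("Legal", "reported"),  # a single recipient: too few to rank fairly
]

def summarize(results):
    """Per-division counts and rates from (division, outcome) records."""
    counts = Counter()
    for division, outcome in results:
        counts[(division, "sent")] += 1
        counts[(division, outcome)] += 1
    stats = {}
    for d in {division for division, _ in results}:
        sent = counts[(d, "sent")]
        stats[d] = {
            "sent": sent,
            "click_rate": counts[(d, "clicked")] / sent,
            "report_rate": counts[(d, "reported")] / sent,
        }
        # Assumed scoring rule: reward reporting, penalize clicking; ignoring is neutral.
        stats[d]["score"] = stats[d]["report_rate"] - stats[d]["click_rate"]
    return stats

def rank_divisions(results, min_sample=3):
    """Most to least compliant, skipping divisions with fewer than min_sample
    recipients; ties break on lower click rate, then on division name."""
    stats = summarize(results)
    eligible = [d for d, s in stats.items() if s["sent"] >= min_sample]
    return sorted(
        eligible,
        key=lambda d: (-stats[d]["score"], stats[d]["click_rate"], d),
    )

if __name__ == "__main__":
    stats = summarize(SAMPLE_RESULTS)
    for place, d in enumerate(rank_divisions(SAMPLE_RESULTS), start=1):
        s = stats[d]
        print(f"{place}. {d}: score={s['score']:+.2f} "
              f"click={s['click_rate']:.0%} report={s['report_rate']:.0%}")
```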
The rationale behind this concept is that the monetary cost of such a reward system is far outweighed by that of security breach cleanup, damage to company reputation, legal expenses, etc., while employee efforts toward organizational cybersecurity compliance are boosted in a proactive rather than reactive manner.
If your organization is caught in the endless churn of information security awareness education that goes no further than the classroom, you’d be well-advised to consider incorporation of these methods into your education practices. In doing so, you’ll effectively revolutionize your company’s educational landscape, fostering compliance through hands-on application of principles and the prevailing desire to succeed as a team.