Security awareness is a joke
All organisations rely heavily on the internet, investing significant resources as a means to compete in today’s global marketplace.
This investment in the internet, however, exposes organisations to risks and threats that result in major financial, intellectual property and reputational losses.
To protect against these risks and threats, organisations often turn to security technologies deployed to protect the organisation's information, people, intellectual property and finances.
Technology alone isn’t the answer to addressing security within the organisation.
Technology, people and process are the three components necessary to address the increasing amount of risk associated with physical and cyber security.
Ironically, the area that is responsible for more security breaches than the other two is people. More than 50% of all breaches are because of human error or other insider threats.
Now, we all know that Security Awareness Training is the solution to this. Run a computer-based course with your staff and all of your problems are fixed. Right? – Wrong.
Security awareness training, whether it is run once a year to tick a compliance box or run continuously throughout the year, only addresses one small section of the problem.
When most people accidentally click a phishing email, what is the first thing they do? They delete it.
Who is the first person the CEO calls when a breach has occurred? The lawyers, asking "Do we have to report this?" and "What are the consequences if we don't?"
What we really want is to address how people behave and the culture that they work in.
We need to look at how people react to certain circumstances, stimuli and situations. Knowledge/awareness alone won't change an organisation's risk profile. Just because someone has knowledge doesn't mean that they will do the right thing. If their attitude is wrong or the corporate culture is bad, then their behaviour will be in conflict with their knowledge.
Behavioural change flows from knowledge through attitude, shaped by corporate culture, to behaviour.
What's worse, with knowledge/awareness alone there is no way to measure the success of the campaign. How can you measure your security awareness training program's return on investment when you have no metrics for how people react, respond, think or feel?
To truly address the people component of security, measurements against attitude, behaviour, culture, and knowledge need to be made.
Until we all take Security Behavioural Programs seriously, with continuous measurement, refocusing, attitudinal encouragement and a focus on positive, culture-based behaviour, human beings will continue to account for a significant share of security breaches.