Building the human firewall: Navigating behavioral change in security awareness and culture
The latest findings of the IBM X-Force® Threat Intelligence Index report highlight a shift in the tactics of attackers. Rather than using traditional hacking methods, there has been a significant 71% surge in attacks where criminals are exploiting valid credentials to infiltrate systems. Infostealers have seen a staggering 266% increase in their utilization, emphasizing their role in acquiring these credentials. Their objective is straightforward: exploit the path of least resistance, often through unsuspecting employees, to obtain valid credentials.

Organizations have spent millions developing and implementing cutting-edge technologies to bolster their defenses against such threats, and many already have security awareness campaigns, so why are we failing to stop these attacks?

Challenges of traditional security awareness programs

Most security awareness programs today provide employees with the information they need about handling data, GDPR rules and common threats, such as phishing. However, there is one major weakness with this approach: the programs don’t consider human behavior. They typically follow a one-size-fits-all approach, with employees completing annual generic computer-based training with some slick animation and a short quiz. While this provides necessary information, the rushed nature of the training and the lack of personal relevance often result in employees forgetting the information within just 4-6 months.

This can be explained by Daniel Kahneman’s theory on human cognition. According to the theory, every individual has a fast, automatic and intuitive thought process, called System 1. People also have a slow, deliberate and analytical thought process, called System 2. Traditional security awareness programs primarily target System 2, as the information needs to be rationally processed. However, without sufficient motivation, repetition and personal significance, the information usually goes in one ear and out the other.

It is crucial to understand employees’ behaviors

Nearly 95% of human thinking and decision making is controlled by System 1, which is our habitual way of thinking. Humans are faced with thousands of tasks and stimuli per day, and a lot of our processing is done automatically and unconsciously through biases and heuristics. The average employee works on autopilot, and to ensure that cybersecurity issues and risks are ingrained in their day-to-day decisions, we need to design and build programs that truly understand their intuitive way of working.

To understand human behavior and how to change it, there are a few factors we must assess and measure, supported by the COM-B Behavior Change Wheel.

- First, we need to know employees’ capabilities. This refers to their knowledge and skills to engage in safe online practices, such as creating strong passwords and recognizing phishing attempts.
- Then, we need to identify whether there are sufficient opportunities for them to learn, including the availability of resources such as training programs, policies and procedures.
- Lastly, and most importantly, we need to understand the level of employee motivation and their willingness and drive to prioritize and adopt secure behaviors.

Once we understand and evaluate these three areas, we can pinpoint areas for behavioral change and design interventions that target employees’ intuitive behaviors. Ultimately, this approach aids organizations in fostering a first line of defense through the development of a more cyber-aware workforce.

We need to foster a positive cybersecurity culture

Once the root causes of behavioral issues are identified, attention naturally shifts toward building a security culture. The prevailing challenge in cybersecurity culture today is its foundation in fear of error and wrongdoing. This mindset often fosters a negative perception of cybersecurity, resulting in low completion rates for training and minimal accountability. This approach requires a shift, but how do we accomplish it?

First and foremost, we must reconsider our approach to initiatives, moving away from a solely awareness-focused, compliance-driven model. While security awareness training remains vital and should not be overlooked, we must diversify our educational methods to foster a more positive culture. Alongside broad organizational training, we should embrace role-specific programs that incorporate experiential learning and gamification, such as the engaging cyber ranges facilitated by IBM X-Force. Furthermore, organization-wide campaigns can reinforce the notion of a positive culture, involving activities like establishing a network of cybersecurity champions or hosting awareness months with diverse events.

Once these initiatives are selected and implemented to cultivate a positive and robust cybersecurity culture, it’s imperative that they receive support from all levels of the organization, from senior leadership to entry-level professionals. Only when there is a unified, affirmative message can we truly transform the culture within organizations.

If we don’t measure human risk reduction, we don’t know what works

Now that we’ve identified the behavioral challenges and implemented a program aimed at fostering a positive culture, the next step is to establish metrics and parameters for success. To gauge the effectiveness of our program, we must address a fundamental question: to what extent have we mitigated the risk of a cybersecurity incident stemming from human error?

It’s crucial to establish a comprehensive set of metrics capable of measuring risk reduction and overall program success. Traditionally, organizations have relied on methods such as phishing campaigns and proficiency tests, with mixed results. One modern approach is risk quantification, a method that assigns a financial value to the human risk associated with a specific scenario. Integrating such metrics into our security culture program enables us to assess its success and continuously enhance it over time.

Collaborate with IBM and build the human firewall

The shifting landscape of cybersecurity demands a comprehensive approach that addresses the critical human factor. Organizations need to cultivate a positive cybersecurity culture supported by leadership engagement and innovative initiatives. This needs to be coupled with effective metrics to measure progress and demonstrate the value.

IBM offers a range of services to help our clients pivot their programs from awareness to a focus on human behavior. We can help you assess and tailor your organization’s interventions to your employees’ motivations and habits, and help you foster a resilient first line of defense against emerging threats by empowering every individual to be a proactive guardian of cybersecurity.

Discover your cybersecurity solution