At #teissLondon2018, Head of Consulting at teiss, Jeremy Swinfen Green, explained why employee cyber risk management has to go a lot further than "awareness training".
A lot of people feel that the solution to the problem of employees (or "carbon units" in IT-speak!) being a major cyber threat is to give them “awareness training” about cyber security.
That’s certainly part of the answer. But only part. That’s because most people won’t do what you tell them just because you tell them. And even fewer people are logical about how they behave. (Incidentally I dislike the phrase “awareness training” – awareness and training are in my view two very different things. We will come on to that.)
You need to treat the problem of employee cyber risk holistically. I believe there are at least eight separate things you need to think about:
- Decide what information to protect
- Decide how to protect it
- Write readable policies that explain how and why people should behave
- Educate people about the rules in the policies
- Keep reminding them of the rules
- Motivate them to behave safely
- Reduce cultural disincentives
- Monitor, measure and adapt
Eight separate things: that sounds like a lot. But it isn’t actually. And you are probably doing many of these things already – although perhaps not coordinating them.
It does help though if you are going to do all of these eight things efficiently to work with some other people within your organisation.
Let’s go through them one by one.
Prioritise what to protect
The first thing to do is, fairly obviously, to decide what you want to protect. I don’t have to tell you that you can’t protect everything.
Classifying information properly can take some effort. A fairly new British Standard, “BS10010 information classification, marking and handling”, is a good place to start.
Once you have decided what to protect, you need to decide how to protect it.
The usability of security process is the Cinderella of cyber security. Your illogical and disobedient colleagues, or most of them anyway, don’t work in security. They have a day job and may well think that security (aka the Department of “No”) just gets in the way of them getting things done.
We know different of course. But it is very important to ensure that security processes are as invisible as possible so that people can comply with security requirements without effort. Part of that is addressing jargon. Who knows what “encryption” means? Of course you do. But why should you assume that all your colleagues understand what it means?
Now that you know how you want people to behave, you need to explain that to them. You will probably want to do this with some form of written policy.
Like the security processes, this policy document needs to be usable. It should be simple and jargon free, and include the WHY as well as the HOW of safe behaviour.
Think about the purpose of this document. Is it to cover your backside? Or is it to change people’s behaviour? It should be the latter. And if it is, then it really shouldn’t be longer than a couple of sides of A4 with references to places or people where more detailed explanation can be found if necessary.
Training and knowledge transfer
So you have decided what to protect, decided how to protect it, and codified the rules you want people to follow.
We all know that isn’t enough for your disobedient and illogical colleagues. You need to transfer this information to them, in a way that they understand and which will stick in their minds for longer than the training session lasts.
This is difficult. Computer-based training (CBT) may be part of the answer. But it is highly unlikely to be the whole answer. There are lots of different types of training you can give people – role playing, discussions, workshops, story-telling using video and cartoons. CBT is a good way of testing intellectual understanding. But it isn’t a great way of transferring knowledge. And it isn’t a great way of measuring likely future behaviour either.
By the way, training is different from awareness. Training is about knowledge transfer. Awareness is about reminding people of what they know. So the phrase “awareness training” doesn’t really make sense!
To influence behaviour you need to go beyond transferring knowledge. You need to ensure that people remember that knowledge.
Most people have stressful jobs, jobs where they are focussed on today’s problem rather than on something you told them a month ago. So you need to maintain awareness. There is nothing magic about doing this: it’s just a communications exercise. It’s fine to focus intensely on cyber security every now and then. But you need to make sure the message is always out there. And that means making sure it doesn’t become invisible through familiarity.
Your external communications team may well be better at doing this than your internal comms team!
Motivating behavioural change
You have explained to people how they should behave. And you constantly remind them. Yet your disobedient and illogical colleagues still behave unsafely. Why?
Well, why do you speed when you are driving? You know the speed limit. And you are constantly reminded of it. But you still speed. Why? Because you are not motivated to keep within the limit. Your urgency or need for excitement outweighs the potential for punishment. Or perhaps you think the limit is pointless (it’s the middle of the night and there are no other cars around). Or you hate authority. Or, or, or….
Motivating people to behave safely is probably the hardest part of a CISO’s job. And perhaps the most important.
So how can you motivate people? Well, there are some good lessons from marketing, such as these principles of persuasion from American marketing psychologist Robert Cialdini. In his book Influence: The Psychology of Persuasion, he suggests that there are six main drivers of behaviour:
- Social proof
- Commitment and consistency
Marketers have known about these for years! Security professionals can use them too. Marketing is all about changing people’s behaviour. And as a security professional, that is what you need to do.
Strengthening security culture
Motivation is a delicate thing though. It is easily damaged in the wrong climate. For instance I may be mustard keen to avoid a data breach by taking those sensitive documents out of the business on an unencrypted USB stick. But as soon as I see the boss doing it, well, I realise that it isn’t so very important to be cyber safe.
As well as training, awareness campaigns and motivational incentives, organisational culture can be strengthened by:
- Addressing the behaviour of influencers (who may or may not be senior: not all organisational culture comes from the top)
- Monitoring, measuring and publicising behaviour (good and bad)
- Creating strong teams with shared goals
- Ensuring work systems such as performance management and promotion are aligned with security goals
Of course CISOs can rarely change organisational culture. But they can identify culture, as expressed by behaviour and beliefs, that is damaging to security and work with other parts of the organisation to fix the problem.
Measure and monitor
And to spot damaging behaviour and beliefs you need to have monitoring in place.
Of course you need to be aware of issues around employee privacy. And you need to be aware of the problems with measuring something as subtle as culture. (For instance, you have to be very careful how you ask people questions in surveys, because they may well think they know the answers you want to hear.) But using a combination of techniques – surveys, focus groups, observation, behavioural measures – it is possible to measure an organisation’s culture.
It’s not easy!
Of course none of these things are particularly easy. And doing them all well is hard. But not impossible. Especially if you work with colleagues in marketing, HR, facilities management etc.
At TEISS one tool we use to achieve this holistic approach is our Internal cyber risk maturity matrix. This asks questions about five different areas of internal cyber security – governance, strategy, process, knowledge, and motivation.
Questions posed within the matrix help you decide what level of maturity you are at in these five areas:
- Ignoring: The effect of human factors on cyber security is not recognized or is ignored
- Accepting: The effects of human factors on cyber security are accepted as real but no significant attempt has been made to manage them proactively – most activity in the area is reactive
- Experimenting: Processes are being put in place to allow the proactive and repeatable management of internal cyber security risks – only parts of the organization are involved however
- Establishing: An approach to developing managed processes to control internal cyber risks of all types across the whole organization is in place
- Prioritizing: The approach to managing internal cyber risk is sustained over time, with different levels of resource allocated depending on different priorities
- Evolving: The process of managing internal cyber risk allows for the continuous development and optimization of both this model and the way that internal cyber risk is managed
The matrix will help you create a roadmap to achieving safer behaviour, defining where you are now and identifying the steps you will need to take to get where you want to be.
Of course this sort of approach needs to be combined with methods designed to evaluate technological defences and identify risks deriving from weak processes. But if the human factors that contribute to cyber security are ignored, then no amount of software or process redesign will keep you safe.
Humans really are the “weakest link” in the cyber security chain. But with the right approach, they can be turned into the strongest part of your cyber defences.