How effective are current security awareness campaigns? According to recent research, not very. A 2014 Google study of phishing activity via Google forms found success rates ranging from 45 percent for well-crafted forms all the way down to 3 percent for poorly worded forms that should have never fooled anyone. Alan Paller, director of research at the SANS Institute, reportedly said that “95 percent of all attacks on enterprise networks are the result of successful spear phishing.” And Kevin Mitnick, the chief hacking officer at KnowBe4, recently summarized the state of the human firewall with this somber statement: “Even after 20 years, social engineering [e.g., phishing] is still the easiest way into a target’s network and systems, and it’s still the hardest attack to prevent.”
Current Awareness Programs Are Lacking
The good news is that awareness training has become a burgeoning field within the information security services industry, as evidenced by Gartner’s release of its first “Magic Quadrant for Security Awareness Computer-Based Training Vendors” report, which analyzed programs from 19 vendors. The bad news is that the majority of the strategies used in corporate security awareness campaigns today still follow the same old approach, with an IT person looking down at users and telling them they’re wrong for behaving in a certain manner.
What many people responsible for security awareness campaigns seem to have forgotten — or perhaps never really learned — is that this entire domain is not about IT; it is about human behaviors (externally visible) and the underlying human psychology that drives such behaviors (internal to each employee). Laura Bell, founder of SafeStack, recently summarized the state of security awareness today: “If you want a bit of fun, please go and Google ‘information security awareness posters,’ and go and see what the world has to offer us. … These do not work. This is not how humans learn. We’ve forgotten about the entire world of education, but we’ve found clip art.”
We have to do better. The security and privacy of the data entrusted in all of us depends on it. “A shift in corporate culture toward an environment that values data privacy and security is imperative,” Larry Ponemon, chairman and founder of Ponemon Institute, wrote earlier this year. “Focus on changing people and changing behaviors toward the belief that protecting company data is everyone’s responsibility.”
Noteworthy Behavioral Science Strategies
What does an effective behavior changing campaign look like? We can take inspiration from other disciplines:
- In 2014, Public Health England launched a campaign to increase handwashing among the public. Its main weapon in changing human behavior was the visualization of bacteria on the fingers of a hand after handling raw chicken, touching an old dishcloth, using the bathroom and cleaning a kitchen surface that was used to prepare raw meat.
- The importance of framing one’s message for the audience cannot be overstated. In 2013, the U.K. tested some new language aimed at improving organ donor registration. The addition of this one-line, two-sentence statement was selected as the winner, projected to boost registration by an extra 96,000 participants, or 10 percent, each year: “If you needed an organ transplant, would you have one? If so, please help others.”
- Can a country increase its tax revenue just by using the right wording? In a research paper titled “The Behavioralist As Tax Collector: Using Natural Field Experiments to Enhance Tax Compliance,” the U.K. tax collection authority tested the effectiveness of message framing on late taxpayers. They sent one of five different wordings to 100,000 individual taxpayers and measured the impact of each message. Can you spot the winner?
- Basic norm: “Nine out of 10 people pay their tax on time.”
- Country norm: “Nine out of 10 people in the U.K. pay their tax on time.”
- Minority norm: “Nine out of 10 people in the U.K. pay their tax on time. You are currently in the very small minority of people who have not paid us yet.”
- Gain: “Paying tax means we all gain from vital public services like the NHS, roads and schools.”
- Loss: “Not paying tax means we all lose out on vital public services like the NHS, roads and schools.”
The winning phrase was the minority norm message. It generated an extra £2.367 million (approximately $3.76 million) in taxes paid in just 23 days.
Governments and businesses have already realized the value of properly targeted messages. The U.K. government leveraged the services of the CGI Group, an IT and business process service company, to achieve its aims. Here are some of the key lessons from the company’s issue paper, “Using Behavioral Sciences to Improve Government Debt Collection“:
- People are heavily influenced by who is communicating with them.
- People put undue weight on recency.
- Most people will do what others do.
- People are strongly influenced by others “like them.”
- Personal messages are more effective.
- People are inclined to follow preset options.
- People are drawn to things that are novel and relevant.
- People tend to behave consistently with their public promises.
- Most people want to do the right thing.
Applying Lessons to Security Awareness Campaigns
Are your current security awareness campaigns leveraging these insights from behavioral science? How can you apply these concepts to your next awareness campaign? If you still run campaigns in-house, here are some suggestions:
- Move the responsibility for planning, deploying and reviewing your next information security campaign from IT to either the human resources or marketing department, or a special-purpose ad hoc unit with leadership from both of those groups. Provide this team with access to subject matter expertise from the ranks of IT security. As Kai Roer, creator of the Security Culture Framework, said recently in an interview, security awareness programs “fail because information security people do not understand how people function.” Get awareness out of IT.
- Start quantifying the risks that certain classes of employees and/or actions pose to your organization. Use this information to guide your investment of time and resources into small-scale, targeted security awareness campaigns. Could your campaign have stopped or reduced the hundreds of millions of dollars stolen using a malware and phishing campaign? Could it have mitigated the spread and impact of a targeted attack such as Dyre Wolf?
- Start measuring the effectiveness of your information security awareness campaigns. Have discussions with people from HR and marketing about developing better metrics for quantifying results. Perform pretests and post-tests, or at the very least, survey some of your participants after each campaign to determine what worked and what didn’t. Seek to improve with each new initiative. For an initial set of metrics to start with, visit the SANS metrics page.
- Your goal should be to effect long-term change in a majority of your workforce. This will likely require you to evolve and adapt your messaging and your approach as your employees’ knowledge and behavior improves. Roer said it best in his interview: “If it does not get you the results you need, get rid of it and try something else.”
There are ways of communicating risks and nudging behaviors. Just because we spent the past 20 years doing it poorly doesn’t mean we have to spend another 20 continuing down the same mind-numbing path filled with scary posters and boring awareness videos. Let’s chart a better course forward, one well-crafted message at a time.