How effective are current security awareness campaigns? According to recent research, not very. A 2014 Google study of phishing activity via Google forms found success rates ranging from 45 percent for well-crafted forms all the way down to 3 percent for poorly worded forms that should have never fooled anyone. Alan Paller, director of research at the SANS Institute, reportedly said that “95 percent of all attacks on enterprise networks are the result of successful spear phishing.” And Kevin Mitnick, the chief hacking officer at KnowBe4, recently summarized the state of the human firewall with this somber statement: “Even after 20 years, social engineering [e.g., phishing] is still the easiest way into a target’s network and systems, and it’s still the hardest attack to prevent.”

Current Awareness Programs Are Lacking

The good news is that awareness training has become a burgeoning field within the information security services industry, as evidenced by Gartner’s release of its first “Magic Quadrant for Security Awareness Computer-Based Training Vendors” report, which analyzed programs from 19 vendors. The bad news is that the majority of the strategies used in corporate security awareness campaigns today still follow the same old approach, with an IT person looking down at users and telling them they’re wrong for behaving in a certain manner.

What many people responsible for security awareness campaigns seem to have forgotten — or perhaps never really learned — is that this entire domain is not about IT; it is about human behaviors (externally visible) and the underlying human psychology that drives such behaviors (internal to each employee). Laura Bell, founder of SafeStack, recently summarized the state of security awareness today: “If you want a bit of fun, please go and Google ‘information security awareness posters,’ and go and see what the world has to offer us. … These do not work. This is not how humans learn. We’ve forgotten about the entire world of education, but we’ve found clip art.”

We have to do better. The security and privacy of the data entrusted in all of us depends on it. “A shift in corporate culture toward an environment that values data privacy and security is imperative,” Larry Ponemon, chairman and founder of Ponemon Institute, wrote earlier this year. “Focus on changing people and changing behaviors toward the belief that protecting company data is everyone’s responsibility.”

Noteworthy Behavioral Science Strategies

What does an effective behavior-changing campaign look like? We can take inspiration from other disciplines:

  1. In 2014, Public Health England launched a campaign to increase handwashing among the public. Its main weapon in changing human behavior was the visualization of bacteria on the fingers of a hand after handling raw chicken, touching an old dishcloth, using the bathroom and cleaning a kitchen surface that was used to prepare raw meat.
  2. The importance of framing one’s message for the audience cannot be overstated. In 2013, the U.K. tested some new language aimed at improving organ donor registration. The addition of this one-line, two-sentence statement was selected as the winner, projected to boost registration by an extra 96,000 participants, or 10 percent, each year: “If you needed an organ transplant, would you have one? If so, please help others.”
  3. Can a country increase its tax revenue just by using the right wording? In a research paper titled “The Behavioralist As Tax Collector: Using Natural Field Experiments to Enhance Tax Compliance,” the U.K. tax collection authority tested the effectiveness of message framing on late taxpayers. They sent one of five different wordings to 100,000 individual taxpayers and measured the impact of each message. Can you spot the winner?
    • Basic norm: “Nine out of 10 people pay their tax on time.”
    • Country norm: “Nine out of 10 people in the U.K. pay their tax on time.”
    • Minority norm: “Nine out of 10 people in the U.K. pay their tax on time. You are currently in the very small minority of people who have not paid us yet.”
    • Gain: “Paying tax means we all gain from vital public services like the NHS, roads and schools.”
    • Loss: “Not paying tax means we all lose out on vital public services like the NHS, roads and schools.”

The winning phrase was the minority norm message. It generated an extra £2.367 million (approximately $3.76 million) in taxes paid in just 23 days.

Key Takeaways

Governments and businesses have already realized the value of properly targeted messages. The U.K. government leveraged the services of the CGI Group, an IT and business process service company, to achieve its aims. Here are some of the key lessons from the company’s issue paper, “Using Behavioral Sciences to Improve Government Debt Collection”:

  • People are heavily influenced by who is communicating with them.
  • People put undue weight on recency.
  • Most people will do what others do.
  • People are strongly influenced by others “like them.”
  • Personal messages are more effective.
  • People are inclined to follow preset options.
  • People are drawn to things that are novel and relevant.
  • People tend to behave consistently with their public promises.
  • Most people want to do the right thing.

Applying Lessons to Security Awareness Campaigns

Are your current security awareness campaigns leveraging these insights from behavioral science? How can you apply these concepts to your next awareness campaign? If you still run campaigns in-house, here are some suggestions:

  1. Move the responsibility for planning, deploying and reviewing your next information security campaign from IT to either the human resources or marketing department, or a special-purpose ad hoc unit with leadership from both of those groups. Provide this team with access to subject matter expertise from the ranks of IT security. As Kai Roer, creator of the Security Culture Framework, said recently in an interview, security awareness programs “fail because information security people do not understand how people function.” Get awareness out of IT.
  2. Start quantifying the risks that certain classes of employees and/or actions pose to your organization. Use this information to guide your investment of time and resources into small-scale, targeted security awareness campaigns. Could your campaign have stopped or reduced the hundreds of millions of dollars stolen using a malware and phishing campaign? Could it have mitigated the spread and impact of a targeted attack such as Dyre Wolf?
  3. Start measuring the effectiveness of your information security awareness campaigns. Have discussions with people from HR and marketing about developing better metrics for quantifying results. Perform pretests and post-tests, or at the very least, survey some of your participants after each campaign to determine what worked and what didn’t. Seek to improve with each new initiative. For an initial set of metrics to start with, visit the SANS metrics page.
  4. Your goal should be to effect long-term change in a majority of your workforce. This will likely require you to evolve and adapt your messaging and your approach as your employees’ knowledge and behavior improves. Roer said it best in his interview: “If it does not get you the results you need, get rid of it and try something else.”
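The measurement step (item 3) can be run the same way the U.K. tax experiment above was: send each message framing to a comparable group, measure the simulated-phishing click rate before and after, and only declare a winner when the drop is statistically distinguishable from noise. The following is an added example, not code from the article or any vendor; the variant names mirror the tax-letter framings, the click counts are constructed sample data, and the hypothetical `evaluate` / `best_variant` functions are this example's own.

```python
"""Pretest/post-test scoring of awareness-message variants (added example).

Each variant was sent to a separate, comparable employee group. Counts are
constructed sample data: (emails sent, simulated-phish clicks).
"""
from math import erf, sqrt

CAMPAIGN_RESULTS = {
    "basic_norm":    {"pre": (400, 88), "post": (400, 79)},
    "minority_norm": {"pre": (400, 91), "post": (400, 52)},
    "loss_frame":    {"pre": (400, 86), "post": (400, 70)},
}


def click_rate(sent, clicked):
    """Fraction of recipients who clicked the simulated phishing link."""
    return clicked / sent


def two_proportion_z(n1, x1, n2, x2):
    """One-sided two-proportion z-test, H1: post-test rate < pretest rate.

    Returns (z, p_value). With no clicks in either round there is no
    evidence of change, so z = 0 and p = 0.5 are returned.
    """
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:
        return 0.0, 0.5
    z = (p1 - p2) / se
    return z, 0.5 * (1 - erf(z / sqrt(2)))


def evaluate(results, alpha=0.05):
    """Score every variant: rates, relative reduction and significance."""
    scored = {}
    for name, r in results.items():
        (n1, x1), (n2, x2) = r["pre"], r["post"]
        z, p = two_proportion_z(n1, x1, n2, x2)
        pre, post = click_rate(n1, x1), click_rate(n2, x2)
        scored[name] = {
            "pre_rate": pre, "post_rate": post,
            "relative_reduction": (pre - post) / pre if pre else 0.0,
            "z": z, "p_value": p, "significant": p < alpha,
        }
    return scored


def best_variant(scored):
    """Largest relative reduction among variants that cleared the threshold."""
    winners = {k: v for k, v in scored.items() if v["significant"]}
    return max(winners, key=lambda k: winners[k]["relative_reduction"]) if winners else None
```

A variant whose drop is not significant (here the basic-norm and loss-frame groups) is treated as "no evidence yet", which is the result that should trigger Roer's advice to change approach rather than a victory announcement.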

There are ways of communicating risks and nudging behaviors. Just because we spent the past 20 years doing it poorly doesn’t mean we have to spend another 20 continuing down the same mind-numbing path filled with scary posters and boring awareness videos. Let’s chart a better course forward, one well-crafted message at a time.
