June 5, 2017 By Reto Zeidler 2 min read

While the origin of the recent WannaCry exploit is still under investigation, there is no doubt that humans remain the weakest link in the chain of defense against cyberattacks.

According to the IBM X-Force Threat Intelligence Index, human factors play a major role in various types of attacks. While it’s easy to blame users, many overlook the fact that these individuals can be turned into a valuable asset for an organization’s defense capabilities. A well-aligned, orchestrated security awareness program can unlock this potential, but its success depends on practices beyond the typical security domain — namely, psychology, communication and culture.

From Guidelines to Behavior Change

The traditional approach is to define an acceptable use policy and require users to sign it. This may help to transfer some responsibility to the users, but it does not make an organization more secure at the end of the day. Making users part of your defense requires more than a warning finger; it’s about changing behavior.

While the elements of a security awareness program depend on an organization’s structure, business and culture, human behavior change is based on fundamental principles. The first tenet urges security leaders to include users in the mission instead of treating them as a risk. To be part of the mission, individuals need to understand it, recognize risky situations and react in a proper manner.

Furthermore, successful awareness programs involve other — such as human resources, legal, marketing and physical security — that often have mutual interests. These departments can collaborate to make security awareness efforts mandatory and contribute valuable resources such as funding and distribution tools. Human resources can build security awareness into onboarding and performance management processes, for example.

Keep Your Security Awareness Program Focused

Human factors contribute in many ways to security risks, from dealing with phishing emails to handling sensitive data and interacting with other company assets. It is simply impossible to address all these issues at once. Instead, security leaders should focus on the most severe behaviors from a risk management perspective.

This approach will help to keep messages clear and prevent users from viewing security as an annoyance. Users are confronted with many daily obligations and simply don’t have time to wait for another set of tasks. Therefore, you should split your messages into small portions, assign tasks that take no longer than 15 minutes and distribute the content over a period of time. This approach also makes it easier to keep software up to date.

People consume information in different ways depending on their background, profession and generation. Successful programs incorporate a variety of channels to make the message stick, including newsletters, posters, games, news feeds, blogs, simulated phishing attacks and more. In general, the most participatory efforts appear to have the most success.

Measurement Is Key

If you invest time and money to strengthen your security program, you should be able to report its effectiveness to management and stakeholders. The only way to do this is to collect metrics in advance of awareness efforts. Without this baseline, it is hard to demonstrate success.

Security awareness metrics can include surveys to gauge attitudes and more statistical values such as results from simulated phishing attacks before and after awareness training. It might also be helpful to examine the number of security-related incidents. Measurable improvements, in any aspect of security, will help justify the program and, eventually, obtain additional funding and support.

Watch the On-Demand Webinar: Orchestrate Your Security Defenses

More from Risk Management

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Roundup: The top ransomware stories of 2024

2 min read - The year 2024 saw a marked increase in the competence, aggression and unpredictability of ransomware attackers. Nearly all the key numbers are up — more ransomware gangs, bigger targets and higher payouts. Malicious ransomware groups also focus on critical infrastructure and supply chains, raising the stakes for victims and increasing the motivation to cooperate.Here are the biggest ransomware stories of 2024.Ransomware payments reach record highRansomware payments surged to record highs in 2024. In the first half of the year, victims…

83% of organizations reported insider attacks in 2024

4 min read - According to Cybersecurity Insiders' recent 2024 Insider Threat Report, 83% of organizations reported at least one insider attack in the last year. Even more surprising than this statistic is that organizations that experienced 11-20 insider attacks saw an increase of five times the amount of attacks they did in 2023 — moving from just 4% to 21% in the last 12 months.With insider threats on the rise, it’s critical for businesses to recognize the real dangers that originate from inside…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today