June 5, 2017 By Reto Zeidler 2 min read

While the origin of the recent WannaCry exploit is still under investigation, there is no doubt that humans remain the weakest link in the chain of defense against cyberattacks.

According to the IBM X-Force Threat Intelligence Index, human factors play a major role in various types of attacks. While it’s easy to blame users, many overlook the fact that these individuals can be turned into a valuable asset for an organization’s defense capabilities. A well-aligned, orchestrated security awareness program can unlock this potential, but its success depends on practices beyond the typical security domain — namely, psychology, communication and culture.

From Guidelines to Behavior Change

The traditional approach is to define an acceptable use policy and require users to sign it. This may help to transfer some responsibility to the users, but it does not make an organization more secure at the end of the day. Making users part of your defense requires more than a warning finger; it’s about changing behavior.

While the elements of a security awareness program depend on an organization’s structure, business and culture, human behavior change is based on fundamental principles. The first tenet urges security leaders to include users in the mission instead of treating them as a risk. To be part of the mission, individuals need to understand it, recognize risky situations and react in a proper manner.

Furthermore, successful awareness programs involve other — such as human resources, legal, marketing and physical security — that often have mutual interests. These departments can collaborate to make security awareness efforts mandatory and contribute valuable resources such as funding and distribution tools. Human resources can build security awareness into onboarding and performance management processes, for example.

Keep Your Security Awareness Program Focused

Human factors contribute in many ways to security risks, from dealing with phishing emails to handling sensitive data and interacting with other company assets. It is simply impossible to address all these issues at once. Instead, security leaders should focus on the most severe behaviors from a risk management perspective.

This approach will help to keep messages clear and prevent users from viewing security as an annoyance. Users are confronted with many daily obligations and simply don’t have time to wait for another set of tasks. Therefore, you should split your messages into small portions, assign tasks that take no longer than 15 minutes and distribute the content over a period of time. This approach also makes it easier to keep software up to date.

People consume information in different ways depending on their background, profession and generation. Successful programs incorporate a variety of channels to make the message stick, including newsletters, posters, games, news feeds, blogs, simulated phishing attacks and more. In general, the most participatory efforts appear to have the most success.

Measurement Is Key

If you invest time and money to strengthen your security program, you should be able to report its effectiveness to management and stakeholders. The only way to do this is to collect metrics in advance of awareness efforts. Without this baseline, it is hard to demonstrate success.

Security awareness metrics can include surveys to gauge attitudes and more statistical values such as results from simulated phishing attacks before and after awareness training. It might also be helpful to examine the number of security-related incidents. Measurable improvements, in any aspect of security, will help justify the program and, eventually, obtain additional funding and support.

Watch the On-Demand Webinar: Orchestrate Your Security Defenses

More from Risk Management

Back to basics: Better security in the AI era

4 min read - The rise of artificial intelligence (AI), large language models (LLM) and IoT solutions has created a new security landscape. From generative AI tools that can be taught to create malicious code to the exploitation of connected devices as a way for attackers to move laterally across networks, enterprise IT teams find themselves constantly running to catch up. According to the Google Cloud Cybersecurity Forecast 2024 report, companies should anticipate a surge in attacks powered by generative AI tools and LLMs…

Mapping attacks on generative AI to business impact

5 min read - In recent months, we’ve seen government and business leaders put an increased focus on securing AI models. If generative AI is the next big platform to transform the services and functions on which society as a whole depends, ensuring that technology is trusted and secure must be businesses’ top priority. While generative AI adoption is in its nascent stages, we must establish effective strategies to secure it from the onset. The IBM Institute for Business Value found that despite 64%…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today