While the origin of the recent WannaCry exploit is still under investigation, there is no doubt that humans remain the weakest link in the chain of defense against cyberattacks.

According to the IBM X-Force Threat Intelligence Index, human factors play a major role in various types of attacks. While it’s easy to blame users, many overlook the fact that these individuals can be turned into a valuable asset for an organization’s defense capabilities. A well-aligned, orchestrated security awareness program can unlock this potential, but its success depends on practices beyond the typical security domain — namely, psychology, communication and culture.

From Guidelines to Behavior Change

The traditional approach is to define an acceptable use policy and require users to sign it. This may help to transfer some responsibility to the users, but it does not make an organization more secure at the end of the day. Making users part of your defense requires more than a warning finger; it’s about changing behavior.

While the elements of a security awareness program depend on an organization’s structure, business and culture, human behavior change is based on fundamental principles. The first tenet urges security leaders to include users in the mission instead of treating them as a risk. To be part of the mission, individuals need to understand it, recognize risky situations and react in a proper manner.

Furthermore, successful awareness programs involve other — such as human resources, legal, marketing and physical security — that often have mutual interests. These departments can collaborate to make security awareness efforts mandatory and contribute valuable resources such as funding and distribution tools. Human resources can build security awareness into onboarding and performance management processes, for example.

Keep Your Security Awareness Program Focused

Human factors contribute in many ways to security risks, from dealing with phishing emails to handling sensitive data and interacting with other company assets. It is simply impossible to address all these issues at once. Instead, security leaders should focus on the most severe behaviors from a risk management perspective.

This approach will help to keep messages clear and prevent users from viewing security as an annoyance. Users are confronted with many daily obligations and simply don’t have time to wait for another set of tasks. Therefore, you should split your messages into small portions, assign tasks that take no longer than 15 minutes and distribute the content over a period of time. This approach also makes it easier to keep software up to date.

People consume information in different ways depending on their background, profession and generation. Successful programs incorporate a variety of channels to make the message stick, including newsletters, posters, games, news feeds, blogs, simulated phishing attacks and more. In general, the most participatory efforts appear to have the most success.

Measurement Is Key

If you invest time and money to strengthen your security program, you should be able to report its effectiveness to management and stakeholders. The only way to do this is to collect metrics in advance of awareness efforts. Without this baseline, it is hard to demonstrate success.

Security awareness metrics can include surveys to gauge attitudes and more statistical values such as results from simulated phishing attacks before and after awareness training. It might also be helpful to examine the number of security-related incidents. Measurable improvements, in any aspect of security, will help justify the program and, eventually, obtain additional funding and support.

Watch the On-Demand Webinar: Orchestrate Your Security Defenses

More from CISO

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

Why Quantum Computing Capabilities Are Creating Security Vulnerabilities Today

Quantum computing capabilities are already impacting your organization. While data encryption and operational disruption have long troubled Chief Information Security Officers (CISOs), the threat posed by emerging quantum computing capabilities is far more profound and immediate. Indeed, quantum computing poses an existential risk to the classical encryption protocols that enable virtually all digital transactions. Over the next several years, widespread data encryption mechanisms, such as public-key cryptography (PKC), could become vulnerable. Any classically encrypted communication could be wiretapped and is…

6 Roles That Can Easily Transition to a Cybersecurity Team

With the shortage of qualified tech professionals in the cybersecurity industry and increasing demand for trained experts, it can take time to find the right candidate with the necessary skill set. However, while searching for specific technical skill sets, many professionals in other industries may be an excellent fit for transitioning into a cybersecurity team. In fact, considering their unique, specialized skill sets, some roles are a better match than what is traditionally expected of a cybersecurity professional. This article…

Laid Off by Big Tech? Cybersecurity is a Smart Career Move

Big technology companies are laying off staff as market conditions change. The move follows a hiring blitz initially triggered by the uptick in pandemic-powered remote work — according to Bloomberg, businesses are now cutting jobs at a rate approaching that of early 2020. For example, in November 2022 alone, companies laid off more than 52,000 workers. Companies like Amazon and Meta also plan to let more than 10,000 staff members go over the next few years. As noted by Stanford…