The second week of National Cyber Security Awareness Month (NCSAM), held every October, focused on creating a culture of cybersecurity at work. The aim is to highlight the current threats that organizations are facing and promote a security culture that will help employees stay safe online and improve the organization’s overall security stance.

Security Intelligence asked Mike Saurbaugh, a faculty member with IANS Research, a course developer for Excelsior College and an independent consultant, to explain the importance of raising security awareness in an organization. He also gave his top tips for better engaging employees in an awareness program.

The Importance of Security Awareness

Saurbaugh stressed that developing a comprehensive security awareness program should not be considered a destination, but a journey. It requires dedicated oversight and should be ongoing, with engaging exercises. It should certainly not be seen only as part of a compliance or an audit initiative since that is likely to result in ticking off checklists rather than implementing any lasting behavioral change.

Executive buy-in is essential to drive a culture of security throughout an organization. A top-down approach will help to underline the importance of security for the organization, but it will still be necessary to explain to employees why security awareness is needed, what the main risks are and how reducing risk will help the business. Employees need to understand the part they play in achieving a common security vision — but in an engaging way, not one that is condescending or demeaning. Threatening repercussions such as termination if an employee fails should be avoided because this creates mistrust and fear.

The Top Five Tips

The following are a few of Saurbaugh’s top tips for engaging employees with a security awareness program.

1. Find the Motivation

Security awareness is important for all aspects of life, not just in the workplace. This is especially true in today’s always-on culture, where people are routinely exposed to phishing, password challenges, data theft and other social engineering tactics. By raising awareness of security issues and concerns in a wider context, such as how to better protect their families and personal finances, employees will be more engaged and their emotional interest will be sparked.

2. Gamification

Creating an air of healthy competition will raise interest in the awareness program, especially where departments are encouraged to compete against each other for the top spot based on factors such as which caught the most phishing emails or reported the most suspected incidents.

Employees will be more engaged if the program is fun to take part in. For example, by using gamification techniques for personnel in security operations centers, not only do participants have fun while honing important incident response skills, but they will become more adept at protecting the organization in the process.

3. Form Security Awareness Allies

Promoting security awareness doesn’t have to be the sole responsibility of the security team, which is often understaffed and time constrained. By getting other departments or branch locations involved, individuals outside of security can help to be the eyes, ears and voice of the program.

4. Public Recognition

Publicly recognizing success is key to making employees feel valued and can easily be done via the intranet, newsletters, internal marketing materials and general recognition from management. These methods may be preferred over monetary incentives such as gift cards or extra paid time off. Employees will come to expect such rewards and may lose interest should they be suspended, perhaps because the budget for such incentives is withdrawn.

5. Keep It Simple and Aligned to the Business

While crucial to the business, security is certainly not the main reason most employees were hired. Therefore, focus on specific incremental goals rather than trying to be all-encompassing and attempting to achieve too much too fast. Identify the behaviors the organization wants to promote and align this to business results so that employees can understand the value security has in protecting the overall organization.

Moving Forward

Finally, Saurbaugh points to two nontraditional resources that will help security teams better understand how to drive behavioral change as applied to elements of the awareness program. First, the book “Influencer: The New Science of Leading Change” stresses the need to clarify measurable results, focus on vital behaviors and use sources of influence in order to drive change.

BJ Fogg’s Behavioral Model considers the causes of behavioral change and suggests that three elements — the motivation, the ability and a trigger — must all converge in order to achieve the desired change. While not directly related to security, these two resources will be a valuable aid for better understanding behavior and how the need to drive change will impact the success of the security awareness program.
