Author: Christina Lekati
There are times you can pick up good cybersecurity advice from the most unexpected places. One of them is the famous book “How To Win Friends and Influence People” by Dale Carnegie.
In this book, Dale Carnegie described the story of Mr. Johnston, a safety professional working for an engineering company. One of Mr. Johnston’s duties was to ensure that certain safety and security policies were followed by the employees – for example, that they were wearing their hard hats while on the job. His general approach to enforcing this policy was to inform all employees that they had to wear their helmets because the company’s policies required it, and then to walk down the manufacturing floor to check who was complying with the policy by wearing the helmet and who was not. When he saw employees not wearing it, he approached them, recited the policy, and demanded that they put their helmet back on. But once Mr. Johnston returned to his office, they took their helmets off.
Mr. Johnston was aware of this practice, but was unsure of what he was supposed to do to make employees comply. He returned to his office trying to understand why employees did not follow this simple security measure. What was wrong with these people?
One day he decided to try something new. He walked onto the manufacturing floor once again, but this time he decided to tone down his authoritative attitude and approach the employees in a different way. He asked them why they were not wearing their helmets, and whether the helmets were comfortable. He started getting useful feedback on minor adjustments to the helmets that would make a significant difference. At the same time, he had the opportunity to talk with them and let them know that the helmet policy was in place for their own safety, that it protected them, and that it ensured the smooth operation of the company.
Employees started responding to this approach. The rates of compliance increased, and employees started to develop more understanding and a positive attitude towards these security measures. They also started accepting Mr. Johnston, whose job was to enforce the policy. Mr. Johnston’s new approach successfully changed the safety culture within his organization.
Many cybersecurity professionals find themselves in Mr. Johnston’s shoes. They have to assess and address the threats to information security, but they also have to ensure that the employees of their organization comply with the security measures that involve them. At the same time, employees often hold opposing views on security controls. Measures that a cybersecurity professional sees as necessary to improve safety and security are, for employees, obtrusive mechanisms that take effort and time and interfere with their productivity. Often, employees cannot see why they should comply with security policies and tend towards fostering a security-averse culture. The end result is shortcuts, resentment, and risky behaviour.
Cybersecurity professionals need to consider certain behavioural aspects if they want to effectively implement a security policy and foster a better cybersecurity culture. Understandably, this is difficult and uncharted territory for many of them who have traditionally been technology focused. But as threat actors keep targeting and attacking humans, cybersecurity professionals must learn how to better communicate those threats to employees, to ensure that employees understand the risks and are able to protect their organization.
We must change the mentality that exists in many organizations from “it’s not if we will be attacked but when we will be attacked” to “it’s not when we will be attacked but how often we will be attacked”. Today, enterprise-wide, multi-layered cybersecurity is no longer a luxury but a necessity. In our current threat landscape, culture will play a significant role and will work either for or against the cybersecurity goals of an organization. We have to look into how we can foster a culture that supports better cybersecurity practices. But remember: it is a two-way street. As Stephen Covey’s famous quote states, you will have to “seek first to understand, and then to be understood”, just like Mr. Johnston did.
“The way things are done around here”
Before we delve into the “how”, we have to look into what we are trying to achieve, and the environment security professionals operate in, when it comes to culture.
By the definition given by the “Security Culture Framework”, when we refer to a security culture, we refer to the set of:
“the ideas, customs, and social behaviour of a particular people or society [i.e. employees in an organization] that allow them to be free from danger or threats.”
In other words, it refers to “the way things are done around here” when it comes to handling organizational assets, and the awareness that goes along with knowing the threats an employee might face in relation to the assets they handle. Employees do get targeted, and the effects of a successful attack can impact both the organization and the individuals who are exploited.
As long as managers and employees can provide access to systems, assets and high-value information, employees will be targets. The problem is that most of the time they either do not know it, or they do not believe it will happen to them. In some cases, they falsely believe that they are safe because of the security technology that the company has implemented, or that they would be able to recognize social engineering or a cyber-attack. Unfortunately, some social engineering attacks are designed to bypass both security technology and the employees’ cognitive filters. Therefore, being both proactive and consistent in terms of daily good security practices, and complying with the security policies and procedures, is crucial.
On the other hand, we need to remember that security professionals operate within a larger organizational environment. The development of a cybersecurity culture will have to be integrated within that larger organizational environment and the already existing culture. This can be quite a challenge, especially in larger and more complex organizations. While security teams might have the noble intention of developing a cybersecurity mindset within their organizational culture, their efforts might get overshadowed by the rest of the organizational environment and its priorities.
Think of the size of your cybersecurity department in relation to the number and size of the other departments:
Now also consider that each department has its own goals, priorities, and “mini-culture”. Introducing new behaviours into these departments should be done in alignment with each department’s goals. It is easy to see why this is not a simple endeavour. Security awareness training can significantly support this effort, but it will not build your security culture on its own. More factors come into play that shape the end result of behaviours within an organization. These factors include the support of the leadership and the stakeholders.
But let’s take this journey from the start …
What Behavioural Science Teaches Us About Changing Security Behaviour
No existing model is good enough at showing us how to improve security and develop a cybersecurity culture. Most of the models do not factor in all the variables that interplay within a workplace, and therefore render themselves ineffective. That is the bad news. The good news is that they can still provide value. Taking a close look at the scientific models of behaviour change and connecting them helps us build a better picture.
There is enough research indicating that models which focus on positively enabling desirable cybersecurity behaviour are far more effective than behavioural models that rely on fear as the motivation for compliance with cybersecurity policies. Research has repeatedly proved that organizations are better off if they focus on encouraging active participation in the cybersecurity-related matters that involve and affect employees, instead of simply enforcing compliance. Organizations need employees who can actively and wilfully use their “mental sensors” to identify suspicious behaviour, irregularities, and potential threats. They need employees who have the knowledge, skills and personal interest to step up and work in favour of their organization’s defensive cybersecurity.
So how can we enable them?
The Theory of Planned Behaviour (TPB) states that a person’s intention to perform an action (e.g. locking their screen while they are away) depends on three factors:
• The person’s attitude towards the behaviour.
Do employees believe that a certain action is significant enough and beneficial in some way? Or do they dislike it, or feel that it is not important enough to spend time and effort on? If employees have a positive attitude towards a specific cybersecurity habit, they are more likely to consider performing it, and then to actually do it. If, for example, they are not aware of insider threat cases in their industry and the harm they can cause, they might not feel that locking their screen before leaving their office is important, since they are not aware of any potential threats in their environment.
• The perceived norm.
How does the rest of their environment react to that specific action? Do they support it and view it in a positive light, ignore it, or dislike it? The way our social environment reacts to a specific behaviour has the power to either strengthen or weaken it. Particularly important are the reactions of their team, and the team’s leader(s).
• The perceived behavioural control.
Does the person feel able to perform this behaviour or is it too complicated for them to perform it?
At this point, we, the behaviouralists who work on supporting organizations in building their cybersecurity culture, meet a paradox: that of conflicting priorities. Many companies today have understood the importance of their people as an integral layer of security. People are able to detect threats, deter them, and report them to warn the rest of their organization. Companies that have understood this often claim to support their employees in their efforts to maintain secure processes while conducting their day-to-day working responsibilities. But they also often give their employees mixed messages when it comes to selecting priorities. Will a travelling employee who is working on a time-sensitive project be given a small deadline extension in order to submit the files they have been working on from a secure connection? Or will they be pressured to transfer confidential files from any Wi-Fi network at an airport or cafeteria in order to meet their deadline, for the sake of speed?
We sometimes meet organizations that actively try to promote their cybersecurity culture, but unfortunately miss this one element: clear prioritization. They have invested in the education of their employees, streamlined some processes, and made others accessible within the organization. But when their employees find themselves in a position where they have to choose between security and another priority, like speed or productivity, they often choose to act according to that other priority.
Why does that happen?
When we are faced with a prioritization dilemma, we usually go through a Cost, Risk & Benefit Analysis in our heads.
Complying with a security policy is costly in the sense that it requires some extra time and effort. At the same time, employees might feel that “cutting some corners” is not particularly risky, especially if they believe that a cyber-attack is something that will never happen to them (a common belief among inadequately trained employees). On the other hand, their productivity directly affects their evaluations, their bonuses, and potentially their employment status too. It is easy to see that the desire for productivity will be stronger than the desire to follow security procedures, simply because of the perceived costs and benefits.
The next thought that usually comes up in the employee’s head is of the type “how bad would it be if I skip this security process?” If they decide that non-compliance is alright given their circumstances, and they decide to test their theory, the first mistake has already been made. Chances are that nothing bad will happen this one time. The feedback the employee gets, however, is that there is no harm in non-compliance, and this reinforces them to repeat the behaviour again … and again … until a costly, and potentially very damaging, incident occurs.
Let’s look into what produces this type of thinking over a different, more desired one.
Drivers of Non-Compliant Behaviour:
• Competing priorities.
The organizational leadership clearly values and supports productivity or other conflicting values over security – or does not clearly communicate and prioritize the significance of security.
• There is no justifiable reason to comply.
Many employees do not have a clear understanding of what they need to protect, and how. Often, they do not realize that organizational cybersecurity depends on them, too. They have received minimal or inadequate information security awareness training and believe that a cybersecurity incident:
- will never happen to them,
- is irrelevant to them (they are not targets),
- makes no sense for them, as they are not aware of the threats and the value of the information/systems/assets they handle,
- is not their responsibility, as they believe that the information security technology that has been implemented is enough.
• The cost of compliance is higher than the benefit.
Many employees hold the belief that non-compliance will only be frowned upon, while reduced productivity will have worse consequences. At the same time, their main priority and focus is to deliver on their work responsibilities, and since they do not perceive information security as their own responsibility, it remains an afterthought. Employees are willing to invest only as little time and effort as possible in following security policies and procedures. Security managers often forget to factor in the amount of additional workload a security process adds to an existing workflow. If it significantly interferes with the productivity of employees and they need to invest significant time and effort in it, they often choose to cut corners.
• There is an inability to comply.
The security process or mechanism is too complicated for them, or it does not integrate well with their daily activities. For example, encrypting or decrypting files is too complicated for some employees, and therefore they may prefer to skip this step before sharing a confidential file. They will still be aware of the risk but choose to take it anyway, finding a way to justify it by thinking that they were not shown exactly how to do it, that they do not remember it, or that they are in a rush and have a lot more work to complete. If many employees share the same viewpoint and behaviour, the security team should probably review and redesign the process, or invest more resources in training and supporting the employees in its implementation.
Generally, employees are mostly aware of their non-compliance and of a certain degree of risk associated with it. They also tend to want to comply with the policies and processes required by the organization. However, this too will be a second thought, as their main priority is to get their work done with the required quality, speed and efficiency – and then, in a secure way too. Security teams would benefit a lot from getting into the employees’ shoes and then finding solutions that match their working reality. To do that, they will have to look into employees’ attitudes, beliefs and behaviour, and they will need to ask for feedback and encourage communication.
The Good News: You CAN Develop a Cybersecurity Culture
At this point it should be clear that we need to understand human nature and act accordingly. We work against human nature when we try to change people’s behaviour by simply demanding it, and by setting processes and enforcing them without accounting for other dynamics that might conflict with them. Setting a command and expecting people to execute it on a regular basis is not a model for behavioural change; it is computer programming. Humans operate very differently, and their decision-making process is much more complex. To help someone implement new habits we need to take into consideration the dynamics of their environment, including the competing priorities, stressors, beliefs, and the other elements that we discussed earlier. We need to get into their shoes. Security professionals often adopt an “it’s us versus them” mentality when they think about end-users. But to be effective, they need to approach the matter differently.
It starts with improved communication
CISOs and security teams often struggle to relate to other departments, and they rely on one-way communication. They basically dictate to other departments what to do. They lay out their security plan, demonstrate the needs, vulnerabilities and next steps the organization should take, and expect (but most often just hope) that all others will accept and support their plans and expert judgment. But even when their recommendations are correct and clearly explained, they find themselves in a position where they still have to fight for budget, approval, and support, as the others might not have the same enthusiasm for what is being recommended, or for cybersecurity in general.
CISOs and other information security experts often don’t feel understood by business leaders. But business leaders often believe that CISOs and security teams do not understand the business goals. The other organizational stakeholders have their own agenda. For effective communication to take place, the two sides need to come into alignment. They need to breed trust and an environment of collaboration. For that, CISOs and security professionals must listen to and understand the business goals and adjust their approach. They need to communicate security initiatives as business enablers, not as necessary evils.
Similarly, when CISOs want to enforce specific policies and processes on other departments, it would be very beneficial to adjust their communication to the needs and priorities of those departments. For example, the marketing and sales departments are often a weak link in information security, as they tend to disclose more information than they should to prospects and clients. Security professionals need to understand these priorities and address the problems directly. Case studies containing sensitive information on certain projects might be beneficial to a marketing campaign, but maintaining security standards adds trust and reliability and eventually attracts more long-term customers.
As a security professional, it is a good idea to be visible and approachable. Some managers tell us they make a habit of walking over to other offices every so often and asking employees whether they have questions about the security processes that have been put in place, and whether they have any feedback. They report that these conversations often turn out to be very useful. Security professionals must ensure that employees understand their individual security responsibilities and are not relying on technology alone.
Implementing Excellent Cyber Security Awareness Training
Cyber security awareness training can be an organization’s biggest ally, or its enemy. Dull, generic and very technical security awareness training will harm the efforts towards a cyber security culture. A series of out-of-the-box video-recorded trainings often leads to boredom and complaints. Organizations opt for them because they are convenient, cost-effective, and help tick the compliance box. But think about their effect: employees do not engage with them, and certainly do not relate to the material being presented. As some of the information within these trainings might be irrelevant to the employee’s working reality, they can choose to dismiss the entire section (or training) as “not relevant” to them. Eventually, cybersecurity as a topic becomes “not relevant”.
We have encountered many teams of employees who had first received one of those trainings. They believed that cybersecurity is a tiring and futile endeavour, as they would either not get attacked, or they would not be able to defend themselves against an attack. They believed that they had to hustle too much for something that was inevitable. Or they were simply not interested in the topic, as they felt that the issues being discussed were not applicable to their reality and working environment.
Excellent cyber security awareness training, on the other hand, does the opposite. It is tailored to the industry and working environment of the audience. It uses case studies and examples that attendees can relate to, and that apply to their working life. It is also engaging, entertaining, and interactive. All people have an innate curiosity, and a good trainer needs to take advantage of it, trigger it and build upon it. Finally, the lessons learned and best practices taught in the course must be reasonably simple and realistic for the attendees to implement. The goal is an interesting, entertaining, and memorable training experience.
Utilize the psychology of groups and social proof
People tend to model the behaviour of other people belonging to their group. It is a basic tribal instinct that we all operate under. When we form groups, we adopt a behaviour specific to that group, as a means of bonding and better communicating with one another. The norms that form within our groups are often led by people whom the rest of the group perceive as their leaders.
This is why it is so important to have the support of leadership when trying to establish a cybersecurity culture. Other employees will look up to their managers, leaders, and teammates, and they will mirror not only what they advocate but what they see them do as well. Collecting advocates in the organization whom other people look up to will help form a better cybersecurity environment within the organization and establish a cybersecurity culture faster.
Behaviour change takes time, and it is certainly challenging too. But it is also worth the investment. Change will not happen overnight but gradually, by investing in the organization’s cybersecurity culture and mindset. Eventually you will notice incremental changes in the way people think and act about security, both in their everyday activities and when they encounter potential threats. The workforce eventually develops into an active human firewall that accumulates secure behaviour to the point where suitable responses to threats become second nature. And this is probably the biggest advantage. After a certain point, implementing security processes will no longer cost mental energy and effort – it will happen automatically. People will be able to recognize threats, and will be better equipped to deal with them and report them. They will become a strong security layer.
Behaviour change will happen if the cybersecurity practices are achievable within people’s everyday activities, and if their organization supports them. And of course, throughout this journey, the cybersecurity team needs to learn how to listen, and to breed an environment of collaboration and trust with the other departments.
Security professionals often complain that employees are not worth investing in, because they don’t want to change their behaviour. But maybe it’s also us, the security professionals, who need to adjust our approach. Just like Mr. Johnston did.