INTERVIEW

Preventing carbon unit failures

Awareness training is not enough, so CFOs need to invest in employee cyber-risk management

A lot of people feel that the solution to the problem of employees being a major cyber-threat is to give them “awareness training” about cyber-security.

That’s certainly part of the answer. But only part. That’s because most people won’t do what you tell them just because you tell them. And even fewer people are logical about how they behave. (Incidentally I dislike the phrase “awareness training” – awareness and training are in my view two very different things. We will come on to that.)

You need to treat the problem of employee cyber-risk holistically. I believe there are at least eight separate things you need to think about:


1. Decide what information to protect

2. Decide how to protect it

3. Write readable policies that explain how and why people should behave

4. Educate people about the rules in the policies

5. Keep reminding them of the rules

6. Motivate them to behave safely

7. Reduce cultural disincentives

8. Monitor, measure and adapt


Eight separate things: that sounds like a lot. But it isn’t actually. And you are probably doing many of these things already – although perhaps not coordinating them.


It does help, though, to work with some other people within your organisation if you are going to do all eight of these things efficiently.


Let’s go through them one by one.

Prioritise what to protect

The first thing to do, fairly obviously, is to decide what you want to protect. I don’t have to tell you that you can’t protect everything.


Classifying information properly can take some effort. A fairly new British Standard, “BS 10010 Information classification, marking and handling”, is a good place to start.

Usable processes

Once you have decided what to protect, you need to decide how to protect it.


The usability of security processes is the Cinderella of cyber-security. Your illogical and disobedient colleagues, or most of them anyway, don’t work in security. They have a day job and may well think that security (aka the Department of “No”) just gets in the way of them getting things done.


We know differently of course. But it is very important to ensure that security processes are as invisible as possible so that people can comply with security requirements without effort. Part of that is addressing jargon. Who knows what “encryption” means? Of course you do. But why should you assume that all your colleagues understand what it means?

Usable rules

Now you know how you want people to behave you need to explain that to them. You will probably want to do this with some form of written policy.


Like the security processes, this policy document needs to be usable. It should be simple and jargon free, and include the WHY as well as the HOW of safe behaviour.


Think about the purpose of this document. Is it to cover your backside? Or is it to change people’s behaviour? It should be the latter. And if it is, then it really shouldn’t be longer than a couple of sides of A4 with references to places or people where more detailed explanation can be found if necessary.


Training and knowledge transfer

So you have decided what to protect, decided how to protect it, and codified the rules you want people to follow.


We all know that isn’t enough for your disobedient and illogical colleagues. You need to transfer this information to them, in a way that they understand and which will stick in their minds for longer than the training session lasts.


This is difficult. Computer-based training (CBT) may be part of the answer. But it is highly unlikely to be the whole answer. There are lots of different types of training you can give people – role playing, discussions, workshops, story-telling using video and cartoons. CBT is a good way of testing intellectual understanding. But it isn’t a great way of transferring knowledge. And it isn’t a great way of measuring likely future behaviour either.


By the way, training is different from awareness. Training is about knowledge transfer. Awareness is about reminding people of what they know. So the phrase “awareness training” doesn’t really make sense!



Generating awareness

To influence behaviour you need to go beyond transferring knowledge. You need to ensure that people remember that knowledge.


Most people have stressful jobs, jobs where they are focused on today’s problem rather than on something you told them a month ago. So you need to maintain awareness. There is nothing magic about doing this: it’s just a communications exercise. It’s fine to focus intensely on cyber-security every now and then. But you need to make sure the message is always out there. And that means making sure it doesn’t become invisible through familiarity.


Your external communications team may well be better at doing this than your internal comms team!

Motivating behavioural change

You have explained to people how they should behave. And you constantly remind them. Yet your disobedient and illogical colleagues still behave unsafely. Why?


Well, why do you speed when you are driving? You know the speed limit. And you are constantly reminded of it. But you still speed. Why? Because you are not motivated to keep within the limit. Your urgency or need for excitement outweighs the potential for punishment. Or perhaps you think the limit is pointless (it’s the middle of the night and there are no other cars around). Or you hate authority. Or, or, or….


Motivating people to behave safely is probably the hardest part of a CISO’s job. And perhaps the most important.


So how can you motivate people? There are some good lessons from marketing, such as the principles of persuasion set out by American marketing psychologist Robert Cialdini. In his book Influence: The Psychology Of Persuasion he suggests that there are six main drivers of behaviour:


· Authority

· Social proof

· Reciprocity

· Commitment and consistency

· Liking

· Scarcity


Marketers have known about these for years! Security professionals can use them too. Marketing is all about changing people’s behaviour. And as a security professional that is what you need to do.



Strengthening security culture

Motivation is a delicate thing though. It is easily damaged in the wrong climate. For instance, I may be mustard-keen to avoid a data breach, so I never take sensitive documents out of the business on an unencrypted USB stick. But as soon as I see the boss doing it, well, I realise that it isn’t so very important to be cyber-safe.


As well as training, awareness campaigns and motivational incentives, organisational culture can be strengthened by:


· Addressing the behaviour of influencers (who may or may not be senior: not all organisational culture comes from the top)

· Monitoring, measuring and publicising behaviour (good and bad)

· Creating strong teams with shared goals

· Ensuring work systems such as performance management and promotion are aligned with security goals


Of course CISOs can rarely change organisational culture. But they can identify culture, as expressed by behaviour and beliefs, that is damaging to security, and work with other parts of the organisation to fix the problem.

Measure and monitor

To spot damaging behaviour and beliefs you need to have monitoring in place.


Of course you need to be aware of issues surrounding employee privacy. And you need to be aware of the problems associated with measuring something as subtle as culture. (For instance, you have to be very careful how you ask people questions in surveys because they may well think they know the answers you want to hear.) But using a combination of techniques – surveys, focus groups, observation, behavioural measures – it is possible to measure an organisation’s culture.

It’s not easy!

Of course none of these things are particularly easy. And doing them all well is hard. But not impossible. Especially if you work with colleagues in marketing, HR, facilities management and so on.


At TEISS, one tool we use to achieve this holistic approach is our Internal cyber-risk maturity matrix. This asks questions about five different areas of internal cyber-security – governance, strategy, process, knowledge, and motivation.


Questions posed within the matrix help you decide what level of maturity you are at in these five areas:


· Ignoring: The effect of human factors on cyber-security is not recognised or is ignored

· Accepting: The effects of human factors on cyber-security are accepted as real but no significant attempt has been made to manage them proactively – most activity in the area is reactive

· Experimenting: Processes are being put in place to allow the proactive and repeatable management of internal cyber-security risks – only parts of the organisation are involved however

· Establishing: An approach to developing managed processes to control internal cyber-risks of all types across the whole organisation is in place

· Prioritising: The approach to managing internal cyber-risk is sustained over time with different levels of resource allocated depending on different priorities

· Evolving: The process of managing internal cyber-risk allows for the continuous development and optimisation of both this model and the way that internal cyber-risk is managed


The matrix will help you create a roadmap to achieving safer behaviour, defining where you are now and identifying the steps you will need to take to get where you want to be.


Of course, this sort of approach needs to be combined with methods designed to evaluate technological defences and identify risks deriving from weak processes. But if the human factors that contribute to cyber-security are ignored, then no amount of software or process redesign will keep you safe.


Humans really are the “weakest link” in the cyber-security chain. But with the right approach, they can be turned into the strongest part of your cyber-defences.
