by ThinkCyber | Reading time: 5 minutes
We’ve previously introduced Kate as a typical employee being subjected to traditional security awareness training. After her training she goes on holiday, has a busy working life with all sorts of distractions, and then when a risky situation occurs, we expect her to recall that training.
It’s clear that that is quite a big ask. But if traditional training isn’t helping, what might have been the optimal time to help Kate?
Anatomy of a behaviour
Let’s start by thinking about how behaviours happen. Firstly, all behaviours take place in a context. For us that will mostly be “on our IT”, “in our email”. There is always a trigger and then, if we have the ability and motivation, we act.
Generally, as an industry, we have been trying to tackle this problem too soon. We offer (or insist) people do annual or even quarterly training and then hope they remember, when Ebbinghaus’ forgetting curve suggests that this is unlikely. But worse, we offer this training completely out of the context of where the threats lie.
So, what about phishing simulations? Surely these are taking advantage of an opportune moment? Unfortunately, setting aside the need to take care you aren’t tricking or embarrassing people, there is research that suggests this is a poor time to try and train.
Researchers offered both success and failure feedback. But found that people learned less at the point of failure. Their theory here was that our egos really don't let us learn at this point. We sort of tune out, perhaps subconsciously, on failure, our subconscious tries to pretend the whole episode never took place.
In many ways, phishing simulations fall into the “too late” category as well. And here also we are starting to see some tools that look at data from the SIEM or other monitoring tools to see what “has happened”. This is useful in as much as it allows us to target people who have demonstrated a need for guidance. But we risk falling into a mode of “punishing people with training”. Not a place we really want to be if we want to support and empower staff and build a culture of trust. It’s also very hard for people to contextualise this training after the fact. Why were they doing that behaviour? What was going through their mind? If they can’t recall, then the training is unlikely to be effective.
So how would Goldilocks like to be supported to avoid risky behaviours? Our research and behavioural theory suggest there are two highly effective places to help, and both are, importantly, in the context where the threat lies.
Firstly, before the trigger, but in the context, “priming” people consciously or subconsciously about the threat. Our research with Cardiff University demonstrated that simply delivering one nudge to people as they opened their email, significantly increased the likelihood that they would go on to spot phishing in their inbox.
Secondly, after the trigger but before the action. Again in the context, on people’s devices just as they are about to carry out a risky behaviour – copy data to the internet, click a link, enter their credentials etc.
Importantly if we can deliver subtle nudges and interventions at these points, we can also measure how often they take place, building baselines and then behaviour change trends.
So in summary, traditional approaches take place either too soon or too late and produce poor results in terms of behaviour change.
We need to understand the context in which behaviours are taking place in order to deliver prompts and nudges where it’s just right!