Ask a security practitioner what they want from a security awareness programme, and the immediate response you receive will sometimes be “to tick a compliance box”, sometimes “to reduce security risk” and sometimes “to achieve compliance and reduce risk, of course”. But dig a little deeper and there’s more to it than that.
In part three of this series of blogs reporting on our research project to “Reimagine Security Awareness” we explore the practitioner perspective. In part 1 we covered the “do nots” of mandatory security awareness and in part 2 the “do dos”, both based on our workshops with users. In part three we consider practitioners – security auditors as well as security professionals with responsibility for corporate information security awareness programmes. Alongside our user workshops we conducted structured interviews with several them – here’s what we heard…
The basics – achieve compliance (and reduce risk)
Initially our interviews explored “what do you need to see” from a security awareness programme. We were told:
Training must be understood, retained and measured. Participation (what % staff received the awareness) and retention (indicators of knowledge retained) should be measured. Alternatively, staff should attest that training has been received and understood.
Content and delivery should meet the needs of the organisation, with awareness tailored to the risks the organisation faces. Ideally the significance of security risks will be made relevant through real-world case studies, and learning should be interactive rather than passive.
Senior management should demonstrate their support for the programme and it’s aims.
The organisation should receive demonstrable value from the program in terms of mitigating risk – ideally backed up by reductions in recorded incident metrics.
Essentially, the initial answers we heard were predominantly focused on the ‘traditional’ axis of compliance/risk. But when we then explored questions around the theme of “…ok…but what do you want to see?” the following key themes emerged, which all revolved around a slightly different fundamental requirement – engagement.
Practitioners want people to care and be engaged with security – with the benefits of increased vigilance, greater retention and therefore reduced risk through increasingly securebehaviours.
“Part of the team”
We heard that practitioners want people to feel like an extension of the security team. This meant they wanted to avoid a feeling of “them and us” and telling people what to do. As well as recognising the need to reward good behaviour rather than punishing bad.
Compliance is not engagement
We heard a frustration that too much focus on compliance can be damaging, particularly in terms of engagement. Staff are often cynical with a ‘mandatory’ approach to awareness and become disengaged. Getting training completed can become a cottage industry, ending up with training taken ‘under duress’.
Genuinely ongoing update of learning material is perceived to be a positive way of engaging people – and something that was noted to be missing from many current solutions.
Avoid one-size fits all
A mix of material and approaches is deemed necessary. Reducing everything to the lowest common denominator is a problem in current training design. Practitioners are aware that providing the same course to all staff year-on-year will not be engaging for people. Rather than just customising to the organisation as a whole, emphasis is now being placed on customising learning to the individual recipient – taking into account their individual context and behaviours.
There is a clear need in the market for awareness solutions that are not purely focused on compliance. Ones that drive towards engagement. And even then, engagement is not the end goal. The end goal is to see that engagement turn into secure behaviour change.
The practitioner perspective highlighted above aligns surprisingly strongly with the user perspective documented on our “dos” and “do nots” of mandatory security awareness. When the ultimate aim of security awareness is (or should be) reducing risk through driving secure behaviours, the next generation of security awareness must be more focused on engagement than on tick-box compliance.
About this work This blog resulted from a project supported by Innovate UK and conducted alongside Pam Briggs, Professor and Chair in Applied Psychology at Northumbria University. The project ran workshops with staff across commercial, professional services and public sector organisations, including Deloitte, Camden Council and at our strategic partner AXELOS RESILIA.