Ask a security practitioner what they want from a security awareness programme, and the immediate response you receive will sometimes be “to tick a compliance box”, sometimes “to reduce security risk” and sometimes “to achieve compliance and reduce risk, of course”. But dig a little deeper and there’s more to it than that.
In part 1 of this series, we covered what users don’t like about their security awareness programme and in part 2 what they like, both based on our workshops with them. In part three we consider practitioners – security auditors as well as security professionals with responsibility for corporate information security awareness programmes. Alongside our user workshops we conducted structured interviews with several of them – here’s what we heard…
The basics – achieve compliance (and reduce risk)
Initially, our interviews explored “what do you need to see” from a security awareness programme. We were told:
Training must be understood, retained, and measured. Participation (what % of staff received the awareness) and retention (indicators of knowledge retained) should be measured. Alternatively, staff should attest that training has been received and understood.
Content and delivery should meet the needs of the organisation, with awareness tailored to the risks the organisation faces. Ideally, the significance of security risks will be made relevant through real-world case studies, and learning should be interactive rather than passive.
Senior management should demonstrate their support for the programme, and its aims.
The organisation should receive demonstrable value from the programme in terms of mitigating risk – ideally backed up by reductions in recorded incident metrics.
Essentially, the initial answers we heard were predominantly focused on the ‘traditional’ axis of compliance/risk. But when we then explored questions around the theme of “…ok…but what do you want to see?” the following key themes emerged, which all revolved around a slightly different fundamental requirement – engagement.
Practitioners want people to care about and be engaged with security – with the benefits of increased vigilance, greater retention, and therefore reduced risk through increasingly secure behaviours.
We also heard frustration that too much focus on compliance can be damaging, particularly in terms of engagement. Staff are often cynical about a ‘mandatory’ approach to awareness and become disengaged. Getting training completed can become a cottage industry, ending up with training taken “under duress”.
A united security team
We heard that practitioners want people to feel like an extension of the security team. This meant they wanted to avoid a feeling of “them and us” and to avoid simply telling people what to do, as well as recognising the need to reward good behaviour rather than punish bad.
Genuinely ongoing update of learning material is perceived to be a positive way of engaging people – and something that was noted to be missing from many current solutions.
A mix of materials and approaches is deemed necessary. Reducing everything to the lowest common denominator is a problem in the current training design. Practitioners are aware that providing the same course to all staff year-on-year will not be engaging for people. Rather than just customising to the organisation as a whole, emphasis is now being placed on customising learning to the individual recipient – taking into account their individual context and behaviours.
There is a clear need in the market for awareness solutions that are not purely focused on compliance, but that drive towards engagement. And even then, engagement is not the end goal. The end goal is to see that engagement turn into secure behaviour change.
The practitioner perspective highlighted above aligns surprisingly strongly with the user perspective documented in our previous articles about mandatory security awareness. When the aim of security awareness is (or should be) reducing risk through driving secure behaviours, the next generation of security awareness must be more focused on engagement than on tick-box compliance.