With each new people-triggered cyber-attack, the human aspect of cybersecurity receives more attention. The cybersecurity industry is beginning to demand an evolution in cybersecurity training.
In 2017, researchers from the University of Adelaide published a paper highlighting an interesting finding about the factors affecting cybersecurity awareness within organisations.
The researchers found that, as the reported frequency of security training increased, staff security awareness actually decreased. In other words, each time an organisation held a new security awareness training session with the explicit aim of increasing security awareness, that awareness eroded.
Research increasingly shows that today's cybersecurity awareness campaigns need to change. Few, however, are saying what the changes should look like.
Here are five steps you can take in the right direction.
1. Reward positive behaviours
In the 1930s, the power of rewards was first championed by the psychologist BF Skinner, who studied positive reinforcement in animals. Skinner famously found that rats could be trained to push a lever in response to a stimulus if they were rewarded with food.
Although it might seem simplistic, the same is true of people. Rewarding studying increases academic attainment; rewarding physical activity increases exercise; research even suggests that increasing child support payments (arguably 'rewarding' parenthood) increases birth rates.
Rewards are accepted as motivators elsewhere in the workplace, yet almost entirely overlooked in cybersecurity awareness campaigns.
Should positive security behaviours be discussed as part of performance reviews?
2. Use ongoing testing
The fact that tests are a proven learning aid makes them a feature of most cybersecurity awareness campaigns. But most tests take place immediately after training sessions. Few campaigns continue testing people over time.
In 2008, research examined the effects of testing on two cohorts of students. The first cohort were tested on a subject one week after learning about the subject. The second were tested 16 weeks after learning. Nine months later, the cohort tested after 16 weeks retained more of the learned information than those tested one week after learning, suggesting the effects of testing can be enhanced when tests are delayed.
In our experience we've found tests that take place after training – such as after simulated phishing attacks – can increase security performance, especially when promoted as part of a secure culture.
Today, companies are running repeated security training. We'd probably be much better off running repeated tests.
3. Use stories
Training that makes use of stories instead of simply listing facts almost always increases long-term recall. According to Stanford University research, stories are up to 22 times more memorable than facts alone. In his book The Storytelling Animal, Jonathan Gottschall argues humans evolved to tell and learn from stories.
So let's suppose we want to make users think twice before downloading potentially malicious attachments. We could simply remind them to stop and think before downloading attachments. At CybSafe, though, we find retelling stories such as that of Dridex (malware spread through attachments that steals the banking information of customers of European banks) to be much more effective at achieving our aims.
4. Use fear wisely
Using fear in awareness campaigns is a contentious issue.
Research suggests that fear can backfire should threats never materialise. It's also true that fear can cause users to act more cautiously when assessing potential threats (so long as they are offered simultaneous advice on how to mitigate threats). The sobering truth is that for just under half of the businesses that took part in the UK government's 2017 cyber-breaches survey, threats have already materialised.
It seems that the effects of real-life examples – discussed as stories – could be bolstered when the stories elicit a healthy amount of fear.
5. Encourage independent learning
According to Malcolm Knowles' theory of adult learning, adults learn best independently. Yet, few of today's security awareness campaigns even facilitate independent learning, let alone encourage it.
Allowing users to access training material whenever and wherever they want – through cloud-based mobile applications – facilitates independent learning.
In our experience we've found removing barriers to learning to be extremely effective – a move supported by Nobel prize winner Daniel Kahneman.
By running awareness campaigns designed using psychology, we can transform the current perception of people as the main weakness in a firm's line of defence into one of people as a resource capable of identifying and negating the most common cyber-attacks that companies suffer today.
With better cybersecurity awareness campaigns, people can become our ultimate defence.
Views expressed in our blogs are those of the authors and do not necessarily reflect those of the Law Society. Oz Alashe is the CEO of Cybsafe which, at the time of publishing, was one of the Law Society’s endorsed partners.