Training is not enough: changing information security culture and behaviour

How might we approach reshaping security culture such that people are a source of strength rather than a liability?

Changing organisational culture is not a ‘technical’ task to be engineered into place. It requires understanding how motivation, incentives, leadership and governance interact to trigger behaviours – desired and undesired. Shaping a positive information security culture and behaviours combines a person’s motivation, ability, and perhaps most importantly, the permission to behave positively.

In our prevailing information security culture, humans are viewed with deep distrust – they are variously positioned as malicious, complacent, or ignorant. This mindset positions people as a feature of information security in a particular and negative way. Information security culture becomes focused on control and compliance.

How might we approach reshaping this culture such that people are a source of strength in information security?

Training is necessary but not enough.

Education, training, and communications are the three methods most firms use to improve information security awareness. All three are necessary, but they are also passive. In practice, they are often generic, delivered sporadically with limited follow-up, and on their own do not lead to a change in behaviour.

Phishing simulations are another common educational technique for raising employee awareness of security issues. Again, they are not enough on their own, and there is little reliable evidence of their value in raising awareness or changing behaviour; they are simply assumed to be ‘good’. A potential unintended consequence of phishing simulations is heightened paranoia among employees, which could lead to unintended negative workplace behaviours and reinforce a compliance culture in which the organisation plays a ‘gotcha’ game with its employees.

Surveys evaluating the effectiveness of information security training consistently suggest that training is not cutting through. For example, a global study conducted in 2017 of over 2,600 professionals who handle confidential data at companies with 250 or more employees found that 72% of employees are willing to share sensitive, confidential, or regulated company information. In 2018, the ISACA/CMMI Institute Cybersecurity Culture Report found that only 34% of the over 4,800 business and technology professionals surveyed believe the workforce understands its role in achieving the organisation’s desired cybersecurity culture.

Training is necessary, but alone it is not enough. And there is little else in the bag of culture and workforce strategies available to those responsible and accountable for information security.

Change behaviour, change culture.

Organisational culture is built on a thousand small interactions, decisions and actions taken every day by individuals. We must influence ‘what people think’ and ‘what people do’ to effect a behaviour change. Our approach is to design tools to support culture change in a way that informs, motivates, and evokes the emotions of individuals—leaders and employees. Ultimately, we want people to move naturally toward the desired change.

To achieve this, we need to create the conditions for behaviour change and ensure the opportunities to engage in the transition are as seamless and easy as possible. For example, a highly motivated employee might be compelled to undertake a behaviour but not be afforded the opportunity and ability to do so. In contrast, another employee may have a tremendous opportunity to undertake a behaviour without being motivated. Highly motivated employees who are not supported by leaders cannot succeed in changing their behaviour or culture. Similarly, highly motivated leaders cannot succeed if employees are unwilling to (or don’t know how to) engage in change. To achieve the desired culture, there is a need to influence both employee and leader behaviour in a mutually reinforcing way.

Information security training treats all employees equally. Rather than motivating employees to participate positively in protecting sensitive and confidential information, security training underwrites a compliance culture with the negative side-effect of discouraging accountability and instilling indifference.

Cultural change requires a sustained focus on the motivation and ability of your target audience. It relies on a detailed understanding of ‘what people think about information security’ and ‘why they behave the way they do’. This provides the foundation for building information security into the organisational culture, so that existing education, training, communications, and other activities such as simulations can be integrated, targeted and put to use.

It is time for a more sophisticated and strategic approach to information security. The evergreen response of ‘more training’ will not be enough. Leaders are looking to leverage new technology to increase capability. Greater connectivity is a central characteristic of our evolving technologies. As our workforce acquires new information, they will be best placed to see new opportunities, but, perhaps most importantly, they will also be developing new connections. People, not technology, are the source of resilience and adaptability in our organisations. Consequently, the organisational culture we wrap around our information security needs to evolve with the technology and the workforce.

In 1996, just as today’s world of hyper-connectivity was emerging, philosopher of technology Langdon Winner observed, ‘to invent a new technology requires that … society also invents the kinds of people who will use it’. We need to invest strategically and comprehensively in finding a way forward to a more positive approach to information security that places people and culture at the centre of an information security system that is more resilient, adaptive, and effective.

This post was first published here.

 

Previous
Previous

From compliance to resilience: people, culture and information security

Next
Next

Information security strategy: it’s turtles all the way down