Five sneaky ways companies are changing employees' security behavior

Like precocious teenagers, some employees don't want to be told what to do when it comes to cyber security. Too many rules about what they can and cannot do with technology can lead to bad decisions that inadvertently put company data at risk. Instead, a more subtle approach is required to help them make better decisions on their own.

But changing employees' behavior is no easy task. People have an innate need to socialize and share information, says Alessandro Acquisti, professor of IT and public policy at Carnegie Mellon University, and a member of Carnegie Mellon CyLab.


In studies, self-disclosure was found to trigger neural mechanisms in the brain that are associated with reward, showing that people highly value the ability to share thoughts and feelings with others. In one experiment, subjects were even willing to pass up money for the chance to disclose information about themselves.

"The problem is that modern technology has increased our ability to disclose information to such a degree that we no longer realize how much we're giving and to how many people," Acquisti says.

Awareness training for employees does help, according to Aberdeen Group. Changing employee behavior reduces the risk of a security breach by 45% to 70%. What's more, it can be accomplished with less foot-dragging than security leaders might think -- if they pull the right behavioral strings.

Here are five sneaky ways employers and researchers are leveraging positive and equally powerful human behaviors to guide employees toward better security decisions.

1. The Hero

Insurance provider XL Group was looking for a way to grab employees' attention so that they could pass on valuable security information -- not only to protect corporate data, but personal information, as well.

The company wanted everyone to work toward a common goal and to appeal to their sense of compassion. So it asked employees to accept a challenge: watch an educational security video, and in return, for every view of the video, the company would donate a dollar to Doctors Without Borders, an international medical humanitarian organization that provides aid in nearly 70 countries.

The company created seven educational videos on protecting the company, its data, mobile devices and personal data, covering topics such as spear phishing, phone phishing, botnets and social media threats. The short videos were delivered monthly through emails and blogs.

"The goal was to have the videos watched by XL colleagues 10,000 times, raising $10,000 for Doctors Without Borders," says Thomas Dunbar, chief information risk officer. The campaign easily exceeded its goal and Dunbar's team presented a check to the charity in December.

Equally important to the company, the campaign engaged 4,500 XL Group employees worldwide in protecting their corporate and personal information.

2. The Nudge

You've been pinged, you've been poked, now prepare to be nudged. Borrowing a page from economics literature, researchers at Carnegie Mellon are experimenting with "soft paternalism."

"We're going to let you make the decision, but we're going to nudge you toward doing what we think is best for you," says Lorrie Cranor, director of the CyLab Usable Privacy and Security Lab.

For instance, one tool focuses on avoiding regret and helps social media users make better choices about their posts. As users are typing, the tool randomly selects five people from the writer's list of contacts who are about to see the post, and it shows their profile pictures on the screen. "People you may have forgotten about may pop up, and it makes you rethink what you're writing," Cranor says.


3. The Countdown

To get people to stop and think, CMU built another tool that provides a 10-second countdown timer before a post is published. "You can see it, edit it, or cancel it" in those 10 seconds, Cranor says. "We found that it was actually a pretty effective way to get people to stop and think."

Both of these tools could be very effective in the workplace, Cranor says. "You could develop a nudging tool that would be on the lookout for things against company policy and provide these hints and suggestions -- 'hey, look again at what you're about to send and see if it crosses the line,'" Cranor says.

4. The Game

Using interactive gaming techniques to educate or motivate users -- otherwise known as gamification -- has shifted from customer-focused applications that are led by marketing, to more employee-focused applications led by IT for security awareness.

These interactive software games usually rely on employees' competitive nature: they teach the player a particular security concept and then put them into scenarios where they can apply it. The player competes against the clock and receives points for every correct behavior.

"We're trying to give them that similar experience that they have at work where they're multitasking and have to make quick decisions," says Joe Ferrara, president and CEO of security awareness and training company Wombat Technologies in Pittsburgh.

While some employees play to achieve their personal best scores, some companies organize contests around game-based training between individuals or groups and award prizes, says Ferrara.

EMC used an online game and an accompanying Elvis-themed "Suspicious Link" video (a parody of his song "Suspicious Minds") to make employees worldwide aware of phishing scams and their impact on the company. Employees had to watch the video and then answer all questions correctly to be entered to win an iPad Air. Centers of Excellence around the globe also competed as teams to win an office party.

"We like to run contests because we know users don't just want to learn," says Brian Osterman, risk analyst. "We try to gamify it and increase the competition so it's actually fun."

5. The Simple 'Thank You'

At safety science company UL LLC in Northbrook, Ill., there are no cash rewards for security-minded behavior. But when an employee spots a very high-risk phishing scam and is one of the first people to report it, the security team gives them validation by sending a thank-you note and copying their supervisors, the head of the business unit and occasionally the CEO. "That goes a long way," says Steve Wenc, senior vice president and chief risk officer.

UL developed a behavior-focused security education program designed to help its nearly 11,000 employees recognize phishing messages and quickly report them to UL's security team. The program has created a crowd-sourced "human firewall." On a daily basis, UL employees are spotting new attacks, reporting them -- often within minutes -- and enabling UL's security team to quickly take steps to block the attacks, alert other users and remediate infections.

Since the project's inception, incident reports have increased from 10 a month to over 1,000, and UL reports a 19% decrease in virus-related incidents.

"We appreciate what they're doing," Wenc says. "When they spot [a scam] that has impact on the company, we tell them, 'You saved your colleagues and our customers from an attack.'"


Stories by Stacy Collett
