We've all sat through, or perhaps suffered through is more accurate, security awareness programs that dull the senses and make no palpable difference to the business' security posture. Faced with the prospect of putting together security programs for their businesses, Blair Adamson from Telstra and Rebecca Moonen from NBN Co decided to take a different approach.
At the opening event of the annual CSO Roadshow, in Perth, Adamson and Moonen, presented the programs they have overseen and discussed how effective their approaches have been.
What doesn't work
Traditional security programs, said Adamson, have focussed on discussing the threats that are out there, what the danger is and then telling everyone that the bad guys are well resourced so we all have to be vigilant.
Often, that's followed up with some cheesy videos and online quizzes which, he noted, don't deliver significant changes in user behaviour. He said users turned the mandatory-to-watch videos on, went to grab a coffee while they played, and then came back to guess their way through the inevitable multiple choice quiz to "prove" they had done the training.
Focus on engagement
Adamson sought to create something different that made the concepts that important for users clear.
Technical understanding wasn't the issue. Most people were familiar with the ASD's top four security security strategies for mitigating cybersecurity incidents. The challenge was making those messages relevant to people so they changed their behaviour in a positive way.
"Most breaches are caused by poor user behaviour," he said. "Security is about people".
That lead to the creation of a very different program. And while the approach he took used videos, they weren't the traditional "bad guy in a hoodie" style of presentation. They were filmed as a series of short movies, with high production values, that formed an ongoing series. The idea was that by getting people to watch the videos, their awareness of how security issues related to them would influence positive changes to their behaviour.
Adamson's team created five video episodes, each based around a specific concept they wanted to highlight to users. These were phishing, Wi-Fi, social media, malware and information sharing. There was a continuing storyline through the episodes and they were released every couple of weeks, with the hope users would look forward to the next episode to see what was next.
Then, his team could follow up, with the conversation started, with other education and training.
Users didn't have to watch the videos. Despite that, 75% of employees watched the videos because they were enjoyable to watch, as well as delivering important security messages that were presented in ways that engaged viewers. And many people learned about the videos through word of mouth rather than the traditional approach of pushing videos onto staff.
Work safe: Play safe
Moonen started her presentation with an anecdote about a staff member who had been putting in some extra work after hours. While the diligence was a big positive, the staff member was working from a cafe on confidential files using unsecured, public Wi-Fi connection.
"We talk about the malicious insider all the time. We never talk about the accidental insider," said Moonen. "People want to do the right thing but often don't realise that the security protocols they've put in place or their behaviours are not secure".
When Moonen started her security awareness program she started with the traditional approach of "death by powerpoint" with lots of advice but realised no-one was taking the message in. The problem was that she hadn't tapped into what her audience cared about. That led to a new approach this from the "voice of the customer" and understanding what users care about.
"What do users care about? The care about their kids seeing porn online. They care about what happens to their data when they scan their business card. They care about the neighbours stealing their Wi-Fi. And they care about getting in trouble for downloading Game of Thrones," she said.
That led Moonen to a different approach.
Make it personal
Similarly to Adamson and Telstra, she knew the program needed a good story in order to create some stickiness to the education so that behaviour was changed. For example, rather than saying that opening a phishing email is bad, back it up with a real story about what happens if someone falls for a phishing email and then help users look for the warning signs.
Another example was around the use of VPNs. Rather than talking up the security benefits, Moonen talked about using a VPN to make it look as if you're overseas and then trying to book flights as its often cheaper to book domestic flights from within a country than outside. Then, once people see they can be benefited by a VPN, they will be more likely to use one to protect business data as well.
Overcoming fixed ideas
One of the big challenges is the need to overcome "anchoring bias". This is where people hold on to the first piece of information they receive about something and can't or won't let go. For example, for many people the idea that anti-virus software is all you need to be secure is difficult to let go of. But rather than trying to get people to remove that information from their thinking, Moonen says you can layer over it.
You can use the idea that anti-virus software needs to be updated with the importance of patching and updating software and then expanding that from anti-virus software to other applications.
Another challenge is what Moonen called the "ostrich effect". In this case, people see the problem of being secure as so large and complex they decide they cannot do anything about it so they ignore it. Moonen says any training that's offered needs to be actionable and practical. For example, she recommends having people check their email addresses at haveibeenpwned.com. If their accounts have been involved in a hack, then people can change their passwords or remove accounts that may have been compromised.
The program Moonen runs uses lots of face-to-face sessions as well as an online community that 20% of NBN Co's personnel are signed in to event though participation is voluntary.
There are also voluntary sessions for staff to attend and a "security champions" program operates which gives her some eyes and ears on the ground to learn about potential issues, as well as people that can act as "amplifiers" for the messages she is sending out.