Sergey Nivens - Fotolia

Beware the pitfalls of security awareness training, says expert panel

While there is value in security awareness training, not all training programmes are effective or value for money, according to a panel of experts

Organisations should beware of the pitfalls of security awareness training, an expert panel has told Infosecurity Europe 2016 in London.

While the panel agreed there was value in user awareness training, they said not all training programmes were effective or value for money.

Although some programmes are well crafted, the effectiveness of many is low, the value is doubtful, and they are a waste of time and money, especially if they simply repeat policies followed by a multiple-choice test, said Angela Sasse, director of the UK Research Institute in Science and Cyber Security at UCL.

She described some of the UK public awareness programmes as “pitiful”, noting that the advice on four different government websites was often conflicting, while a lot of other security advice she said was simply “rubbish”.

Before organisations can even attempt to change employees’ security behaviour, Sasse said they need to “clean house” by ensuring security systems provide meaningful alerts and guidance, and that policies and guidelines are practical and easy for employees to comply with.

“If security systems are not providing actionable alerts, or employees are struggling to comply with policies, it is vital that organisations sort these things out before even thinking about changing people’s behaviour,” she said.

Once the technology and policies are in place, organisations can then begin looking at changing behaviour. But this is not a fast or cheap endeavour, said Sasse. It is typically a two-year exercise involving a team of security, communication and training experts.

“Organisations need to get real about security, with employees and managers working together to identify and remove the barriers to good security practice to achieve a state of unconscious competence,” she said.

However, Sasse said one of the biggest challenges was that productivity tended to trump security. “And managers are often complicit in that,” she said.

How to change security attitudes

According to Thom Langford, chief information security officer at Publicis Groupe, the most effective security awareness programmes are those that provide some kind of visceral experience.

“The aim should be to build a security lifestyle, so that locking computers when we leave the office becomes as automatic and unconscious as locking the doors and windows when we leave the house,” he said.

“Organisations need to identify and remove the barriers to good security practice to achieve a state of unconscious competence”
Angela Sasse, UCL

Done correctly, security education programmes can be extremely effective and need not involve a great deal of time, said Andrew Rose, chief information security officer and head of cyber in the UK transport sector.

“Regular, 30-second messages can help change behaviour and put people on the right path, rather than longer, more intensive sessions,” he said, adding that information security professionals should work with their organisation’s communications team and tap into their insights and expertise.

However, Rose emphasised that organisations need to focus on the real problem of behaviour. “Awareness is not really the issue. It is about changing behaviour. Awareness alone will have no impact,” he said.

When it comes to changing behaviour, Rose advocates a “security science” approach, which requires analysing and modifying people’s motivations, abilities and triggers.

To illustrate this approach he used the analogy of highway traffic speed control. The motivation to obey the speed limit is the speed camera, the ability is cruise control that limits the speed of the car automatically, while the triggers are the speed limit signs along the road.

“To change poor security behaviour, you need to understand what the motivation, ability and triggers are, and then modify these so that they encourage good security behaviour,” said Rose.

In the information security context, motivations are things like policies and peer pressure, abilities are things like tools and processes designed to make it easy for people to do the right thing, and triggers are things like pop-up windows that are reminders of good practice.

Security is a business-wide responsibility

Samantha Davison, security awareness and education programme manager at Uber, said it was important to build security in from the start. “I have been able to bake security into the culture, and our mission statement is to make security as essential as breathing,” she said.

However, Davison said executive support is essential to building a security culture, and she emphasised the importance of building awareness programmes based on the way people in an organisation work, the way they learn and the specific risks they face.

“The most effective education programmes tend to be those based on people’s actual security challenges and customised according to their roles and geographical location,” she said.

Davison said education programmes should be improved continually using the findings of security testing and other data gathered on people’s security behaviour.

Sasse said engaging with managers and employees to understand how they work and think about security is therefore key to the success of any behaviour transformation programme.

But another key challenge, she said, is that few information security professionals have the training and skills required to engage effectively with people in the business.

“Training in these soft skills is starting to come into security qualifications, but existing information security professionals need to break out of their security silo by engaging with other people across the business,” she said.

According to Sasse, many executives need education around security to understand it is not a technical issue, but a business issue that needs to be part of the business risk analysis process.

“Boards need to start understanding the real risks so that they can start asking the right questions and make more informed decisions,” she said.

Read more about security awareness

Read more on Security policy and user awareness