The information security industry is not approaching awareness in a way that has a positive effect on user behaviour, according to independent cyber security consultant Jessica Barker.
“The security industry is letting people down in raising awareness in a way that actually changes behaviour,” she told attendees at IPExpo at Excel in London.
For this reason, people continue to be the true Achilles’ heel in security, which requires people, process and technology to work together to be successful, said Barker.
The failure to raise awareness in a way that is effective is in part due to the way information security professionals tend to engage with users, she said.
“It is common to hear the opinion that ‘users are stupid’, that information security is difficult because the user knows nothing and is an idiot,” said Barker.
“For me, that is really challenging, because my job is all about engaging users and empowering them to be better, but talking about users in a negative way tends to put up barriers.”
The real failure, she said, is in not providing good training that raises understanding and promotes better user behaviour.
But the good news, said Barker, is that where awareness-raising has changed user behaviour, attackers have been forced to abandon an avenue of attack.
“We have seen a rise in business email compromise [also known as whaling or CEO fraud], for example, because attackers realise that attacks using fake Facebook profiles or spam over Twitter no longer work as people have become more savvy in the way they use social media,” she said.
Barker called on the information security industry to engage users more effectively by engendering better behaviour through having higher expectations, commonly known as the Pygmalion effect, as demonstrated by the Rosenthal-Jacobson study in the 1970s.
“How you treat people, how you speak to people has a direct impact on what they give back and how they behave,” she said.
Information security professionals tend to talk about good user behaviour as if it is something that is easy, but it is not simple or easy, said Barker.
“What we ask of users is often too much, such as expecting them to notice that web addresses have been modified by substituting one letter for another,” she said.
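The lookalike web addresses Barker describes are exactly the kind of check that should be done by tooling rather than left to a user's eye. The following is an added example, not code from the article or from Barker's talk: a small Python checker that takes a URL, extracts the host, and compares its registrable domain against a constructed allowlist of trusted domains, flagging names within one edit of a trusted domain, names that only match after folding common confusable characters (for instance "rn" read as "m", "1" read as "l"), and hosts that embed a trusted name as a subdomain. The allowlist, the confusable map and the two-label "registrable domain" heuristic are all assumptions made for the example; a production tool would use the public suffix list and a fuller confusable table.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the organisation actually uses (assumption).
TRUSTED = ("example.com", "paypal.com")

# Small, hypothetical confusable map: character sequences that look alike in
# common fonts. Real deployments use a much larger table (e.g. Unicode TR39).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def extract_host(url):
    """Return the lower-cased hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable(host):
    """Naive registrable domain: the last two labels (assumption; no public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def fold_confusables(name):
    """Rewrite confusable sequences to their look-alike target so 'paypa1' folds to 'paypal'."""
    for src, dst in CONFUSABLES.items():
        name = name.replace(src, dst)
    return name


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url, trusted=TRUSTED, max_distance=1):
    """Return ('trusted' | 'lookalike' | 'unknown', matched_or_registrable_domain).

    Order of checks matters: an exact registrable-domain match is trusted;
    a trusted name embedded in a longer host (paypal.com.evil.net) is a
    lookalike; then edit distance on the raw and confusable-folded names.
    """
    host = extract_host(url)
    reg = registrable(host)
    if reg in trusted:
        return ("trusted", reg)
    for t in trusted:
        if t in host:  # trusted brand used as a subdomain label of another domain
            return ("lookalike", t)
    folded = fold_confusables(reg)
    best = None
    for t in trusted:
        d = min(levenshtein(reg, t), levenshtein(folded, fold_confusables(t)))
        if d <= max_distance and (best is None or d < best[1]):
            best = (t, d)
    if best is not None:
        return ("lookalike", best[0])
    return ("unknown", reg)


if __name__ == "__main__":
    # Constructed sample URLs of the kind a user might be asked to judge by eye.
    for sample in ("https://example.com/login", "http://exarnple.com/login",
                   "paypa1.com", "https://paypal.com.login-help.net/",
                   "https://news.example.org/"):
        print(sample, "->", classify(sample))
```

The checker is deliberately conservative about what it calls trusted (exact registrable match only) and generous about what it calls a lookalike, which is the right bias for a warning banner or mail-gateway rule: a false "lookalike" costs a moment of attention, a false "trusted" costs credentials.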
Instead of having unrealistic expectations, Barker said information security professionals should seek to give users the knowledge, understanding and translations they need to recognise threats and make better decisions.
She cautioned against using “fear appeals” like the health warnings on cigarette packets. “Fear appeals can be really damaging if they are not used in the right way,” she said. “If fear is not communicated in a way that explains what the threat is, how it impacts the individual and how what you are recommending will have a positive effect, people will not engage with the threat and understand the danger.”
Information security professionals also need to recognise that humans are curious by nature and for that reason will tend to do things like click on links to see what happens, she said.
“So we need to teach people to think before they look, we need to educate them about the real threats, and we need to empower them so we get a lot back,” said Barker.
Underlining the importance of user engagement and understanding, and the dangers of “fear appeals”, a newly published study by the US National Institute of Standards and Technology (Nist) has found that most typical computer users experience security fatigue, which often leads them into risky computing behaviour at work and in their personal lives.
Researchers found that “security fatigue” leads to feelings of resignation and loss of control, which, in turn, can lead to avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively, and failing to follow security rules.
Commenting on the findings of the Nist report, Ed Macnair, CEO of cyber security services firm CensorNet, said the security industry and businesses need to work to instil confidence in the public and encourage them to make security a priority.
“Security might appear complex and time-consuming, but it really isn’t,” he said. “The public needs to be educated on how simple – and quick – things like two-factor or multi-factor authentication and password managers are.”
The new norm
At the same time, Macnair said more organisations need to force people to use these tools so it becomes the new norm to use a couple of processes.
In her presentation at IPExpo, Barker also touched on two-factor authentication, saying that a study she conducted in 2015 showed 70% of those polled were not sure what two-factor authentication is.
As a result, just over 80% of the people she interviewed said they do not use two-factor authentication.
“This is an example of something that really drives better cyber security, that is quite effective in protecting online accounts, and yet the security industry is failing in communicating what it is, let alone getting people to actually use it,” she said.