Game or Shame - how to teach employees to be cybersecurity aware

Traditional approaches to security awareness training are ineffective in changing human behavior because they're too often focused on negative consequences and fail to motivate employees.

Despite years of publicity and millions of dollars in employee training, 'human risk' is still the largest unsolved problem in cybersecurity.

Phishing remains one of the largest insider threats that organisations face with employees unwittingly giving up personal and corporate information to malicious actors every day. No longer limiting themselves to email scams, criminals are also targeting employees on popular social media networks, instant messaging applications, and online file-sharing services.

Traditional security training does not work

Despite all efforts, research shows that awareness training makes no difference to the likelihood of an employee falling prey to a phishing attack. Deanna Caputo, a behavioral scientist at Mitre, surveyed a group of 1,500 employees utilising a mock phishing experiment.

"If an employee clicked a phishing link they would receive training as a result. When they received a future phishing email, whether or not they received training, had no impact on their performance." 

Going Spear Phishing: Exploring Embedded Training and Awareness

The reason why security training does not work

Traditional employee security training does not work because it does not tap into employee motivation.

The key ingredient missing from security training is motivation, says Masha Sedova, co-founder of Elevate Security.

"If I'm not motivated to learn the information needed and choose to apply it, I will not change my behavior."

"If you go in almost any organisation today, you will find the same approach to this problem, and that is [the] employees taking a one-size-fits-all annual security training that they mute, skip through to the end and brute-force the quiz questions and it's showing to be ineffective." 

Masha Sedova, co-founder Elevate Security

Knowledge is not enough

Human convenience beats the human conscience every time. An example can be seen with attitudes towards password security, says Sedova.

"We assume as security practitioners, if they just knew more, they would do something differently. Lastpass did a study in 2017 and interviewed hundreds of users of their platform and found a huge proportion know what a secure password is - 91%. Yet, when you take a look at the passwords they have, they choose easy-to-remember or reuse them a huge percentage of the time - 61%."

Game or Shame - how to teach employees effectively

What it would look like if employees wanted to do security, instead of being forced?

There are three techniques that security teams can use to reduce human risks according to Sedova. These are social proof, gamification and positive reinforcement.

1. Social Proof

Social proof refers to providing evidence to a group that their peers are behaving a specific way. Elevate Security's research applied social proof to phishing, reporting and password manager adoption.

"By taking data sets of what employees are doing in an organisation, you can compare every employee's actions to their peer groups. When we compare actions to people we know, we are more likely to change our behaviours." 

2. Gamification

Gamification makes adopting a new culture an fun experience. It provides an element of challenge and rewards aligned attitudes and actions. Examples of gamification are competitive quizzes, leaderboards, 'spot a scam' challenges, or using security strength charts to compare employee behavior.

"Gamification is taking a part of the things that make gaming successful and applying it to business. Why not use those methods in security too? What if we had something in our organisation, say, number of days since last malware infection?"

3. Positive Reinforcement

While negative reinforcements such as shaming and punishment can change risky behaviors, studies indicate they have damaging side effects such as reducing employee morale.

Positive reinforcement shows that the organisation values security in a meaningful way. It means taking the time to affirm positive behaviour demonstrated by employees. It encourages dialogue and peer-to-peer encouragement and support. 

Rather than security being another box to tick, or something that has to be gotten out of the way as quickly as possible, it is instead presented as an ongoing culture of care. Employees are given positive feedback for taking care of the organisation and protecting it from risk. 

 

Also consider UEM and Wandera for endpoint security