Security Awareness: Three Lessons From Health Campaigns
“If you are doing the same things you did five years ago to keep your business and its data secure, then you do not have an effective security awareness program.” — Michael Corey, technologist and columnist.
A recent study found that nearly 4 out of 5 health care IT executives view employee security awareness as their biggest information security concern. Verizon’s “2017 Data Breach Investigations Report (DBIR)” found that cybercriminals used social attacks in 43 percent of breaches, while 66 percent of malware was installed using malicious email attachments. Meanwhile, 7.3 percent of users fell for phishing attacks by clicking a malware-laden link or opening an attachment.
Fool Me Once…
When it comes to figuring out how well we help people learn from their mistakes, the numbers tell a bleak story. Of the users who fell victim once, 15 percent took the bait a second time, 3 percent clicked malicious links more than twice, and 1 percent fell victim more than three times.
Both the DBIR and IBM X-Force reported a large rise in business email compromise (BEC) scams. In a May 2017 public service announcement, the FBI reported that BEC and email account compromise attacks cost organizations across the globe over $5 billion from 2013 to 2016. From June 2016 to December 2016, the FBI’s Internet Crime Complaint Center (IC3) recorded over 3,000 victims, for a total of nearly $350 million.
Three Parallels Between Health and Cyber Hygiene
As these numbers show, there is room for improvement when it comes to cybersecurity awareness. Thankfully, the health field shares many parallels with information security, and chief information security officers (CISOs) and other leaders can draw lessons about running effective security awareness programs from health care organizations.
1. Security Awareness Is Not About Awareness
The key takeaway from this first lesson is that organizations and their leaders should stop looking at cybersecurity awareness like a set of quarterly sales figures to achieve, or worse, a short-term initiative to reprogram their employees. Any shortsighted efforts to achieve quick results will likely disappoint, much like trying to quit a bad habit overnight.
Security awareness is a misnomer — the real goal is to get employees to make better decisions when faced with choices that can impact the organization’s security posture. Security awareness is much more about culture and behavior than awareness. For example, millions of people know that smoking is bad for their health; the real issue is getting people to change their behaviors. One of the best ways to impact behavior in the long term is to change the culture.
According to CLTRe’s recent “Security Culture Report 2017,” “human behavior is dependent not only on knowledge (awareness), but to larger extent on organizational culture, norms, attitudes and other sociopsychological factors. Awareness is just one of many factors contributing to secure behavior.”
Creating a culture of cybersecurity means not only looking at long-term organizational changes, but also examining the very fabric of how information, values and behaviors are communicated and shared within the members of the cultural unit — in this case, the organization.
Simply knowing right from wrong isn’t enough to change behavior. If it were, most of us would behave like angels all the time. In addition to knowledge, we need to focus on sharing company values and monitoring employees’ attitudes toward information security messages and choices. If a supervisor demonstrates carelessness and brushes off security hygiene, this attitude will quickly resonate with employees and foster a culture of lax behavior.
2. Everyone Needs Constant Reminders
It is common to hear IT security folks lament about the need to constantly remind employees about security awareness. Somehow, we seem to overlook the other awareness and behavioral transformation campaigns that surround us every day related to subjects such as healthy eating, the dangers of smoking and drinking, and the value of exercise.
One of the most visible and long-running campaigns seeks to emphasize the importance of hand-washing hygiene. It argues that proper hygiene is critical to protect ourselves and our loved ones, clients and society at large from bacteria and diseases. Such simple steps can help minimize exposure to superbugs and thus reduce the use of last resort antibacterial drugs.
The lesson for security leaders is fairly simple: All employees should receive regular reminders about their security hygiene. So let’s laminate a poster and plaster it all over the walls and be done with it, right? Not so fast. How many people have you noticed using the bathroom and not properly washing their hands afterwards, despite numerous, clearly visible signs urging them to do so?
Reminders are good, but boring messages are largely ineffective. Hand-washing campaigns are still evolving, and the messaging is continuously fine-tuned to elicit better behaviors. One approach is to tweak the framing of the awareness message. Another is to measure engagement with the message itself and seek better results.
Now contrast the hand-washing campaign with your own cybersecurity awareness program activities and reminders. Do you subscribe to the once-a-year broadcast messaging approach? Do you use a more fine-grained approach with awareness and reinforcement in the nick of time? What about financial incentives?
3. Incentives Work in the Short Term, But Peer Pressure Works Long Term
According to Harvard Business Review, a California hospital conducted a study in which employees were paid a one-time bonus of $1,200 for meeting performance target goals for a hand-washing campaign. Due to the way the hand hygiene data was collected, every single employee at the hospital was responsible for achieving the hygiene goal. If anyone slipped, all would miss out on the bonus.
Employees habits did change during the campaign and everyone received the bonus. However, the most interesting lesson from this study isn’t that the financial incentive resulted in a behavioral change — such changes are usually short-lived and only effective while there is an incentivizing carrot, so to speak, for employees to chase.
Instead, the study offered a different way to achieve long-term behavior modifications: peer pressure. While hospital employees tended to their hand hygiene to earn the reward, a different group of people — physicians — found themselves under peer pressure to comply with the organization’s target hygiene goals, even though they were not eligible for the reward (under California law, physicians cannot be employees of the hospital).
While hospital employees changed their behavior quickly to earn their one-time cash incentive, that behavior didn’t last beyond the incentivized period. Instead, the study reported that doctors, while initially slow to change their behaviors, not only improved their hand hygiene, but also had their new behavior last longer. The cash incentive created what the authors of the report called “a contractual expectation.” They further cautioned that for some participants, “the absence of further payments would justify withholding the behavior.”
Where Do We Go From Here?
The CLTRe report provided deep insights to help CISOs move from security awareness toward a culture of security. For example, the report found that the top factors that positively impact employee behavior were the norms in place to support the security culture (beta of .35), followed by attitudes toward security (.10), compliance with policies (.10), and knowledge and awareness (.10). Simply put, knowledge and awareness are not enough to drive proper security behavior by themselves.
The Verizon DBIR encouraged security leaders to enact their influence and clout to encourage employees to report suspicious emails. But don’t just give your IT department a budget increase to create a new awareness campaign. A recent Forrester report warned that “unless you have a communications background, you need help with the education and messaging components,” CIO reported.
In other words, treat cybersecurity awareness as a long-term, multimodal, multidisciplinary campaign that will need to explore different approaches to impact behavior.