A Compliance Mindset Leaves Your Workforce Woefully Unprepared for Cybersecurity
Ninety-five percent of cybersecurity breaches are the result of human error. However, most organizations provide only cursory training on the cybersecurity best practices and responsibilities expected of the workforce. Typically, this is a simple briefing that one can click through in 20 minutes, answering easy questions to “test” one’s preparedness. The purpose of such annual refreshers is not to improve the overall security awareness of employees but to ensure that the organization has complied with training regulations and expectations. This compliance mindset is leaving most enterprises woefully unprotected in the face of advanced cyberthreats.
More cybersecurity training is certainly helpful. In its 2020 annual report, the FBI’s Internet Crime Complaint Center (IC3) found phishing to be by far the most common attack type. Some organizations test their workforce with fictitious phishing emails to identify employees who need remedial training and those who are their most vigilant. But training and education are only a piece of the puzzle; organizations can and should do more to deter poor cyber behavior and reward good behavior.
There are lessons to be drawn from the field of behavioral economics about how to nudge employees in the desired direction to enhance security behaviors. For example, many big enterprises force updates and patches on their network endpoints, eliminating the ability of users to choose to put off an update that might interrupt the work they are doing. But this is low-hanging fruit. To overcome the habituation of ignoring browser warnings about potentially unsafe sites, user interface developers could alter the shape, color, and location of such warnings at random to eliminate the propensity of a user to simply click through what they assume is a false positive.
In some cases, security teams are highly restrictive. For example, some companies disable links in emails so that employees cannot inadvertently click on malicious content. Others go so far as to disable HTML in their email and eliminate the ability to send or receive anything but plain text. These measures, while undoubtedly secure, also hinder productivity in many ways. And by simply forcing these measures on employees, companies do little to train or cultivate good behaviors. Forced patching and updates are aligned with a focus on compliance rather than with changing workforce habits. It is in some ways understandable that security teams feel these forced measures are necessary: time scarcity is a major driver of poor decision-making in general, and specifically with respect to security. Focused on deadlines and juggling multiple tasks, people tend not to click “OK” on updates that will force a restart, and they don’t pause to notice what might be “off” in an email purportedly coming from their boss that is actually a phishing attack. It is nearly impossible to slow the pace of managers’ expectations of their employees’ output, but it is possible to provide incentives and disincentives for employees to adopt more careful security behaviors.
Profit-and-loss (P&L) leaders are incentivized on several metrics, but chiefly revenue, sales, and profitability. Adding security-focused metrics to managers’ incentives may help build stronger security-focused cultures across enterprises. These metrics are harder to develop than dollars and cents, but items like the number of reported phishing attempts or time elapsed without an incident may be relevant. If these are the carrots, there can also be sticks. Employees who click on malicious links or fall victim to phishing attempts multiple times may have their permissions reduced or be put on performance improvement measures.
Security leaders focus on compliance because, in many cases, regulatory measures require them to, and because compliance is easily measured in checklists and does not require developing a sense of an enterprise’s security culture. Compliance will always be important, but the statistics showing the increasing incidence of cybercrime and espionage make clear that it is not enough to secure most enterprises. The fix for the vulnerability of the workforce is organizational: security staff should consider adding behavioral scientists to their ranks to help assess organizational security culture, develop “nudges” toward adopting better cybersecurity behaviors, and develop incentives for practicing these behaviors. If 95% of all cyber incidents are the result of human error, starting to solve the human problem seems most likely to deliver meaningful results.