A shocking paradox: Does security awareness training increase human-cyber risk?

It’s not what you know. It’s what you do.

Joe Giddens
People. Security.
5 min read · Oct 20, 2021


“Any fool can know.” — Albert Einstein

Do you remember the first time you went for dinner after lockdown? I do, for two BIG reasons.

The first is because I’d forgotten how to use cutlery.

So many options. Was it inside to out? Outside in? Stress. And where, oh where, was the shovelling fork?!?

The second reason was a little more nuanced.

When the training works…

I’d sat next to a couple who were in town for a conference. Let’s call them Harry and Vicky (not their real names).

Harry was a young man, stylishly dressed in skinny jeans, and one of those jackets with elbow pads. His hair was impeccable.

Vicky was older, excitable, oozed confidence, and seemed the more experienced of the two. She was explaining to Harry how the following day would likely go.

Vicky wasn’t quiet, but I didn’t mind. It’d been a long 18 months of solitude, and people were excited to be getting out again. Her energy was warming.

After a short time, as I was navigating my starter (and wondering if I could pull off elbow pads), Vicky shouted out…

“Look Harry! It’s one of those dodgy emails!”

I glanced up. My interest must have been obvious because Vicky looked my way. I smiled.

“May I see?”, I enquired. “I work in cyber and I love stuff like this. How d’you know the email is fake?”

Vicky handed me her phone.

“Of course! We get them all the time. Ha, they’re so easy to spot because the email address never matches the name in the email. People must think we’re daaaft!”

You couldn’t fault her.

Harry chimed in, “We got shown how to check in the online training. If you press on the sender name, it shows you the real email address!”

Again. Spot on.

I glanced at the email. It looked like the first stage of a social engineering attack.

Dodgy email.

So far so good. It’s what happened next that got me thinking.

…but you’re still at risk

Harry continued, “What ya gonna do Vik? Ya gonna report it?”

“Nah, what’s the point right. It’s not my thing to deal with.”

It’s not my thing to deal with. Let that sink in for a moment.

Vicky had successfully spotted a phishing attack. She knew what she should have done next (report it). But she didn’t.

If you’d asked Vicky to take a security awareness test, she would have passed. On paper, Vicky is a low-risk individual. In real life, it’s a different story.

The paradox here is that security awareness training can generate a false sense of security.

On paper, people “know” what to do. On paper, you’re safe.

The more training you provide, the more people you train, the safer you think you are. But risk silently builds.

How do we stop this from happening?

Events, interventions & behaviour

The risk someone presents to an organisation is a combination of what they know, what they do, and what they feel.

Any fool can know, and any security awareness professional can measure what people know! Feelings are complicated and awkward to talk about (I’m British), so I’ll leave them for another time. Let’s talk about behaviour.

Behaviour is not what you think people do, or what people say they will do. Behaviour is what people actually do.

Events

Behaviours are triggered by events. Events force people to make a choice.

A phishing email is an event that forces someone to choose whether to report a security incident or not. Events and associated behaviours can be measured.

Interventions

Interventions are used to change behaviours. An intervention’s impact on a behaviour can also be measured.

Behaviour

Behaviour, or behaviour change, happens as a result of people’s Capability, their Opportunity (or environment), and their Motivation (a mix of self-efficacy and situational understanding).

This approach is known as COM-B. We’ve written extensively about it here.

COM-B states that for a person to perform a behaviour, (1) they must feel able to, (2) their environment must let them, and (3) they must want to carry out the behaviour more than competing behaviours.

In essence, you need the right balance of one or more factors to change behaviour.

Bringing it all together

Let’s go back to Vicky. What might be done to make sure she reports security incidents in the future?

Capability

Vicky has sufficient knowledge. Not much else to do here.

Opportunity

Behaviours are more likely to happen if they’re easy to do. Adding a one-click reporting button to her email client would achieve this.

Motivation

Vicky feels the security of her company is someone else’s responsibility — “It’s not my thing to deal with.”

Vicky could be motivated to act by helping her understand how her actions make a difference:

  • Reporting security incidents buys your security team time to investigate.
  • The more time they’re given, the more damage they can prevent, the more money we save.
  • The more money we save, the more booze we serve at the Christmas party.
  • Thank you for reporting. Your actions make a difference.

It’s not what you know. It’s what you do.

Only increasing what people know does little to reduce human-cyber risk.

Only measuring what people know can lead to a false sense of security, whilst actual risk silently grows.

Actual risk can only be determined by measuring behaviour.

Behaviours are triggered by events, and can be changed using interventions.

To be successful, interventions must affect the right balance of capability, opportunity (environment), and motivation.
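As an added illustration (not code from the article or from CybSafe), here is a small Python script over a constructed log of simulated phishing events. It scores each user’s “on paper” risk from quiz results against their measured risk from reporting behaviour, and measures the one-click reporting button intervention as the change in report rate between the “before” and “after” phases. All users, quiz scores and events are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishEvent:
    """One simulated phishing email delivered to a user (the event)."""
    user: str
    phase: str       # "before" or "after" the reporting-button intervention
    reported: bool   # the behaviour we actually care about


# Constructed sample data (hypothetical): awareness-quiz scores, 0..1.
QUIZ_SCORES = {"vicky": 1.0, "harry": 0.9, "sam": 0.6}

# Constructed event log (hypothetical): four simulations per user per phase.
EVENTS = [
    *(PhishEvent("vicky", "before", False) for _ in range(4)),
    *(PhishEvent("harry", "before", r) for r in (False, True, False, False)),
    *(PhishEvent("sam", "before", r) for r in (True, True, True, False)),
    *(PhishEvent("vicky", "after", r) for r in (True, True, True, False)),
    *(PhishEvent("harry", "after", r) for r in (True, True, True, True)),
    *(PhishEvent("sam", "after", r) for r in (True, True, True, True)),
]


def knowledge_risk(scores):
    """'On paper' risk: the share of quiz questions a user got wrong."""
    return {user: round(1.0 - score, 2) for user, score in scores.items()}


def behaviour_risk(events, phase):
    """Measured risk: the share of phishing events a user did NOT report."""
    seen, reported = defaultdict(int), defaultdict(int)
    for e in events:
        if e.phase == phase:
            seen[e.user] += 1
            reported[e.user] += int(e.reported)
    return {u: round(1.0 - reported[u] / seen[u], 2) for u in seen}


def report_rate(events, phase):
    """Overall share of events in a phase that were reported."""
    matching = [e for e in events if e.phase == phase]
    return sum(e.reported for e in matching) / len(matching)


def intervention_effect(events):
    """Change in overall report rate from the 'before' to the 'after' phase."""
    return round(report_rate(events, "after") - report_rate(events, "before"), 2)


if __name__ == "__main__":
    print("knowledge risk         :", knowledge_risk(QUIZ_SCORES))
    print("behaviour risk (before):", behaviour_risk(EVENTS, "before"))
    print("behaviour risk (after) :", behaviour_risk(EVENTS, "after"))
    print("intervention effect    :", intervention_effect(EVENTS))
```

Vicky scores zero knowledge risk yet a behaviour risk of 1.0 before the intervention, which is exactly the gap a quiz alone cannot see.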

It’s not what you know. It’s what you do.

At CybSafe, we obsess about this stuff. We are determined to make a difference. You can read more about our work here.

If you would like to submit an article for publication, please get in touch. The best way to reach me is LinkedIn.
