An accepted truism in security is that people are the weakest link in the security chain. Acronyms such as PEBCAK exist, and we joke that we can’t update the human software. By saying this as security experts, we make it seem like there isn’t a way to improve awareness and encourage better security behavior.
The 2023 Verizon Data Breach Investigations Report (DBIR) found that 82% of breaches involve humans. Imagine giving an opponent in sports an 82% head start in a race or letting an American football opponent always start on the 18-yard line. By accepting that people are always weak, we also assume that the attackers targeting our systems are, too.
When looking at security investments, and security in general, we know perfection isn’t an option. Systems will always have new zero-day vulnerabilities, and defenses will always have a failure rate. We should stop thinking that people must be perfect to invest in training and awareness.
Let’s break down the numbers to put this in perspective. Say that you have a great solution for your company’s tech stack that cuts half of the risk. That would be amazing! But the overall reduction of a breach is only 9%, which is half of the 18% of breaches that didn’t involve human error. Now say that you have training that makes people 15% better at seeing security issues. You now have a 12.3% overall risk reduction rate. Due to the disproportionate amount of breaches caused by human error, small improvements to training and awareness reduce significant risk. You don’t need perfection but simply to improve incrementally.
It’s probably not new that you’ve been told to train employees in cybersecurity awareness to reduce human error. But are employees trained in the most effective way? Let’s review how a traditional cybersecurity training goes:
- Employees are made to sit and watch videos. They don’t really interact and forget it as soon as it’s over. We have all watched them and dread slogging through them. The videos even have to have buttons to make sure that no one sleeps through their training.
- Security teams send phishing emails and a “gotcha” page if they click it, or they might meet with the manager of the person who fell for the phish. What do the least technical people—who might be the most susceptible—do? They stop looking at important emails or are so cautious they send in false positives. This is another undesirable result.
- We talk about using security on websites and not opening suspicious emails, but we don’t explain it in a way that makes it relatable to the average user. We sit and talk shop about the differences between HTTPS and HTTP in URLs, to suspect links with the last base domain in the link and other technical security notes. We can’t assume our audience knows or cares about those nuances.
Our advice? Meet the end user where they’re at, lead with positivity and provide training that empowers them.
- Space out training. Many studies have shown that cramming doesn’t work. We learn better by learning over time and with repetition. We should have security training throughout the year instead of forcing all of the information on employees at once.
- Create fun. Any opportunity to make training fun and a game is a win. This means that engagement with the learning material goes up. Memes, narrative storytelling and other methods of gamification may be beneficial to engagement.
- Treat people as a sensor and enable them to alert others about potential threats. This is a key part. When people start to learn about security, they will start to see those urgency-inducing phishing emails or texts. And they will talk about it with their peers. A security channel in an app like Slack or other company-wide communication system will let someone say, “Hey, this looks odd!” Now everyone is on alert. One area picks it up, and others learn from it—a force multiplier.
There are simple ways to make our organizations stronger with minimal financial investment and effort. First, we should avoid talking in technical terms, but rather in a way everyone can understand easily. We need to space out training over time instead of making it an annual event. We also need to inject some fun into security training to make it a rewarding experience, which pays big dividends. And, lastly, let them communicate about suspicious threats with each other and share knowledge across the organization to enable a security-first culture.
By making security training enjoyable, we are taking back big pieces of the field from attackers, and no longer letting them have a head start on breaching our security.
