Human behavior is a very complex landscape of instinct and biology overlaid with cultural expectations and norms. Some behavioral traits can be highly specific to a situation, too. Take, for example, how we behave while waiting in line. The relation of behavior and “queue decisions” has been looked at from many angles. Human beings have to process complex variables like how fast a teller is and the relative queue speed before making a decision. However, anyone who has been in the crush during a Black Friday event will know that the process of queuing can fall apart under the right circumstances. It is with the manipulation of natural human behavior in mind that cybersecurity awareness training programs must work. Human beings are still the weakest security link, with human error being behind 90% of data breaches, according to Kaspersky. But changing behavior is something that takes time and effort. Behavioral change, to develop better security behavior, is a goal that we must work towards if we wish to make our organization more secure.
The goals of behavior change in cybersecurity
You may well ask yourself, what exactly is a security awareness training program? When teaching your staff about security issues, you ultimately want them to not only be aware but to act on that awareness. Cybercriminals are already way ahead of the game by using our own behavioral traits to their own ends. Many cybercriminal techniques, such as Business Email Compromise (BEC) and phishing are built upon a foundation of behavior manipulation. Deep-seated human traits such as urgency, fear and trust are used by cybercriminals to perpetuate a scam. Security awareness training offers a way to change, or make aware of, certain behaviors so that cybercriminals cannot take advantage of them. Here are some behavior change goals of a security awareness training program, organized by activity.
Phishing
Activity
Phishing
Behavior
Clicking on a link Downloading an attachment
Goal
Prevent the knee-jerk behavior that leads to clicking a link or downloading an attachment, even if the email looks like it is legitimate. Teach users to recognize the signs of phishing.
Using login credentials
Activity
Using login credentials, including password hygiene
Behavior
Sharing a password Certain insecure passwords Reusing passwords Not setting second factors
Goal
Ensure that users understand the risks of sharing passwords with other staff members. Train your users in the use of secure password practices, including the use of a password manager. Ensure that users understand that setting up a second factor wherever supported is important.
See also Infosec Institute’s Password Dos and Don’ts.
Safe internet use
Activity
Safe internet use
Behavior
Poor attention to detail when using online services and websites Cloud computing now means that users are more likely to use cloud-based repositories to share and download data and documents. This behavior-tech combination is being used by cybercriminals who spoof sites using brands like Microsoft Office 365 and Dropbox which have a massive commercial audience Poor social media security awareness
Goal
To reduce the chances of malware infection via this vector. To reduce the chances of a staff member being tricked into visiting a malware infected website. Prevent information leaks via social media. Train users to spot tell-tale signs of issues such as possible spoof sites and insecure sites. If your company uses a VPN, teach your staff about why your company uses this and when and why it is vital to ensure it is switched on.
Safe mobile use
Activity
Safe mobile use inside and outside of work.
Behavior
Not using safe Wi-Fi connections Phishing (SMiShing) Sharing mobile passwords/PINs Downloading of unauthorized apps
Goal
To ensure that users know not to share data in an insecure Wi-Fi environment, such as when traveling. To look for the signs of SMiShing. To secure their mobile devices and not share PINs or passwords. To stop downloading of potentially malicious apps or apps that may inadvertently leak data.
Handling sensitive information
Activity
Handling sensitive information, including customer personal data
Behavior
Taking too much information from customers during calls or other communications Not taking due care when sending data out via email Mis-sent emails that contain sensitive information Leaving documents on printers
Goal
Data minimization must be a company remit. In the age of GDPR, this is a simple way to reduce the likelihood of mass data exposure. Create a clean desk policy that is adhered to.
Remote working
Activity
Remote working
Behavior
Working in a home office Working in a cafe Traveling
All of the above have behaviors that can lead to leaked data and company information. Goal
Increase awareness of the risks of working in an uncontrolled environment. Use of VPN on mobile devices and laptops. Use of a privacy screen. To be aware that conversations can be overheard in public places.
Conclusion: Not just behaviors, but quantifiable data
One thing that must be included in a behavior change program is feedback and metrics. These data can be used to show your staff that the program is effective. The metrics can be used to tailor the program to ensure activities are optimized. Whatever goals you decide to focus on, they should be aligned to your business. What type of cyberthreats are seen as a priority in your sector? Do business sections require a varying focus on behavior change goals? What is the risk level of each threat and can this be mapped to the expectations of a behavior change program? Behavior change may seem daunting but applied correctly and with the engagement of your staff, it will become a vital part of your cybersecurity arsenal.
Sources
Fantastic Metrics, Elevate Security 90 percent of data breaches are caused by human error, TechRadar
