Organizations need to change their approach to security awareness and training to reduce the threat of phishing attacks and other risks based on human behavior.
Tim Ward, CEO of Think Cyber Security, told attendees at Infosecurity Europe 2022 that security teams can “nudge” colleagues towards more secure behavior, and argued that this would be more effective than conventional classroom-based training and e-learning.
Security awareness should follow the EAST principles, said Ward, and be “easy, attractive, social and timely.” Ward referenced the Fogg model: prompts to change behavior will be successful if the action is easy to do or the person doing it is highly motivated. This is where much security training falls short, he argued.
Instead, measures such as anti-phishing campaigns are far more likely to work if they are timely and based on the context of users’ day-to-day work.
An email or business application alert is much more likely to deter someone from clicking a suspect link or opening an attachment than training away from their desks. Training and advice should be topical and ideally in “bite-sized chunks.”
“If the risk is with email, then remind them when they are in the email application that phishing is a threat,” said Ward. “Make it easy. Don’t expect people to be experts, but make it really easy, so if they are not sure about an email, they report it.”
However, cybersecurity awareness should not be left to an annual or quarterly training schedule. Such infrequent training is rarely effective, whereas research suggests that regular reminders and prompts can build awareness. A system could, for example, remind someone who has been out of the office or on vacation of the relevant risks when they next log on to an application.
“Annual or quarterly awareness is not timely enough,” Ward warned. Prompts, training and awareness materials and content can even refer to topical events outside the business. “You want to nudge people from time to time and remind them,” he said.