When it comes to an organization’s employees, the security community has a common refrain: “People are the weakest link.” However, we need to reframe that thinking: People are the primary attack vector, and only become the weakest link when security professionals fail to adequately train them, said Lance Spitzner, director of SANS Security Awareness, in a Tuesday session at RSA 2019.

Organizations invest in security technologies for machines, like firewalls, authentication measures, and antivirus solutions. However, far fewer investments are made in employees, Spitzner said.

“We’ve done such a good job at securing the technology, we’re driving the bad guys to go after the humans–the one operating system we’ve failed to secure,” Spitzner said.


Organizations fall somewhere along the following security awareness maturity model, which moves from immature to mature, Spitzner said:

  • Non-existent
  • Compliance-focused
  • Promoting awareness and behavior change
  • Long-term sustainment and culture change
  • Metrics framework

“You’re not truly mature until you’re not only changing behavior and culture, but you have the framework to demonstrate that change,” Spitzner said.

Challenges to security awareness

Security professionals come across the following common misconceptions and challenges when it comes to cybersecurity awareness programs, Spitzner said:

  • Awareness programs never work.

Many security professionals say that they have an awareness program but that it isn’t working, Spitzner said. Often they are referring to a compliance-focused program, in which employees sit through one training presentation per year so the organization can check a box.

  • Awareness programs are a failure, because someone always clicks.

It’s impossible to eliminate all human risk, but it can be controlled and reduced, Spitzner said. When security professionals say “All it takes is one click and your network is done,” they have larger problems, because that would mean that every other measure failed, he added.

  • Awareness is just about human prevention.

This attitude limits your security posture, Spitzner said. “You have a workforce of human sensors–teach them indicators of an attack, get them identifying and reporting it,” Spitzner said. “Total prevention is impossible–it’s all about resilience, detection, and response.”

To change people’s behavior, cybersecurity professionals can look to the Fogg Behavior Model, which states that behavior is determined by motivation, ability, and a prompt or trigger. “The easier something is to do, and the more motivated someone is, the more likely they exhibit the behavior when they get the prompt,” Spitzner said.


This is where a common challenge comes in: Security professionals perceive secure behaviors as easy, when they are actually difficult for most people, he added. “The more of an expert you are at something, the worse you are at communicating it,” Spitzner said.

For example, security professionals often make fun of bad passwords, Spitzner said, yet they also tell employees to make up difficult, unique passwords for every account and never write them down. Instead, they should be teaching employees to use tools such as password managers and two-factor authentication, which make the secure behavior easier, he added.

How to change security behavior at an organizational level

To change security behavior, security professionals must start with a strategy that answers these questions: What is the overall goal of the program? What objectives support that goal? What is the scope? What key metrics will measure success?

Then they need to determine what the objectives are, Spitzner said. Objectives might include ensuring compliance with GDPR, PCI DSS, and GLBA; identifying and managing the top five human risks; and creating a positive cybersecurity culture in which employees feel responsible for security and value it.

These are the three key elements that cybersecurity pros need to include in a strategic plan, according to Spitzner:

1. Who are you targeting in your program?

New security awareness programs often start by targeting the entire workforce, Spitzner said, which can be helpful for developing a common baseline of secure behaviors for all employees. However, as your program matures, you must start identifying high-risk groups, such as developers, leadership, accounts payable, human resources, help desk, and interns. Identifying these groups will drive how you determine what their specific risks are and how to change those behaviors, as the answer will be different for every group, Spitzner said.

2. What behavior do you want people to change or exhibit?

People often experience cognitive overload after a compliance-focused security training, Spitzner said. This means security awareness training should focus on only a few elements. “You need to identify the top risks and keep them as few as possible,” he added. “The fewer risks you focus on, the more likely you are to change behaviors.”

Top human risks tend to include social engineering/phishing, weak or shared passwords, and accidents, such as emailing sensitive data to the wrong recipient because an address was auto-filled, Spitzner said. However, it’s important to look at the data to determine what these risks actually are for your organization, he added.

3. How will you change those behaviors?

Yearly training won’t change employee behaviors, Spitzner said. “You have to continuously reach out to people throughout the year, and you have to do it in a variety of ways,” he added. This means getting people who are strong communicators involved, Spitzner said, to ensure that employees understand the messages being sent. You should also try different methods, including simulated phishing attacks, card games, escape rooms, infographics, and memes, to teach security awareness, he added.

Every plan needs to have metrics in place to measure success and communicate impact over time, Spitzner said.
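The metrics Spitzner describes do not have to wait for a mature program; a simulated-phishing campaign already produces data that measures all three points above: which groups are high-risk, whether the behavior being targeted (clicking) is changing, and whether the workforce is acting as “human sensors” (reporting). The following is an added example, not code from the article or from SANS. It aggregates per-group click rate, report rate, and median time to first report from a small set of constructed campaign events; the event format, group names, and thresholds are assumptions chosen for illustration.

```python
"""Per-group metrics from one simulated-phishing campaign.

Added example for the article above, not SANS or TechRepublic code.
The event format (ISO timestamp, user, group, action), the group names
and the risk thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events. Actions: sent, clicked, reported.
SAMPLE_EVENTS = """\
2019-03-05T09:00:00 alice accounts_payable sent
2019-03-05T09:00:00 bob accounts_payable sent
2019-03-05T09:00:00 carol developers sent
2019-03-05T09:00:00 dave developers sent
2019-03-05T09:00:00 erin help_desk sent
2019-03-05T09:00:00 frank help_desk sent
2019-03-05T09:04:10 alice accounts_payable clicked
2019-03-05T09:06:30 bob accounts_payable clicked
2019-03-05T09:02:05 carol developers reported
2019-03-05T09:15:00 dave developers clicked
2019-03-05T09:17:45 dave developers reported
2019-03-05T09:03:00 erin help_desk reported
2019-03-05T09:30:00 bob accounts_payable reported
"""


def parse_events(text):
    """Parse whitespace-separated event lines into (timestamp, user, group, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, group, action = line.split()
        events.append((datetime.fromisoformat(ts), user, group, action))
    return events


def summarize(events):
    """Return {group: {recipients, click_rate, report_rate, median_minutes_to_report}}.

    A report counts even if the user clicked first: the point of the
    "human sensor" metric is detection and response, not just prevention.
    """
    sent_at = {}                 # user -> time the lure was delivered
    members = defaultdict(set)   # group -> users who received the lure
    clicked = defaultdict(set)   # group -> users who clicked
    first_report = {}            # user -> minutes from delivery to first report
    for ts, user, group, action in sorted(events):  # chronological order
        if action == "sent":
            sent_at[user] = ts
            members[group].add(user)
        elif action == "clicked" and user in sent_at:
            clicked[group].add(user)
        elif action == "reported" and user in sent_at and user not in first_report:
            first_report[user] = (ts - sent_at[user]).total_seconds() / 60
    summary = {}
    for group, users in members.items():
        n = len(users)
        report_times = [first_report[u] for u in users if u in first_report]
        summary[group] = {
            "recipients": n,
            "click_rate": len(clicked[group]) / n,
            "report_rate": len(report_times) / n,
            "median_minutes_to_report": median(report_times) if report_times else None,
        }
    return summary


def high_risk_groups(summary, max_click_rate=0.5, min_report_rate=0.5):
    """Groups to prioritise: they click too often or report too rarely."""
    return sorted(
        group for group, s in summary.items()
        if s["click_rate"] > max_click_rate or s["report_rate"] < min_report_rate
    )


if __name__ == "__main__":
    results = summarize(parse_events(SAMPLE_EVENTS))
    for group, s in sorted(results.items()):
        print(f"{group:17} n={s['recipients']} click={s['click_rate']:.0%} "
              f"report={s['report_rate']:.0%} "
              f"median_report_min={s['median_minutes_to_report']}")
    print("high-risk:", high_risk_groups(results))
```

Run the same aggregation over each campaign and plot the per-group series over time; a falling click rate with a rising report rate and a shrinking time to first report is the evidence of behavior change that a mature program is expected to demonstrate. Tracking report rate separately from click rate matters: a group that clicks but reports quickly is in a better position than one that never reports at all.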