Comment

Boosting employees’ security awareness

Kris van Riper is a managing director at CEB and Dylan Moses is a research analyst at CEB.


President Barack Obama declared cybersecurity a top priority for 2015, which seems timely given the series of high-profile breaches in recent months. The infiltrations of the Energy Department, Army Corps of Engineers, U.S. Postal Service and IRS signal that cybersecurity has truly become an issue of both economic and national security.

With most of the media attention focused on external hackers and cyber criminals, it can be easy to overlook internal risks, yet accidental employee violations of information security policies are a frequent and critical threat to data security. CEB research shows that employee error contributes to 48 percent of all security incidents, while malware contributes to 20 percent and hacking accounts for just 11 percent.

And according to a recent SolarWinds poll, 53 percent of federal IT professionals say careless and ill-prepared employees are the greatest threat to their agencies' security. Take, for example, the July 2013 IRS incident, which started with simple human error and ended with nearly 100,000 Social Security numbers exposed in a public database.

CEB research shows that although the average organization invests significantly in employee security training and communications campaigns, most fall short of achieving compliance. In fact, we found a complete lack of correlation between spending and compliance.

By not considering the mindset of their employees when creating campaigns, chief information security officers (CISOs) consistently capture the wrong metrics and therefore misdiagnose compliance issues. Our research shows that leading organizations that focus on employee behaviors tend to conduct more effective training campaigns, which can decrease human error by at least two-thirds.

In order to address and safeguard against risky end-user behaviors, CISOs should consider the following elements when designing and implementing a security program:

* Understand employees’ behavior. The most effective campaigns identify the “why?” behind employees’ lack of compliance, which can include a lack of awareness of policies or a lack of emotional commitment to information security. Capturing employee behavior requires a case-by-case assessment of how end users operate, what drives their actions and how they perceive the CISO’s awareness efforts.

* Craft different messages for different users. Employees have different patterns of risky behavior, with most of the variability explained by role and seniority. Leading CISOs tailor their campaigns to groups with different risk profiles, paying special attention both to the content being delivered and to how it is delivered. A recognizable campaign "look and feel" increases the likelihood that employees will remember and act on campaign communications.

* Create an incentive program. Detailed training and communications do not necessarily prompt a change in employees’ risky inclinations. Instead, the most effective CISOs incorporate incentives for adopting safer behaviors as well as consequences for failing to do so. Our research shows that incentives, which can be as simple as recognition from a manager, can be just as productive as more costly training or communication efforts.

* Benchmark employees’ current awareness level. Leading information security organizations measure compliance to trace the successes and failures of particular aspects of their awareness programs. Measuring employees’ behaviors helps CISOs understand employees’ perceptions and actions in order to address risky behaviors as soon as they arise.

Although the federal government faces many challenges in IT security, internal employee awareness is one area where agencies can quickly and effectively reduce risk. Keeping end users in mind when developing compliance campaigns can save agencies time and money while helping them better serve the public.

