By designing security training tailored to employees’ behavior, agencies can quickly reduce risk -- and save time and money
Kris van Riper (left) is a managing director at CEB and Dylan Moses (right) is a research analyst at CEB.
President Barack Obama declared cybersecurity a top priority for 2015, which seems timely given the series of high-profile breaches in recent months. The infiltrations of the Energy Department, Army Corps of Engineers, U.S. Postal Service and IRS signal that cybersecurity has truly become an issue of both economic and national security.
With most of the media attention focused on external hackers and cyber criminals, it can be easy to overlook internal risks, yet accidental employee breaches of information security policies are a frequent and critical threat to data security. CEB research shows that employee error contributes to 48 percent of all security incidents, while malware contributes to 20 percent and hacking represents just 11 percent.
And according to a recent poll by SolarWinds, 53 percent of federal IT professionals say careless and ill-prepared employees are the greatest threat to their agencies’ security. Take, for example, the July 2013 IRS incident that started with simple human error and ended with nearly 100,000 Social Security numbers compromised in a public database.
CEB research shows that although the average organization invests significantly in employee security training and communications campaigns, most fall short of achieving compliance. In fact, we found a complete lack of correlation between spending and compliance.
By not considering the mindset of their employees when creating campaigns, chief information security officers (CISOs) consistently capture the wrong metrics and therefore misdiagnose compliance issues. Our research shows that leading organizations that focus on employee behaviors tend to conduct more effective training campaigns, which can decrease human error by at least two-thirds.
In order to address and safeguard against risky end-user behaviors, CISOs should consider the following elements when designing and implementing a security program:
* Understand employees’ behavior. The most effective campaigns identify the “why?” behind employees’ lack of compliance, which can include a lack of awareness of policies or a lack of emotional commitment to information security. Capturing employee behavior requires a case-by-case assessment of how end users operate, what drives their actions and how they perceive the CISO’s awareness efforts.
* Craft different messages for different users. Employees have different patterns of risky behavior, with most of the variability based on role and seniority. Leading CISOs tailor their campaigns for different groups with different risk profiles. They pay special attention to the content being delivered and how it’s delivered. Recognizing a campaign’s “look and feel” can increase the likelihood that employees will remember and act on campaign communications.
* Create an incentive program. Detailed training and communications do not necessarily prompt a change in employees’ risky inclinations. Instead, the most effective CISOs incorporate incentives for adopting safer behaviors as well as consequences for failing to do so. Our research shows that incentives, which can be as simple as recognition from a manager, can be just as productive as more costly training or communication efforts.
* Benchmark employees’ current awareness level. Leading information security organizations measure compliance to trace the successes and failures of particular aspects of their awareness programs. Measuring employees’ behaviors helps CISOs understand employees’ perceptions and actions in order to address risky behaviors as soon as they arise.
Although the federal government faces many challenges in IT security, internal employee awareness is one area where agencies can quickly and effectively reduce risk. Keeping end users in mind when developing compliance campaigns can save agencies time and money while helping them better serve the public.