Shaking up security awareness: How one organization is building a culture of security
Human beings are naturally good at making connections and engaging in behaviors and relationships; these behaviors and norms of a society build a culture. Connecting to a subject and engaging in its content is part of the learning process, too. This engagement process is used in security awareness training to help improve understanding of often dry and complex subjects. Creating an environment where security-first thinking becomes second nature is the golden chalice of security awareness training. Getting there requires employee engagement; if engagement levels are high, the training is more effective, resulting in a culture of security that permeates your organization.
Organizations like Johnson County in Kansas have successfully achieved a culture of security by driving employee engagement using fun and games. How they do that is the secret sauce of security culture creation.
ChatGPT training built for everyone
What defines a strong culture of security?
An Infosec survey that explored how to quantify a security culture revealed some interesting insights. One of these insights shows that 31% of respondents found that their organization's cybersecurity awareness training (SA&T) was only a "little engaging or not engaging at all." That's a telling statistic; if a third of your employees do not engage with security training modules, they will not connect the dots needed to create a strong culture of security within an organization.
You know that you have developed a strong culture of security when your employees actively use security best practices. Infosec has created a framework based upon the results of intensive surveys carried out across industry sectors to measure the level of engagement. This framework allows an organization to track its success score in developing a cybersecurity culture across five domains.
Domain one: Confidence.
Do employees feel they can use their cybersecurity knowledge in a practical manner?
Domain two: Responsibility
How an employee perceives their role within organizational security.
Domain three: Engagement
How willing are employees to participate and apply available resources to support and improve personal security behaviors?
Domain four: Trust
The perception of the security posture and security processes at an organization by its employees.
Domain five: Outcomes
How do employees perceive the consequences of a security incident at their organization?
Donna Gomez of Johnson County told Infosec about her practical experience delivering engaging security awareness training to build a security culture.
Scoring high with engaging security awareness
The antithesis of engagement is blame. Gomez explained that Johnson County deals with a cybersecurity event by avoiding blame — after all, the person who has been tricked by a phishing email or is socially engineered is a victim. Gomez told Infosec, "I look at that non-engaged 31% as not being connected to the SA&T (security awareness and training) material. They are simply going along with the program. And, if you're going to punish people, they're going to disengage."
The research shows that certain forms of negative feedback, such as punishment, contribute to security awareness disengagement and can cause a SA&T program to fail.
Gomez uses the Infosec framework to help Johnson County measure the effectiveness of its SA&T program. She told Infosec that she was "really excited when I saw that our average was 3.84 across all five domains." Gomez said that seeing a high score of 4 for trust and responsibility was most encouraging as this high score demonstrated to Gomez and her team that they had successfully changed the security mindset of employees. To achieve this, Gomez and her team took a stance that security is not an IT issue because it impacts everyone. It is the responsibility of us all.
The fun and games of engaging security awareness training
Creating and maintaining an engaging security awareness training program does take commitment. As Gomez reminded us, "It's (security awareness) not an IT problem. It is not an HR problem. It's a human problem, and you must deal with the user community."
Engagement in security training can be broken down into four core elements that will help keep that entire community engaged.
No blame policy
Removing the concept of employee blame from a cyberattack creates a framework of trust that allows a security culture to develop unhindered. Gomez pointed out, "Employees needed to believe that they won't face serious consequences if they caused a security event." This transparency, openness, and understanding have helped Johnson County improve its trust score. Employees must be able to approach management and report cyber incidents to allow triage and response to happen quickly to mitigate the impact of a cyberattack. In the case of Johnson County, this open-door, no-blame policy increased incident reporting.
Boost employee confidence
Confident employees are more likely to engage in security awareness training. This building stone of a security culture is helped by the no-blame policy. At Johnson County, confidence boosted security awareness, "we were close to a score of four in confidence, but we still need to improve our score; employee confidence shows us that we are doing the right thing and that all parts of the awareness puzzle are in place."
Share ideas
Keeping employees' interest when going through security awareness content is a must-have to maintain engagement. Sharing ideas helps cement the relationship with the training and adds to the engagement in the SA&T program. As Gomez put it, "just try anything, and don't be afraid to try something new." Engagement comes by asking employees to share an idea. At Johnson County, one such request resulted in the "phishing derby" where staff can win prizes. Similar initiatives at Johnson County created a "choose your own adventure series" as a module within the SA&T program. One of the adventures was called "Security Feud." The game became more sophisticated as time went by.
Keep it going
One of the key aspects of a successful security awareness program is to keep it going. Gomez told Infosec that she plans to use the Infosec framework scoring at least twice a year. She intends to do so at key junctures in the cybersecurity calendar, namely, July for Phish Week, (Johnson County's play on Shark Week") and again during Cyber Security Month in October. Once the scores are in, they can be used to measure change. These data can be shared with everybody to show progress: "Hey, look where you are." We can also use the results to find out who trained across the entire county, using the scores to compare results and identify areas of improvement.
The aha! moment in security awareness engagement
Aha moments are always useful to hear about as they can provide a deep understanding of a given situation. Infosec asked Gomez if she could give us her aha moment regarding security awareness engagement. Gomez told us, "Back in 1999, when I started out in the industry, I would tell people, 'don't click on attachments and emails.' From that starting point to where I am now, in every single program, the most important lesson learned is 'don't punish'. Instead, ask and learn from your people. Take the leadership approach. Find out where your users are and use the knowledge management and training design approaches. Assess individual needs as every individual learns differently. And the way they interact with information at a point in time is going to be different. You will have to try different ways of delivering a message and be willing to accept the fact that you don't know everything, and you will have to adjust."
ChatGPT training built for everyone
Shake-up engagement to build a security culture
Engagement is about connecting to the individual learner, understanding what makes them tick and how to leverage that. The pathway to a security culture is through this engagement. Gomez has practical experience in doing this and has won an InfoSec Excellence Award for exceptional engagement in SA&T. A final word from Gomez explains why she stands out from the crowd in the delivery of security awareness training. She told us, "To engage people, you must not be afraid to try something new — shake it up — throw a curveball in the middle that just catches staff off guard, something that is completely different."
Sources:
- Infosec, Cybersecurity Culture — Quantified
- Infosec excellence Awards, Donna Gomez: Security Risk and Compliance Analyst , Johnson County - State of Kansas
ChatGPT training
In this Series
- Shaking up security awareness: How one organization is building a culture of security
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization