Why Organizations Need More Than Just “Security Awareness”
Whether security-conscious behaviour can actually be changed has long been debated. Yet the human element remains the leading factor in successful cyber attacks: the Verizon DBIR 2023 finds it present in 74% of breaches, whether through error, privilege misuse, stolen credentials or social engineering, and other counts put it in nine out of ten incidents.
This underlines that employees, while a major source of risk to the organization, are also its strongest line of defence.
To realize that potential, organizations must go beyond traditional “security awareness programs” and build a culture that fosters unconscious competence in secure behaviour.
The Gap Between Awareness and Action
Security awareness programs have existed for decades, yet many organizations still face a wide gap between aspiration and reality.
Under pressure for speed and convenience, employees often bypass security practices to get business done. Even those who understand the risks still make mistakes when their cognitive load is high.
Security awareness means understanding threats and knowing how to react to them. Raising awareness alone, however, does not guarantee that risk is reduced: many employees understand the risks but lack the confidence or motivation to change how they behave.
Cyber Security: From Cyber Awareness to Secure Behavior
To build a culture that is genuinely security-conscious, businesses must move beyond awareness and focus on changing behaviour. Secure behaviour is how individuals actually respond to real-life risks and threats.
It is influenced by such factors as:
- Capability
- Attitudes
- Justification processes
- Social norms.
This culture is built over time through consistent effort, and it follows the familiar competence ladder. At first, employees are unaware of the risks they face: they are unconsciously incompetent.
Training makes them consciously incompetent.
They are now aware of the dangers but have not yet been equipped to deal with them. With practice and additional support they become consciously competent, making good decisions, but only while actively concentrating on doing so.
The final stage is unconscious competence. Acting securely becomes second nature, much like driving a car or riding a bicycle. As security becomes part of the organization’s DNA, employees behave securely without having to think about it.
Building a Security-Conscious Culture
Shared beliefs and behaviours are the foundation of a security-conscious culture. It encourages a collective approach to protecting the organization’s systems, data and reputation.
Social norms are the driving force behind this culture, reinforced by open and transparent discussion of cybersecurity.
Employees must also be confident that they are able to act securely. They should have current resources and tools so that they can keep up with the threat landscape.
Because cyber threats have evolved, cybersecurity training must be more than generic. It should be tailored to the specific threats the organization faces, including remote working environments, new threat vectors and industry-specific risks.
Measuring the Shift to Unconscious Competence
How can progress towards unconscious competence be assessed? Outcome-driven metrics, which measure what people actually do rather than how much training they have completed, are the key to assessing resilience and risk reduction. They give executives critical insight and help CISOs identify the areas that need attention.
Continuous monitoring using data from multiple sources allows for timely adjustments and ensures that resources go to the initiatives that reduce risk and strengthen the security culture.
The Benefits of a Security-Conscious Culture
A culture of unconscious competence reaches beyond technical controls. Humans, as the primary users of systems and as customers, are the ones who introduce many of the vulnerabilities, and in today’s cyber landscape the human factor cannot be ignored.
Beyond improving security at every level, fostering a security culture brings further benefits:
- Protecting your brand reputation
- Meeting regulatory compliance obligations
- Building organizational resilience
- Enhancing competitive advantage
A security-conscious culture also encourages collaboration and innovation: employees can share ideas with confidence, knowing that security is maintained.
Final Thought
Organizations must move beyond the traditional security awareness program and build a culture of security.
By integrating security into daily decisions and operations, businesses improve their security posture and protect themselves from evolving cyber threats. Building this culture takes time, but it produces a more resilient company in which secure behaviour becomes second nature.
Continuous investment in learning and in promoting security-conscious behaviour empowers employees to be vigilant, proactive and confident in protecting their organization. In today’s cyber world, the shift from conscious to unconscious competence is not merely beneficial but vital.
FAQs (Frequently Asked Questions)
1. What is the difference between security awareness and a security-conscious culture?
Security awareness is knowing about threats and risks. A security-conscious culture turns secure behaviour into habit: people go beyond knowing and act securely all the time.
2. Why do traditional security programs fail?
Traditional programs educate people about risks but do not change their behaviour. Employees who feel rushed, or who see security as a burden, may ignore the risk anyway.
3. How can organizations help their employees to act in a secure manner?
By fostering a culture in which security is a top priority, providing regular training, and reducing the distractions and friction that lead people to cut corners.
4. What is ‘unconscious competence’ in cyber security?
Unconscious competence is when people follow secure practices without having to think about them. They recognize a phishing email as automatically as an experienced driver checks the mirrors.
5. How can we determine if a company has a culture that is security-conscious?
By monitoring changes in behaviour, reviewing security incidents and measuring against specific goals. Regular feedback keeps the culture improving and keeps employees alert.
6. What are the social norms that influence security behavior?
Social norms shape how people behave. When leaders and peers visibly prioritize security, the rest of the organization follows, creating a shared sense of responsibility.
7. What are the advantages of a culture that is security-conscious?
A strong security culture reduces risk, protects data and prevents costly breaches. This also improves compliance, builds trust and makes the business more competitive.
8. How can businesses balance security with speed?
By building security into daily routines so that it does not slow the work down. The right tools and training help employees see security as part of their job rather than a separate task.
Gaynor Rich, CISM
Security Leader & CISO