Security awareness programs that work against human nature will fail
Security awareness programs should take into account that humans are basically 'lazy, social, creatures of habit,' said KnowBe4's Perry Carpenter at the CIO Boston Summit. Here are three tips.
BOSTON -- Security awareness programs are about a lot more than putting information in front of people and hoping they retain it, said Perry Carpenter, chief evangelist and strategy officer at KnowBe4 Inc., a provider of security training.
"If you try to work against human nature, you will fail," Carpenter said at last week's CDM Media CIO Boston Summit. Security practices will be perceived as an "externality," rather than an integral part of an organization.
Unfortunately, human nature is not exactly an open book, so figuring out how to devise a security awareness program that resonates with the workforce is tricky. Carpenter, who previously worked as a security researcher at Gartner, detailed three tips to achieving security awareness success, starting with a tailored organizational plan.
Personalize before finalizing security awareness programs
Carpenter said IT leaders should take stock of where the organization is in terms of security awareness. To get a sense of where everyone is, IT leaders can interview different divisions, leaders and employees, and study the work environment, he said.
"Your security awareness program may look similar to somebody else's, but it should not look like an exact carbon copy of somebody else's," Carpenter said. Each organization has subtle -- or not so subtle -- differences depending on personalities, location, language, demographic, et cetera, he added.
Does your organization have a lot of Millennials? Then viral videos might work really well for spreading security awareness in your organization. But then you run the risk of alienating your older workers -- it's a fine line, Carpenter said. Figuring out employees' strengths is critical to achieving the right balance.
"Find out what behaviors people are struggling with and what people naturally do well when it comes to security," he said. "If you have a population of people that are naturally doing the right thing, you probably don't need to train them on that -- they'll feel talked down to."
Tap into the organizational culture
Carpenter's next piece of advice: View security awareness programs through the lens of organizational culture. For security awareness to infiltrate an organization's culture, IT leaders need to understand that culture.
"A security culture lives and breathes within every organization," he said during his presentation. "The question is how strong, intentional and sustainable is your security culture. And what do you need to do about it?"
The first thing to assess is what the security culture is at your company and then how to shape that culture. To do that IT leaders will need to flex their people skills.
"You need to figure out who are those culture shapers within the organization and how do you work with and through them to get the security behavior that you want," Carpenter said.
Know and manage behavior
IT leaders can help shape "good security hygiene" by leveraging a few basic behavior management principles. The big one: Just because people are aware doesn't mean they care.
"I know that the speed limit sign says 55 mph when I pass it at 70 mph and give it the virtual middle finger," Carpenter said. "I just do an internal risk assessment because I don't care. I feel at the time that I know better than the law. Your people do the same thing. If we ignore that then we're setting ourselves --and everybody -- up for frustration."
Perry Carpenterchief evangelist and strategy officer, KnowBe4
Another big insight that will help CIOs customize security awareness programs: Human beings are lazy, social and creatures of habit.
"If we go against any of those three things [in our security awareness programs] then we have to find ways to prop them up and help them through the action," Carpenter said. "If we're not doing that then we're asking them to do something outside the context of what a human would naturally do."
IT leaders also can't effectively train people on everything at once, Carpenter added. If the goal is behavior change, IT leaders should focus on two to three behaviors at a time to avoid overwhelming employees. "You're trying to train a muscle essentially," he said. That's going to take time.
When crafting a security awareness program, Carpenter said it helps to take into account the other "stuff" in employees' lives that could affect their mood, cooperation or performance. These include everything from their world views to the behavior they observe in company executives to what they ate for breakfast or whether they had a fight with their spouse before work.
"Realize that awareness and behavior do not happen in a vacuum," Carpenter said.