Ashton Tupper

Improve your company’s cyber security training with top tips from a behavioral researcher

Today marks the final stretch of National Cyber Security Awareness Month (NCSAM), and for the final week, we decided to sit down with Sal Aurigemma, PhD, Associate Professor of Computer Information Systems at the University of Tulsa, to get his take on enterprise security training. 

Like many other things, enterprise security training has been impacted by COVID. Many organizations are heavily reliant on training and preparedness programs at the moment to help employees navigate the adoption of new technologies and processes, as well as mitigate threats from the rising number of phishing and man-in-the-middle attacks. But just how effective are these programs, and are they actually influencing user behavior? We’ll find out.

Dr. Aurigemma has more than 20 years of experience in the information technology industry as both an educator and behavioral researcher. Dozens of students come through Dr. Aurigemma’s undergraduate and master’s programs each year to learn about proper cyber security hygiene using tools like the YubiKey, and he’s explored topics related to security policy compliance and end-user security practices in his research over the years.

What is the biggest problem you see with employee training programs today?

Perhaps the most frustrating problem I see in the organizations I have worked for, and those I work with today, is a pervasive “check-box” approach to information security awareness training. By this I mean one of two things, and often both:  

1) It is still somewhat treated as a one-and-done compliance checklist that is completed on an annual or quarterly basis. With the possible exception of anti-phishing testing where organizations use tools and services to run their own phishing campaigns, there is little to no reinforcement of the reason behind why it’s important to safeguard the organization. 

2) A one-size-fits-all training doesn’t work. We know that we have certain sectors of our workforce that are more likely to be targeted by potential adversaries. Yet, in many cases, the training given across the workforce is largely the same, even though the threat and techniques can vary based upon the target. 

What are three things organizations can do to improve the efficacy of their cyber security training programs?

My number one recommendation is the hardest to achieve – make sure that your infosec awareness training is properly resourced. This means that you have enough people running the program and those people are properly trained to create and administer effective training programs. If your organization treats security training as a collateral duty, do not be surprised when it fails to meet expectations.

Secondly, ditch the one-size-fits-all approach, at least when it comes to security training and attention. We know certain groups of employees are targeted more often than others, or targeted in different ways, so we need to prepare them accordingly. For example, senior executives, IT system administrators, and HR team members are the top three target populations, and they are typically targeted using different techniques. Their training should reflect that. The same goes for different employee demographics — the lessons or examples that are most impactful for one group of employees may be very different for others.  

Finally, I would recommend that every organization develop a set of training outcome metrics and then use them to continually assess and improve your training programs. This can be challenging, but it is worth the effort. If you have certain employees or employee groups that keep “failing” some aspect of your training, that is a sign that your training and/or security mitigations are not sufficient. But you won’t know that unless you measure and monitor.

How do you foresee the influx of remote work, spurred by COVID, impacting the approach to cyber security training? How should organizations adjust and what should they consider that maybe they haven’t before? 

My primary fear is that the increase in remote work will further distance employees from the security training staff and the messages they bring. What we don’t want is more “watch this video to complete your training” requirements that replace impactful interactions with the organization’s security staff (whether face-to-face or virtual). 

Given that the work-from-home movement is here for a while, or possibly here to stay for some organizations, it is somewhat critical to do a complete review of your security training needs and develop a plan to adjust accordingly. For example, does your current security training plan account for the significantly greater emphasis on remote connectivity and interactions, and the increasing threats — like phishing and man-in-the-middle attacks — that come with that? Do your employees understand which threats are now more prevalent or dangerous than before because of the extension of the workplace to their home office network? 

In an ideal world, this shift to remote work would be the catalyst organizations need to embrace a more tailored security awareness training approach that accounts for an employee’s job role, location, access, experience level, and other demographic characteristics. If and when we return to a more normal workplace life, we will be better positioned to continue to adapt and improve our security awareness programs.

Not all employees will follow through with best practices, even with a perfect training program. What are the primary factors that inhibit users from adopting new security technologies or practices?

A significant portion of my research activities is focused on better understanding inhibitors and facilitators of sound security behaviors, and if I had to narrow it down to three potential reasons why people do not take security actions, even when they know they should, I would say it is due to:

1) Threat apathy 

2) Response efficacy

3) Inconvenience

Threat apathy occurs when individuals do not pay attention to security because they do not consider the recommended or required security action (and its related threat) to be important. It could be because they don’t feel important enough to be a target of cybercriminals, or that they believe their online accounts aren’t worth stealing. Overcoming threat apathy requires the use of convincing and compelling security messaging that explains why the action is important, on a personal and organizational level, and the potential consequences of failure.  

Response efficacy is an academic way of saying that people may not know enough about, or have confidence in, a particular recommended security action. A great example of this is two-factor authentication (2FA). It is not a secret that we should use 2FA wherever and whenever we can. However, most people don’t know the differences between the various types of 2FA mechanisms, which ones are more secure than others, or how they work. Security training programs should not just articulate the threat and required security actions; they must also make it clear that the requested actions are sufficient to the task and, to some extent, explain how.  

Inconvenience is a real factor that influences our security behaviors.  As humans, we are constantly calculating the costs and benefits of doing things and we generally know what happens when the costs outweigh the benefits. Enterprises have to design and implement security mitigations with this in mind and work to balance maximizing the security benefit while minimizing or eliminating the inconvenience factor. If we don’t design security mitigations with the end-user in mind, the end-user may find ways to avoid or diminish the effectiveness of those mitigations.

On the contrary, what have you observed to be primary motivators for adopting new security technologies or practices?  

One of the latest research trends in behavioral information security that I feel strongly about is a shift from sanction or threat-based compliance to one that adds positive reinforcement and messaging. By this I mean that many security policies and training programs are focused on “compliance-or-else” messaging. In short, employees have something to fear if they don’t follow the rules. Fear-uncertainty-doubt (FUD) is used too much in the cyber security literature and it also lives in our training programs. 

While I do believe that there need to be some actual consequences for willful and malicious non-compliance with security rules, we also know that fear alone is not a good enough motivator. We see that in many aspects of modern society, not just in cyber security. My fellow researchers and I have conducted numerous experiments that show that building up and emphasizing the positive psychological capabilities of end-users to combat a security threat is significantly more effective than relying on fear and promises of reprisal alone. We have found that end-users are much more likely to adopt new security technologies and practices when they feel:

1) More capable of taking security actions and working through issues related to the required tasks 

2) More hopeful that their actions are effective

3) More optimistic about their resulting security posture

It’s impossible to eliminate the element of human error, especially when it comes to protection against sophisticated phishing or man-in-the-middle attacks, so what other steps should organizations be taking — outside of training — to ensure they have a comprehensive approach to security?

In my opinion, the best way to minimize the effect of human error (or conscious rebellion) on security practices is to reduce the opportunities to make bad decisions.  This means designing your security mitigations in a way that reduces the cognitive load and choices your end-users have to make.  

A perfect example of this is having your employees use YubiKeys for 2FA or passwordless login. At a time when phishing attacks are virtually undetectable — even to the most well-trained eye — this is exactly the type of technology that you should be using to support your training initiatives. But make sure that the burden of configuring the YubiKeys does not fall all on the end-user and make sure that you are using the right form factor for the employee’s electronic devices.  

Likewise, you don’t want your employees or end-users choosing passwords that are weak or previously compromised. But, don’t put the onus on the end-user to know what that means – do it for them when you are registering accounts or during password changes. Offloading as many volitional security activities as possible from your end-users and limiting the opportunities to deviate from strong security practices should be primary considerations for every security activity.  

Learn more about how the YubiKey can complement your organization’s cyber security training endeavors with a fool-proof 2FA solution proven to eliminate account takeovers from phishing and man-in-the-middle attacks.