With human error being a leading cause of data breaches, organizations are putting more emphasis than ever on security awareness training.
But Canadian municipal infosec leaders were warned Tuesday that scaring employees into obedience won’t work.
In fact, argued James Norrie, CEO of CyberconIQ, a Pennsylvania-based threat awareness learning platform, CISOs need to understand human nature and the things that trigger the seemingly irresistible urge to click on a link or open that attachment.
“You have to make it OK to be vulnerable around cybersecurity in your organization,” he told the annual security conference of the Ontario wing of the Municipal Information Systems Association (MISA), being held this year online.
“To do that, you don’t want to sling fear and the fear of consequences,” he said in the keynote address. Phishing tests aim to catch people doing something wrong, he argued, which doesn’t help the mindset of staff. “So instead of reporting failure rates, report pass rates and talk about how you’re going to use this (training) to bolster people’s understanding of cybersecurity as a team sport.”
Most organizations have technology that will catch up to 92 per cent of cyber threats, he said. For the remaining eight per cent or so, no amount of technology will help. But if employees can be taught not to execute the attack, “then you can’t be compromised.”
Norrie, who also teaches cybersecurity at York College in Pennsylvania, argues that awareness training has to be customized to employees rather than generic. People can be broken down into four types, he said:
- “Risk Breakers,” who are happy following rules. But that makes them vulnerable to what Norrie called “deep fake” attacks, seemingly from someone in authority, that ask them to break the rules, such as changing the bank account that money is sent to. Fortunately, because much of generic awareness training involves following a set of rules, they are the easiest group to train. Broadly they represent 38 to 40 per cent of employees;
- “Risk-Takers,” who represent 12 to 15 per cent of employees, want to comply with company rules but are more risk-tolerant and will make selective exceptions to rules. They may be vulnerable to cons involving fake “emergency or urgency” pleas;
- “Risk Shakers,” who like the freedom of choosing when to break the rules;
- “Risk Makers,” who trust their judgment, so rule-based training doesn’t work as well for them. They are likely to be fooled by what Norrie called “affiliated attacks,” such as from fake people on LinkedIn.
An effective awareness program, Norrie said, is tailored to each of these groups, explaining why they are vulnerable to particular threats by showing the context in which a vulnerability arises. What it doesn’t involve, he stressed, is knowledge about technology.
Infosec pros enjoy the challenges of technology because it’s largely controllable and its outcomes can be predicted, he said. However, he added, they need to understand that human factors are much less predictable.
The COVID pandemic and the increase in staff working from home have made this harder, Norrie argued. Staff working in the office may be more cyber-aware than when working from home, with all its distractions.
“The entire public sector needs to be aware that everything they do has to reduce the probability of a successful cyberattack, reduce the total cost of a successful attack when it occurs” including everything from having cyber-secure policies and an incident response plan to cyber insurance. The goal is to build a cyber-aware culture. “We have to make good cyber behaviour as natural as ‘Look both ways before we cross the street.’”
But CISOs “have to stop slinging fear,” Norrie maintained.