MISA Ontario 2020: Raise cyber awareness by targeted training, expert says

With human error being a leading cause of data breaches, organizations are putting more emphasis than ever on security awareness training.

But Canadian municipal infosec leaders were warned Tuesday that scaring employees into obedience won’t work.

In fact, argued James Norrie, CEO of CyberconIQ, a Pennsylvania-based threat awareness learning platform, CISOs need to understand human nature and the things that trigger the seemingly irresistible urge to click on a link or open that attachment.

“You have to make it OK to be vulnerable around cybersecurity in your organization,” he told the annual security conference of the Ontario wing of the Municipal Information Systems Association (MISA), being held this year online.

“To do that, you don’t want to sling fear and the fear of consequences,” he said in the keynote address. Phishing tests aim to catch people doing something wrong, he argued, which doesn’t help the mindset of staff. “So instead of reporting failure rates, report pass rates and talk about how you’re going to use this (training) to bolster people’s understanding of cybersecurity as a team sport.”

Most organizations already have technology that will catch up to 92 per cent of cyber threats, he said. For the remaining eight per cent or so, no amount of additional technology will help. But if employees can be taught not to execute on the attack, “then you can’t be compromised.”

Norrie, who also teaches cybersecurity at York College in Pennsylvania, argues awareness training has to be customized to employees rather than be generic. People can be broken down into four types, he said:

  • “Risk Breakers,” who are happy following rules. But that makes them vulnerable to what Norrie called “deep fake” attacks seemingly from someone in authority who asks them to break the rules, such as changing the bank account money is sent to. Fortunately, because much of generic awareness training involves following a set of rules, they are the easiest group to train. Broadly they represent 38 to 40 per cent of employees;
  • “Risk Takers,” who represent 12 to 15 per cent of employees, want to comply with company rules but are more risk-tolerant and will make selective exceptions to rules. They may be vulnerable to cons involving fake “emergency or urgency” pleas;
  • “Risk Shakers,” who like the freedom of choosing when to break the rules;
  • “Risk Makers,” who trust their own judgment, so rule-based training doesn’t work as well for them. They are likely to be fooled by what Norrie called “affiliated attacks,” such as approaches from fake people on LinkedIn.

An effective awareness program will be tailored to offer specific training to each of these groups, Norrie said, explaining why they are vulnerable to certain threats by showing the context in which the vulnerability appears. What it doesn’t involve, he stressed, is knowledge about technology.

Tips to improve awareness training

Infosec pros enjoy the challenges of technology because it is largely controllable and its outcomes can be predicted, he said. However, he added, they need to understand that human factors are much less predictable.

The COVID pandemic and the increase in staff working from home have made this work harder, Norrie argued. When working in the office, staff may be more cyber-aware than when working from home, with all its distractions.

“The entire public sector needs to be aware that everything they do has to reduce the probability of a successful cyberattack, reduce the total cost of a successful attack when it occurs,” including everything from having cyber-secure policies and an incident response plan to cyber insurance. The goal is to build a cyber-aware culture. “We have to make good cyber behaviour as natural as ‘Look both ways before we cross the street.’”

But CISOs “have to stop slinging fear,” Norrie maintained.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com