What is punitive Security Awareness Training?
Security awareness training (SAT) programs have traditionally taken a tough-love approach. Protecting people from clicking the wrong thing in an email--and thereby opening a Thanos-sized portal to a data breach apocalypse--meant punishing them into compliance.
The SAT approach thus humiliated employees with booby prizes like rubber chickens, punished them with extra training, sentenced them to phishing prison, or even terminated them for failing a phishing simulation. This needs to change.
Why is positive security awareness training more effective than punitive?
Behavioral science and behavior design models like B.J. Fogg's show that the carrot beats the stick. A positive, reward-based cybersecurity training program builds skills and reduces risk even at enterprise scale; the stick just keeps beating the dead horse of low engagement.
Just ask the CSO50 award-winning team at AES. The Fortune 500 energy company boosted engagement from around 10% to 60-70% in a few months when they went with a gamified, reward-based phishing training platform.
The problem with the punitive SAT model is revealed in its KPIs. Phishing simulation failure rates are the be-all-end-all of old-school SAT programs. The idea is to shrink the click rate as low as possible to show that people wouldn't fall for a real attack. Fear of failure is the motivating force.
This is a fundamentally flawed approach. Punitive SAT only issues training when it's cloaked within a reprimand after someone fails a phishing simulation. This means you're only educating a tiny portion of your employees. You're also just making them hate cybersecurity and the team who's forcing it on them.
If people don't feel comfortable with security, they'll be afraid to report a real attack and a bad click. But reporting a suspicious email dramatically speeds up the process of vaporizing it from the system or containing the damage of a click. Speed is essential in incident response.
Focusing on failure leads to failure.
Rewarding employees for recognizing and reporting phishing simulations--and detecting real phishing attacks--increases their motivation and engagement. More engagement in more training translates to an upskilled employee.
A workforce that is engaged in security training experiences behavior change and cultural transformation. And that's the key: behavior change. It shows up not just in lower click rates but, more importantly, in higher reporting rates, lower dwell time (the time between an attack email landing in an inbox and its being reported), and more real threats detected. Security behavior becomes an organizational habit.
Here are the core elements of an engaging, rewarding security behavior change program that reduces human cyber-risk.
- Frequency: phishing simulations are typically sent once per quarter. Simulations should be sent at least once a month; Hoxhunt can deliver 36 per year, automatically, at varying intervals to keep phishing front-of-mind and build skills.
- Engagement: This is the fundamental training metric to track, not failure. If people are engaged, they are learning about the most recent attacks and what to do when they see one. With an engaged workforce participating with dozens of simulations per year, you have an incredibly powerful insight into your human risk profile.
- Success: Build your phishing training around the behavior that you are trying to monitor, manage, and improve: threat reporting! Reward users with every successful simulated threat report. Leading with success breeds success.
- Real threat detection: Here is where we see the real-world impact of training on reducing human cyber-risk. SAT platforms can't track or reward real threat detection. But a modern Human Risk Management Platform can.
- Content difficulty: one-size-fits-all is code for no one actually learns anything in cybersecurity training. The content needs to be personalized to the individual, and dynamic with the threat landscape. It needs to get harder as the user gets better. You can easily fabricate a low simulation failure rate with overly easy phishing simulations.
- Personalization: The right content for the right employee at the right time. This describes an AI-enabled adaptive learning model that adjusts training to users' needs as they change over time.
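To make the metric shift concrete, here is an added Python example (not Hoxhunt code, and not from the original page) that computes the KPIs the list above favors from a constructed simulation event log: click rate, report rate, engagement rate, the number of users who clicked and then reported (the behavior the reporting-culture argument depends on), and median dwell time. It also steps each user's difficulty up after a report and down after a click, as the "Content difficulty" and "Personalization" items describe. The event format, the five-step difficulty ladder, the definition of "engaged" as "took any action", and the rule that a click outranks a later report when stepping difficulty are all assumptions made for this illustration.

```python
"""Phishing-simulation KPIs from an event log (added example, not Hoxhunt code).

Event format, the five-step difficulty ladder, "engaged" = took any action,
and the rule that a click outranks a later report when stepping difficulty
are all assumptions made for this illustration.
"""
from datetime import datetime
from statistics import median

# Constructed sample log: (user, simulation, event, ISO timestamp).
# sim-1 is a mid-difficulty lure. sim-2 is a trivially easy one that
# everybody ignored; it looks "perfect" if you only track click rate.
SAMPLE_EVENTS = [
    ("alice", "sim-1", "sent",     "2024-03-04T09:00:00"),
    ("alice", "sim-1", "reported", "2024-03-04T09:07:00"),
    ("bob",   "sim-1", "sent",     "2024-03-04T09:00:00"),
    ("bob",   "sim-1", "clicked",  "2024-03-04T09:30:00"),
    ("bob",   "sim-1", "reported", "2024-03-04T09:31:00"),  # bad click, then reported
    ("carol", "sim-1", "sent",     "2024-03-04T09:00:00"),  # never acts
    ("dave",  "sim-1", "sent",     "2024-03-04T09:00:00"),
    ("dave",  "sim-1", "clicked",  "2024-03-05T11:00:00"),
    ("alice", "sim-2", "sent",     "2024-03-18T09:00:00"),
    ("bob",   "sim-2", "sent",     "2024-03-18T09:00:00"),
    ("carol", "sim-2", "sent",     "2024-03-18T09:00:00"),
    ("dave",  "sim-2", "sent",     "2024-03-18T09:00:00"),
]


def first_events(events):
    """Earliest timestamp for each (user, simulation, event) triple."""
    first = {}
    for user, sim, ev, ts in events:
        t = datetime.fromisoformat(ts)
        key = (user, sim, ev)
        if key not in first or t < first[key]:
            first[key] = t
    return first


def summarize(events):
    """Per-simulation KPIs: click rate, report rate, engagement, dwell time."""
    first = first_events(events)
    out = {}
    for sim in sorted({s for _, s, _, _ in events}):
        recipients = {u for (u, s, e) in first if s == sim and e == "sent"}
        clicked = {u for u in recipients if (u, sim, "clicked") in first}
        reported = {u for u in recipients if (u, sim, "reported") in first}
        engaged = clicked | reported  # assumption: any action counts as engagement
        # Dwell time: minutes from delivery to the user's first report.
        dwell = [(first[(u, sim, "reported")] - first[(u, sim, "sent")]).total_seconds() / 60
                 for u in reported]
        n = len(recipients)
        out[sim] = {
            "sent": n,
            "click_rate": len(clicked) / n,
            "report_rate": len(reported) / n,
            "engagement_rate": len(engaged) / n,
            "click_then_report": len(clicked & reported),
            "median_dwell_minutes": median(dwell) if dwell else None,
        }
    return out


MIN_LEVEL, MAX_LEVEL = 1, 5  # assumed difficulty ladder


def user_outcome(first, user, sim):
    """'clicked' outranks 'reported': the click is what training must remove."""
    if (user, sim, "clicked") in first:
        return "clicked"
    if (user, sim, "reported") in first:
        return "reported"
    return "ignored"


def next_level(level, outcome):
    """Harder after a report, easier after a click, unchanged if ignored."""
    if outcome == "reported":
        return min(level + 1, MAX_LEVEL)
    if outcome == "clicked":
        return max(level - 1, MIN_LEVEL)
    return level


def plan_next_round(events, sim, levels):
    """Map each user in `levels` to their difficulty for the round after `sim`."""
    first = first_events(events)
    return {u: next_level(lvl, user_outcome(first, u, sim)) for u, lvl in levels.items()}


if __name__ == "__main__":
    for sim, kpi in summarize(SAMPLE_EVENTS).items():
        print(sim, kpi)
    print(plan_next_round(SAMPLE_EVENTS, "sim-1", {"alice": 3, "bob": 3, "carol": 3, "dave": 3}))
```

Run against the constructed log, sim-1 shows a 50% click rate but also a 50% report rate, 75% engagement and a 19-minute median dwell time, while sim-2 scores a "perfect" 0% click rate with 0% reports and 0% engagement, which is exactly the fabricated success the "Content difficulty" item warns about. The difficulty planner then moves alice up a level and bob and dave down one, leaving carol, who ignored the lure, where she was.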
Do punitive SAT programs work?
Punitive SAT programs don't appear to be working. As Ryan Wright and Jason Bennett Thatcher wrote in their Harvard Business Review article, “Phishing Tests Are Necessary. But They Don’t Need to be Evil,” employees view punitive training as unfair, unethical, and unjust. Companies’ focus on awareness training, they concluded, should instead be on empowering employees rather than disenfranchising them.
Otherwise, they said, security teams come to be seen as “agents of harm, which, in turn, evoke feelings of betrayal by the organization.” Most importantly?
One-size-fits-all punitive training results in low employee engagement and poorer outcomes. Security awareness leaders know that reaching employees is key for ongoing awareness and behavior change. More and more CISOs are thus rethinking the negative approach to cybersecurity awareness training and opting for carrots over sticks.
The security team at G2, the world's leading software review site, took the positive approach and described it as "seeing the light."
“We’ve taken that classic traditional methodology of doing security training–where it can be very punitive, and we’re punishing the users for messing up or breaking the rules–and I would say we’ve seen the light,” said Garrett Cook who, along with Michael Barone, built positive experience into the cybersecurity culture at G2. “We’ve seen what’s possible if you make the experience for the user engaging and interesting, and make them a participant and not just a recipient. That really helps with engagement, and it drives trust in the security team, which I think is very important.”
A Jan. 2021 Forrester report, “How To Manage The Human Risk in Cybersecurity,” stressed a hearts-and-minds approach to cybersecurity. In addition to creating a positive experience around cybersecurity training, the Forrester report emphasized behavior change over awareness. Too often, the authors said, security programs dwell on passing awareness tests at the cost of achieving real risk-reducing awareness and behaviors.
“Traditional approaches to security communication are limited to perfunctory one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely effect long-term behavioral change,” states the report.
Traditional training is not just a culture killer. As Verizon’s 2021 Data Breach Investigations Report indicated, it also obscures an organization’s true risk of a breach.
"Additionally, real phishing may be even more compelling than simulations. In a sample of 1,148 people who received real and simulated phishes, none of them clicked the simulated phish, but 2.5% clicked the real phishing email.” --DBIR 2021
The DBIR continued:
“Verizon Media believes the simulations and training offered by most security education teams do not mimic real life situations, do not parallel the behaviors that lead to breaches, and are not measured against real attacks the organization receives. This is why it is important to progress from the traditional security awareness model to that of using behavioral science to change the habits that lead to attack path breaking actions.”
To achieve sustainable behavior change, the Forrester researchers, meanwhile, recommended building a "human-centric" security program: one designed to make people enthusiastic about their personal cybersafety and that of their employer. The report put it this way:
“Unless people feel positive about the topic of security, the capabilities of your team, and you as a leader, you will struggle to get them to truly buy into the need for security,” stated the Forrester report. It continued, “Choosing transformative initiatives that engage hearts and minds ensures that your stakeholders are not only aware of security but understand why it’s important. Without creating a connection, no amount of training will change their behavior for the long term.”
The evolving threat landscape demands an adaptive and engaging training solution people actually like
Verizon’s 2021 Data Breach Investigations Report found that attacks and breaches were climbing across the board, and that 85% of breaches involved a human element (other estimates usually put this figure between 90% and 95%). Of these breaches, phishing was present in 36%, up from 25% the year before.
The DBIR noted that phishing attacks are the fastest attack vector for hackers to compromise a system, be it from following a link to a credential harvesting site, downloading a malware-infested .pdf, or engaging in a business email compromise (BEC) impersonation scam.
People are often not equipped to respond to attacks in an increasingly hazardous threat landscape. Advanced technologies like AI, along with organized and state-sponsored cybercrime, are accelerating changes in the threat landscape, as MIT Technology Review reported in “An innovation war: Cybersecurity vs. cybercrime.” AI and deepfake technologies, for instance, are making attack emails increasingly indistinguishable from legitimate communications.
Meanwhile, business is booming for cybercrime-as-a-service; easily downloadable phishing kits are democratizing email attacks by matching technical sophistication with the criminal intent of anyone, anywhere.
Moreover, the DBIR reported a doubling of breach incidents in 2021 via ransomware, 23% of which came by email and 30% by credential compromise. Ransomware became infamous in the May 2021 Colonial Pipeline attack by the organized cybercrime gang DarkSide, described by the New York Times in May 2021 as embodying the new ‘ransomware as a service’ illicit business model.
The New Yorker, meanwhile, described in May 2021 the explosion of the global ransomware economy as an outgrowth of organized kidnapping-for-ransom schemes. This all points to a mushrooming threat landscape fertilized with bitcoin. Awareness training needs to adapt, lest more people get snagged by newer, scarier cyber scams.
Positive cybersecurity culture and the human firewall
No security filter will ever stop every phishing email from slipping through to employee inboxes. Petri Kuivala, former CISO of Nokia and NXP, told us that the sheer volume of attacks on large corporations meant thousands of email attacks still landed in employee inboxes daily even after 99.99% of attacks had been caught by the technical layer. At that point, it’s up to people to respond correctly.
But it’s up to the information security team to empower people with knowledge and reporting tools. According to the Forrester report, that means rebranding the infosec team’s image as enablers in order to effect widespread culture change.
“The biggest obstacle to security leaders’ efforts today is the image of security itself. The nonsecurity workforce sees the security team as hoodie-wearing basement-dwellers and punishers who enforce policies that make everyone else’s workday more difficult — so it’s no surprise that security policies and initiatives meet resistance. Organizations must rebrand security as a business enabler instead of a business nuisance so that employees are more receptive to security policies and can protect their business, themselves, and their families."
Positive experience, engagement, and habit change
The best way to break bad habits is to replace the bad behavior with good ones. With smokers, it can be about replacing cigarettes with chewing gum and exercise. And in the cybersecurity context, it’s about hitting the report button instead of clicking a dangerous link.
But to make threat reporting a habit, users must be nurtured along a positive, individual learning path. Writing in CEO World, George Finney, Chief Security Officer at Southern Methodist University and author of “Well Aware,” urged business leaders to not only know what and where their crown jewels are, but to recognize that their employees are the crown that holds those jewels.
“I did hundreds of interviews with CEOs, lawyers, accountants, and other executives to find successful leaders who’ve made a difference in cybersecurity so that we can follow their examples,” wrote Finney. “And what I found was that you don’t need to be a cyber expert to make a difference in security. The best organizations when it comes to cybersecurity are the ones that don’t use fear to enforce their culture. The ones that were most successful used positive messages and had empathy for their employees, which helped everyone make a difference.”
Building positive experience into cybersecurity culture
For Garrett Cook and Michael Barone, the cybersecurity architects at G2, it came down to practicing security as their cultural values preached: with positive user experience. The IT veterans had needed to stay nimble and work fast to construct the security systems of G2 throughout its rocket-propelled growth.
But in 2020, with the perimeter installed, they began seeing the cultural dimension of security with greater clarity. Being at G2, where positive experience is in the corporate DNA, they turned their own company’s values and software selection wizardry around on themselves to find a new solution.
“When you work in security, you hear all the time that your users are your weakest link,” said Garrett. “But as an infosec leader, if you can make what you do more engaging, more fun, more interesting, they’re more likely to trust us. They’re more likely to respect the requirements… Users are more willing to reach out, ask questions, report suspicious things. Because, frankly, if they’re afraid of you, or they don’t trust you, they’re not going to say anything. And our eyes are not everywhere. We can’t predict– we can’t protect—everything.”
Michael agreed, adding how engagement has increased dramatically since the adoption of Hoxhunt and related reward-based security initiatives. Organizational buy-in has helped elevate the security team’s position at G2.
“We get a lot more positive feedback. Now we get people coming forward and saying, ‘Hey, this is great, we’re engaged, we really enjoy interacting with the tool that you guys are using.’ And it just elevates (and) makes us a little bit more important and it gets more eyes on the importance of information security as a whole.”
If training is not engaging, be it because the material is too hard or too easy or too dry or too irrelevant, it’s effectively reproducing the bla-bla-bla, wah-wah-wah experience of the classroom teacher in the Peanuts cartoons. As Kevin DeLange, CISO of IGT gaming technologies told us, people need to be challenged with real world scenarios all the time in order to build awareness.
But it must be done in a positive way, which encourages their participation. For him, a positive experience built on gamification has been a game-changer.
“Not everybody learns the same way,” he said. “Some people are visual learners, some people are textual learners. You can’t have a comprehensive solution without factoring in different approaches to this. That’s really what I’ve tried to do is to incorporate all those elements to prepare and arm our employees with the right mindset for awareness.”
He continued:
“I always, for better or worse, fall back on the carrot and stick analogy. You want to make this as positive an interaction with the employee as you possibly can. But if an employee fails a test, the fact that Hoxhunt offers that immediate feedback and microtrainings, I think that is a relatively painless stick… Within our company, at least with executive management, I have had really high marks and good feedback from them on the gamification aspect of the Hoxhunt training, which I never would have predicted before.”
Out with the old, in with the new
Petri Kuivala was a visionary of the positive, gamified approach to cybersecurity awareness training. Too often, he said, information security leaders feared new approaches because they’d be exposed to blame for failure. But those who have braved the change have seen highly positive results.
“We haven’t identified any risks of shifting the way we do things to a positive experience approach,” said Garrett Cook. “Frankly, I only see it as pure upside. It really encourages the users to participate, and we’ve seen really strong engagement. Because, frankly, my opinion is there’s no bigger disincentive to participation than if that threat of punishment is always looming over your head. No one’s like… ‘Okay, well, you failed three trainings in the past year and now you’re fired.’ I think that’s just the wrong mindset to have about these sorts of things…I think the only thing that I wish we would have done differently is that we would have done this sooner.”
Read more about cybersecurity training
- The Best Attack Simulations For Your Cybersecurity Training
- A guide to effective phishing training
- Gamification in security awareness training
- The CISO’s Russian Roulette: Not Training Remote Employees
- The Risk Of New Employees And How Security Teams Can Tackle It
- Attackers Personalize Phishing – How About Your Training?