Why does security awareness fail?

By Andrew Walls, Gartner Inc.

A small avalanche of data from various sources (including Gartner) confirms what many of us in the cybersecurity world have believed for years: security awareness doesn’t work. I suspect that this will not come as a surprise to anyone who works in security as it is routine for employees to prioritise pretty much anything else over security when a conflict arises.

What is going on here? Why has the steady drumbeat of training and phishing simulations not produced effective cyberjudgement in our employees?

A few issues are obvious to me, some of which might make security people a bit uncomfortable.

1- Cybersecurity professionals are not experts in training design, development, training product selection or implementation. Fundamentally, making the security team responsible for selecting, developing, administering and measuring a training program pushes them into a state of incompetence. Most people in cybersecurity got there by being really good with computers, not by being good with people. The design and administration of effective training is a specialist discipline. Assuming that such expertise is not needed to get good results from training investments is both arrogant and foolhardy.

2- Despite decades of pushing ‘alignment with the business,’ the security team remains alienated and separate from the rest of the enterprise and, the truth is, we like it that way. There are myriad historical reasons for this alienation, but the foundation is that security seeks to limit the flexibility of the enterprise while the enterprise wants to be infinitely agile and responsive to the market. Security assures the predictable operation of systems and processes. Unbridled innovation makes for unpredictable outcomes. This foundational tension leads to frustrations on both sides and, at times, clear condescension and paternalistic behaviour from all parties. This pops up in our language. Why do we call ‘them’ users? Why do we say people are the weakest link in the security chain? The end result is that we do not have a deep commitment to enabling employees to become competent at security because we do not think they are capable of doing so. As a result, employees consistently rise to our level of expectations and engage in high-risk behaviour. No amount of training will overcome this kind of social alienation.

3- Policies and regulations have mostly defined the frequency of training interventions (e.g. annual) and not the achievement of measurable competence in trainees. We would never tolerate this in a standard or policy for security technology. Any policy that said, ‘you must have a firewall’ and lacked a focus on the functional outcomes expected of a well-managed firewall would be rejected. This sort of policy or regulatory statement implicitly devalues training as a solution to poor security behaviour. If behaviour is important, policy should target measurement and improvement/maintenance of behaviour without specifying how behaviour change and maintenance are achieved. If your internal policy states that everyone must be trained a certain number of times in a year, it is perpetuating the problem.

4- If security is so important to the enterprise, why isn’t it built into every manager’s and employee’s performance metrics? Few managers look for opportunities to take responsibility for the security behaviour of their teams, work processes and infrastructure. They know that this is a difficult area of endeavour and would prefer that that responsibility is allocated somewhere else. The CISO and their team are a convenient repository for these responsibilities even though management of employee and management behaviour is nominally the responsibility of team managers in the business. Somehow the security team is expected to manage the day-to-day behaviour of all employees with or without the support of the management team over those employees. This leads inevitably to conflicts and employees generally do what they are rewarded to do by their manager. Security issues are left for the security team to clean up. Employees are not fools. They recognise that business performance is more important to their personal success than performance against seemingly arbitrary and mostly irrelevant security metrics. As a result, they pay little attention to security awareness training and make little attempt to internalise the messages contained in the training, particularly if those messages conflict with or inhibit their ability to meet their personal performance targets.

Many people recognise these issues with security awareness and are exploring ways to step past these cultural and social challenges to create a truly security-conscious enterprise. Much of this work focuses on creating and maintaining an effective security culture throughout the enterprise. This is a great idea and could be transformative for enterprises; however, culture change is not a plaster you can slap on top of a dysfunctional relationship between the security team and the enterprise. The four issues mentioned in this blog need to be addressed and resolved in order to drive and sustain culture change. This means that the security team itself must change in attitude and behaviour and the executive management team of the enterprise needs to be an active supporter and champion of this change.