“It’s not the end of the world. If something happens, it happens.”

These were comments made by an ‘average technology user’ in research carried out by the National Institute of Standards and Technology (NIST) in the US. They assessed perceptions and beliefs about cybersecurity and online privacy, and identified that people are increasingly desensitized to constant reminders about cyber risks.

“People are increasingly desensitized to reminders about cyber risks.”

The quote highlights the difficulties we face in moving beyond the frustration, weariness and ‘security fatigue’ many of us feel from the bombardment of messages about the dangers lurking online. We’re tired of being told the sky is falling down. But the risk of cyber-attack remains real and relentless – and the reality is that cyber attackers often find it easier to communicate with, engage and influence the behaviours of our staff than we do. So, a new approach is required to engage all of us in making the right decisions at the right time in response to a range of different and changing cyber risks, whether you sit in the boardroom or on the front desk.

“Cyber attackers often find it easier to engage our staff than we do.”

The NIST research found that many of us often feel out of control or resigned to do nothing in regards to online security.

Now take these attitudes into the workplace and organizations are faced with a real dilemma. While many forward-thinking organizations already recognize the need to provide information security training to all staff, how can this be delivered in a way that overcomes the apathy identified in the NIST study? How can we ensure that Information Security training for non-technical staff really engages them to change behaviours and doesn’t just ‘tick the box’? Especially when we know that 90% of all successful cyber-attacks have succeeded through human error.

“We know that 90% of all successful cyber-attacks succeed through human error.”

For me, there are five key lessons for effective Information Security training:

Storytelling



Stories spark emotions. An emotional response can help drive curiosity and action about subjects we previously thought dull and irrelevant. Stories help to explain the complex and the confusing in new, insightful ways. They can help make people care. The most successful marketing campaigns have a compelling story at the centre of them. Stories have the power to communicate consequences and relevance to audiences. We listen to compelling stories and we empathize – we imagine how this could be happening to us or to people and groups we know and care about. Stories can be shared, can inspire and involve.



Combine great storytelling with the delivery techniques we now have at our disposal – games, animations, video, simulations – and we have the ability to make a real difference to the way we change behaviours for the better.



Stories spark emotions. An emotional response can help drive curiosity and action about subjects we previously thought dull and irrelevant. Stories help to explain the complex and the confusing in new, insightful ways. They can help make people care. The most successful marketing campaigns have a compelling story at the centre of them. Stories have the power to communicate consequences and relevance to audiences. We listen to compelling stories and we empathize – we imagine how this could be happening to us or to people and groups we know and care about. Stories can be shared, can inspire and involve. Combine great storytelling with the delivery techniques we now have at our disposal – games, animations, video, simulations – and we have the ability to make a real difference to the way we change behaviours for the better. Leadership



People need to hear from their leaders. Information security is a business risk and leadership teams have a vital responsibility to show their commitment and dedication to leading the way in protecting what’s most precious and valuable to them. The goal is to be able to say “it’s the way we do things around here”. The active and continued involvement of leaders - being seen and heard - in their organizations’ Information Security training will be time well spent. Critically, leaders must also appreciate that they’re far from immune to attack themselves.



People need to hear from their leaders. Information security is a business risk and leadership teams have a vital responsibility to show their commitment and dedication to leading the way in protecting what’s most precious and valuable to them. The goal is to be able to say “it’s the way we do things around here”. The active and continued involvement of leaders - being seen and heard - in their organizations’ Information Security training will be time well spent. Critically, leaders must also appreciate that they’re far from immune to attack themselves. Language



Keep it simple. I’m an ‘average user’ of technology and the majority of our employees fall into the same group. In asking for my support and interest in Information Security you must talk to me in a language I understand. Research in 2016 highlighted that 36% of UK adults said they could not confidently define what a phishing attack is. We need to understand what our target audience does and doesn’t know before deciding how we communicate with them.



“36% of UK adults could not define a phishing attack.”



We have to design and deliver learning that our people can relate to. Using plain English to explain threats like phishing and providing simple, practical guidance is essential.



Keep it simple. I’m an ‘average user’ of technology and the majority of our employees fall into the same group. In asking for my support and interest in Information Security you must talk to me in a language I understand. Research in 2016 highlighted that 36% of UK adults said they could not confidently define what a phishing attack is. We need to understand what our target audience does and doesn’t know before deciding how we communicate with them. “36% of UK adults could not define a phishing attack.” We have to design and deliver learning that our people can relate to. Using plain English to explain threats like phishing and providing simple, practical guidance is essential. Frequency and Timing



Changing behaviours takes time. We need active, engaging online learning that adapts to changing threats delivered on a regular, consistent basis. We have found that refreshers, assessments and competition all work well in keeping our people engaged and interested. Diagnostics also helps to provide choice and options in developing targeted, relevant learning at the right time to the right people. This targeted, drip-drip approach can help prevent ‘security fatigue’ and encourage better decision-making.



Changing behaviours takes time. We need active, engaging online learning that adapts to changing threats delivered on a regular, consistent basis. We have found that refreshers, assessments and competition all work well in keeping our people engaged and interested. Diagnostics also helps to provide choice and options in developing targeted, relevant learning at the right time to the right people. This targeted, drip-drip approach can help prevent ‘security fatigue’ and encourage better decision-making. Culture and Incentives



Develop the right culture. This is one area where I believe we need a real focus. We need a culture from top to bottom that rewards ideas and learns positively from mistakes. I sometimes see working environments that do not encourage or reward people for ‘putting their hand up’ – indeed I’ve often seen those hands being slapped down if anyone admits to making a mistake or suggests an alternative way of doing things.



“We need a culture that rewards ideas and learns positively from mistakes.”

By adopting these key lessons, I see innovative and engaging Information Security training helping organizations to really embed and sustain better behaviours. Our own RESILIA™ Awareness Learning provides first-hand evidence of the power of online learning to embed a more resilient security culture.



Images from AXELOS' RESILIA Awareness Learning

The importance of Health and Safety at work is now widely understood and accepted to help protect organizations and their people. We now need to effect the same change in our approach to Information Security training. Otherwise too many more organizations will be forced to explain why they’ve been breached to the world’s media.

Visit axelos.com/resilia-infosec-conundrum to find out more and request an RESILIA™ Awareness Learning demo.

Read the second post in this series, You don't know how important your reputation is until it's gone.

Read more AXELOS Blog Posts from Nick Wilding

Did you know you were a whale?

Cyber resilience: How important is your reputation? How effective are your people?

21st century cyber awareness for a 21st century threat

A cyber resilience Q&A with Karoliina Ainge, head of Estonian cyber security policy - Part 2

A cyber resilience Q&A with Karoliina Ainge, head of Estonian cyber security policy - Part 1

Cyber Resilience: it’s all about behaviours - Digital Leaders Conference presentation

Cyber Resilience: it’s all about behaviour, not bits and bytes

Cyber Resilience: We need to TalkTalk

Cyber Resilience: developing a new language for all

Looking for Business Leaders in the Cyber Resilience Race