It’s time to shift the mindset of cybersecurity awareness and challenge the traditional fear-based approach to training people. That was the message from a recent webinar that BH Consulting founder and CEO Brian Honan delivered for Géant, which provides networks and services to the research and education sector in Europe.

In the webinar, Brian talked about moving ‘beyond fear’ to develop new awareness models that empower users, as this leads to more sustainable and effective cybersecurity behaviour. Géant has published the full video of the webinar on its YouTube channel which is free to watch, and this blog sums up the main talking points from Brian’s presentation.

Brian referred to the Verizon Data Breach Investigations Report that’s considered a leading source of information for the security community. A common thread through all the years of the report has been the human element in cybersecurity incidents. “Over two-thirds of all breaches were down to some element of human interaction,” Brian said.

Moving beyond the fear factor

Part of the problem is how the industry has traditionally talked about, and taught, cybersecurity awareness. Brian said fear tactics, and commands like ‘don’t do this’ have been common. A classic piece of security advice is to tell people: don’t click on links or attachments in emails that they’re not expecting. Brian pointed out that this is impractical: by definition, many jobs – like someone working in human resources who processes CVs – involve clicking on links and attachments. Others might need to share information with partners or suppliers, which can often involve transferring large files with file sharing websites. Sometimes that will involve working with colleagues or collaborators that people aren’t expecting to hear from.

A theme of Brian’s talk was the need for security professionals to focus on people. That means:

  • developing awareness programmes with their needs in mind
  • using language that enlightens rather than intimidates
  • building positive relationships and trust.

A focus on people

Cybersecurity and IT professionals can sometimes focus on the data, the computers, and the networks, but not the people behind all that. “Very often, the data we’re protecting is data belonging to individuals. We need to refocus our thoughts on the people. Cybercrime can have real-world impact on individuals,” Brian said.

“We have to make sure people are trained properly in the system they’re using, but that we have to put safeguards in place if they do make mistakes.”

Careful choice of language

One area where security professionals can improve their training is in the language they use. Too often, jargon and technical terms only serve to confuse a non-technical audience. Phishing has opened the door to smishing (phishing via SMS text message), vishing (phishing via voice calls) and quishing (phishing via QR codes). Brian remembered a conversation with his father years ago who asked him to explain what phishing meant. After he did so, the response was beautifully simple. “Oh. You mean a scam.”

“Simple language can get a message across much better than ‘phishing’ or ‘vishing’,” Brian said. “We need to take a step back and try and stop using language that makes everything sound overly complicated, overly scary. Let’s tone the language down and make it understandable… people understand simple language like crime, criminals, and scam. We don’t need to reinvent language to communicate.”

That also extends to terms like “users”. Brian said that teams developing security awareness and training programmes should think of them as colleagues and refer to them using that language.

How not to do phishing training

Phishing training is often seen as a way to measure cybersecurity knowledge in an organisation, by sending a fake email to see if people would respond to it or not. But Brian said sometimes IT teams or security teams have devised phishing training to catch people out, instead of educating them about what to do. Indeed, Brian highlighted that the primary reason security people should use simulated phishing tests is to test how effective the organisation’s email security controls are rather than whether people click on the link. The key metric in simulated phishing tests should not be how many people fell victim to the email but how many people recognised the phishing email and reported it.

He gave some examples of poor training scenarios, including a prominent Irish law firm that sent fake phishing emails to staff during Covid-19. The email was created to look like it was from the Health Service Executive (the Irish national health service), warning the recipient they were a close contact of a confirmed case. Many people working at the firm thought the message was legitimate. This was the wrong approach given the heightened anxiety many people felt during the pandemic, Brian argued. Security teams that seem to want to fool their co-workers or make fun of them are doing their colleagues a disservice. “That’s not going to engender an environment of trust,” he warned.

Scare no more

Scaring people isn’t an effective tactic because it doesn’t take account of people’s emotional states. Brian referred to a survey of 1,200 Britons which found that 62 per cent felt traumatised after experiencing cybercrime.

“Think of someone in your organisation who fell victim to social engineering that led to a breach,” Brian urged. “Be conscious that we are dealing with people… who experience shame, embarrassment, feel ongoing anxiety in using online services… Yet what do we try and do in IT? We try and scare them over again using simulated phishing email. In my opinion, this is like trying to teach someone who’s been mugged and had their money stolen by jumping out in the hallway at them and beating them up and saying ‘now don’t do that again’.”

Rather than punishing risky actions that could affect the organisation’s security, Brian encouraged using positive slogans and humour to influence good behaviour. A road sign to encourage reduced speeds had the tagline: ‘Drive slow and see our city; drive fast and see our jail’.

If the training makes people believe the organisation is at risk if they mistakenly click a link, that’s unfair, Brian argued. He believes it’s wrong to put pressure on people by talking about them as the last line of defence, or the weakest link. “People are busy, they’re busy doing their own job, in accounts or in education or whatever. Their job is not to be a cybersecurity expert, so we do need to take that in mind.”

Driving better security behaviour

Brian drew an analogy with the car industry which developed safety features over years to protect occupants in accidents. He said there’s a need to work with technical teams to re-engineer corporate networks to be more secure and to be more resilient from threats. “We need to focus mindsets to come with a solution to make our systems and those who are using them more secure and safer because it shouldn’t take somebody clicking on a mouse to bring a network down. We need to provide infrastructure that is resilient and robust enough that can survive a catastrophe – or someone clicking a link.”

When a phishing email lands in someone’s inbox, that’s not a sign that the awareness training hasn’t worked. “It’s raising questions to me that: how did it bypass all the filters and all the security measures we have in place?”

When developing training programmes, Brian encouraged using videos that show people how to hover over links to determine if they’re legitimate. Another source of inspiration in creating awareness campaigns is the EU’s cybersecurity agency ENISA, which has free resources to use.
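The ‘hover over the link’ check Brian recommends can also be written down as a rule, which is useful both for explaining to colleagues what they are looking for and for building it into mail filtering so that, as Brian puts it, it doesn’t take one click to bring a network down. The script below is an added example for this post, not code from the webinar or from BH Consulting. It reads the anchors out of an HTML email body and flags any link whose visible text names one host while the href points somewhere else. The sample email and the domains in it are constructed for the example; the registrable-domain helper is a deliberate approximation (a real tool would use the Public Suffix List).

```python
"""Spot the 'hover over the link' mismatch programmatically.

Added example for this blog post; not code from the webinar or from BH
Consulting. It inspects the anchors in an HTML email body and reports links
whose visible text names one host while the href points at another, which
is the same check a person does by hovering over a link before clicking.
The sample email below is constructed for the example and the domains in
it are placeholders, not real sites.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something that looks like a host name in the visible link text,
# with or without a leading http(s):// scheme.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

# Constructed sample: one honest link, one mismatched link, one 'click here'.
SAMPLE_EMAIL = """
<p>Dear colleague,</p>
<p>Please review the updated policy at
<a href="https://intranet.example.org/policy">intranet.example.org/policy</a>.</p>
<p>Your payroll details need confirming:
<a href="https://secure-login.example-verify.net/x">https://payroll.example.org</a></p>
<p>Questions? <a href="https://example.org/help">Click here</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Approximate the registrable domain as the last two labels.

    Assumption for the demo only: this mishandles suffixes such as co.uk;
    a production check should consult the Public Suffix List.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_links(html):
    """Return a list of mismatches: links whose shown host != actual host."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue  # mailto:, tel: etc. are out of scope for this check
        actual_host = target.hostname or ""
        match = HOST_RE.search(text)
        if not match:
            continue  # text like 'Click here' names no host: nothing to compare
        shown_host = match.group(1)
        if registrable(shown_host) != registrable(actual_host):
            findings.append({"shown": shown_host, "actual": actual_host, "href": href})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL):
        print(f"link text says {f['shown']} but points at {f['actual']} ({f['href']})")
```

The ‘Click here’ case is worth pointing out to colleagues: the script cannot compare anything, which is exactly why the hover habit still matters for links whose text gives no clue about the destination.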

When people know how to protect data at work, and are taught how to spot likely scams, it helps prevent security incidents and stops confidential or sensitive data from falling into the wrong hands. Brian believes nurturing a culture of security awareness is some of the best return on investment in cybersecurity that a business can make.

About the Author: Gordon Smith

Gordon Smith is a freelance journalist, copywriter and content consultant based in Ireland. He has covered information security, cyber risk and data privacy in print and online for over two decades, from national media including the Irish Times, Irish Independent, and Business Post, to specialist online news sites and titles including Siliconrepublic.com, TechPro, Help Net Security and the Law Society Gazette. He also hosts the annual IRISSCON conference in Dublin – Ireland’s longest running infosecurity event – and has produced content for a number of security industry organisations and business groups.
