To borrow a line from social scientists, “abundant research shows that people who are simply given more information are unlikely to change their beliefs or behavior.” And yet, here we are again, another Cybersecurity Awareness Month: the industry’s Hallmark holiday that promotes spending on cybersecurity training videos, phishing simulators, and free lunches to feed employees a smorgasbord of security education, training, and awareness.
Awareness Isn’t the Issue
But employees are already aware of cybersecurity. Whether it’s the obligatory training they suffer through, the fake phishing traps we send, the steady drip of cyberattacks making headlines, or the family member who was recently scammed online, cybersecurity awareness has never been greater. And yet, it’s made little difference in reducing the volume of successful cyberattacks involving the human element.
It’s time to shift our collective efforts from awareness to actual behaviors. Instead of a month-long campaign, we should focus on creating real-world opportunities for employees to build and flex their cyber judgment muscle memory all year long.
Consider the 15-year-old pursuing that coveted freedom of a driver’s license. With an outsized motivation to learn, they start in a classroom, absorbing everything they possibly can about driving, observing adults driving, and passing a written test to obtain a permit. But, that first time behind the wheel, a new learning curve begins — one with higher, real-world stakes. It ultimately takes months of practice, driving in all sorts of conditions, to prepare someone to drive safely on their own.
Why assume cybersecurity is any different?
Training Isn’t the Answer
The universal approach to addressing the human element of cybersecurity has been to “train” employees to deal with whatever threat du jour occupies our attention. Training is preventative, theoretical, and out of context: a memo, a webinar, a campy click-through video with a quiz — all in hopes that an employee will remember exactly what they are supposed to do should a similar situation arise in some unknown future. This is not how we learn in any other context, but for some reason, we continue to pursue this failed approach in cybersecurity. Why? To check a box in a compliance audit?
To create true, lasting security behavior change, we must put our employees behind the wheel on the open Internet superhighway. This seems hard and scary, I know. But it doesn’t have to be. Small, simple changes in how we engage employees and intervene with cybersecurity information can have an outsized impact.
For example, instead of arbitrarily “training” employees in October to use multifactor authentication (MFA) on all of their accounts and hoping they’ll remember to do so when they sign up for a new generative AI tool in July, that message should arrive at the moment they create a new account, while they’re in the right context. With additional bits of information, such as the benefits of using MFA or preempting questions or doubts, we can further encourage the desired behavior and thus, desired security outcomes.
It’s Time to Take the Next Step
We have reached a collective fever pitch of cybersecurity awareness. We don’t need more of the same this month. It’s time to take the next step toward implementing repeatable, real-world practice that ingrains positive habits and security behaviors. By leveraging our modern understanding of neuropsychology and behavioral science, lessons learned from other industries and disciplines, and emerging human-centered cybersecurity technologies, we can make cybersecurity understanding a reality today and every day.