Previously, I’ve written on the importance of understanding cybersecurity as an organization-wide process. Cybersecurity awareness professionals are acutely aware that, to improve the security posture of an organization, one must involve many stakeholders, e.g., management, HR, IT, legal, and compliance. Higher education is making important strides in improving cybersecurity readiness, but much is yet to be done (as I mentioned here).
A recently published paper by the University of Edinburgh offers insights into how security awareness is managed at higher education institutions [1]. It provides rich insights and a great opportunity to discuss important concepts for building a sustainable security culture. The authors analyze 270 help desk phishing tickets collected over the course of nine months to understand how users engage with phishing emails and, crucially, when and how they report them.
Basics of Security Awareness and Behavior
Security awareness programs aim to empower people to make better security decisions. They address the human factor in security through a range of methods, tools, and processes that are geared toward supporting humans. Well-thought-out programs acknowledge that erring is human, and that we are far from perfectly functioning decision-making machines. Although the human brain is now better understood by neuroscientists than ever, we are far from fully understanding the intricate processes of human decision-making. A solid foundational understanding, however, acknowledges personal characteristics such as skills, knowledge, and attitude as well as environmental factors such as social norms and expectations. Behavior is subject to these influences.
Security awareness professionals do well to manage the expectations and emotions of all people attending, because these factors influence behavior. The behavioral scientist BJ Fogg lists three elements that must converge for behavior to occur: motivation, ability, and a prompt. A difficult task therefore requires a higher degree of motivation and a good prompt. An easier task can be carried out with a lesser degree of motivation and an appropriate prompt. It is also important to realize that motivation is influenced by emotion. If we feel good about a certain behavior, we are more likely to repeat that behavior: the emotion increases our intrinsic motivation.
Note: The influence of emotion on behavior is well-studied across different fields. Beyond the scope of the research paper at hand, Social Cognitive Theory, the Theory of Planned Behavior, and further theories from psychology, behavioral economics, and information systems share a notion of emotional, normative, and/or moral influence on decision-making.
Key Insights into Security Awareness at Higher Education
Building habits of reporting
The study reveals the use of reporting channels to engage with the security team. Employees provide evidence and observations, sometimes even elaborating on potential impacts. Some take a report as a knowledge test, stating why they think reporting is important.
Both engagement and communication are essential elements of a well-rounded awareness program. Security awareness professionals must always keep communication channels open to engage with users. The reports show a great interest and desire to provide the information security team with data, which is evidence of a growing security culture.
Shaping a culture of learning
The research and theory behind the concept of self-efficacy tell us that a positive learning environment is crucial to motivating and facilitating behavior. Establishing a culture of practicing, failing, and learning is a key element of continuous improvement. Without it, fear and doubt might dominate an emotional landscape that leads to inaction, a lack of engagement, and, in the worst case, to working around security policies and tools.
This is evident in the participants’ behavior reported in the paper. Employees do not want to be seen as paranoid and tailor their language when reporting emails accordingly – in the worst case, users might avoid reporting altogether. To foster a positive environment, employees should be encouraged through feedback on their reports. Positive feedback increases self-efficacy. Mechanisms to provide positive feedback must be integrated with reporting processes.
Providing contextual and timely feedback
Another critical point raised by the researchers is the efficacy of phishing simulations. If not implemented thoughtfully, the lack of contextual feedback can hinder rather than help the building of self-efficacy. When employees fail a test, it must be revealed to them which red flags and other signs they have missed. Equally, when a phishing simulation is reported correctly, there should be a mechanism that gives users feedback on whether they have spotted all red flags and understood their significance. This is crucial, as the authors remark, also to leverage an employee’s unique contextual understanding of their inbox, i.e. the knowledge of when to expect which email from whom and in what style.
The researchers make further suggestions that are essential to facilitate learning. Phishing simulations should encourage user reporting to foster a culture of engagement. This goes along with an IT security team’s ability to process a large volume of reported phishing emails, both genuinely malicious and simulated. Thousands of emails must be processed per day.
Chances for Computer-Based Security Awareness Training
These key insights support thoughtful recommendations to improve security awareness programs.
- Encouraging phishing reporting – Reporting phish is a learning opportunity. Organizations ought to use reports as a conversation starter, providing feedback and advice. Users should not hesitate to report any email. Tools allow information security teams to stay on top of thousands of reported suspicious emails by leveraging machine learning and automation, so the flood of alleged and real phishing email need not be a challenge for the information security team. Of course, it would be great to share intelligence gathered this way with a larger number of customers.
- Increasing engagement and trust through individual reporting – Chat bots are one method to increase individualized interaction at scale. Organizations increase trust in their security by providing individualized feedback and avoiding judgmental language. Large language models and other AI tools and techniques can help provide personalized interactions and also make reports more digestible.
- Reassuring users – At the very least, users must get a confirmation that their report was received. Ideally, this would involve a brief, personalized interaction in which open questions can be addressed. A more interactive communication is a possible next step, one that also allows users to talk openly and freely about their observations.
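The feedback mechanism the researchers ask for (confirm every report, tell the reporter which red flags they spotted and which they missed, and never use judgmental language) can be wired directly into the help-desk intake. The following is an added example, not code from the post or the paper: it assumes a help-desk integration that hands over each report as a dictionary with the reporter, the message-id of the reported email, and the reporter's free text, and a hypothetical catalogue mapping simulated emails to the red flags planted in them. All tickets, message-ids and phrase patterns are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical catalogue of simulated emails: the red flags planted in each,
# keyed by the message-id the simulation tool assigned (constructed values).
SIMULATIONS = {
    "<sim-2023-02-001@example.test>": [
        "mismatched sender domain",
        "urgent deadline",
        "link text differs from target URL",
    ],
}

# How reporters tend to describe each red flag in free text. Constructed for
# this example; in practice the patterns are tuned on the organisation's own tickets.
RED_FLAG_PATTERNS = {
    "mismatched sender domain": r"sender|from address|domain|look-?alike",
    "urgent deadline": r"urgen|deadline|immediately|\d+ hours",
    "link text differs from target URL": r"\blink\b|url|hover|href",
    "unexpected attachment": r"attach",
}

# "I didn't click" is the most common thing reporters say; capture it so the
# feedback can acknowledge it. A click is never treated as a failure.
NOT_CLICKED = r"(did ?n[o'’]t|have ?n[o'’]t|never) (click|open)"
CLICKED = r"\b(clicked|opened)\b"


@dataclass
class Feedback:
    reporter: str
    simulated: bool
    spotted: list
    missed: list
    clicked: Optional[bool]   # None: the reporter did not say
    message: str


def detect_click(text: str) -> Optional[bool]:
    lowered = text.lower()
    if re.search(NOT_CLICKED, lowered):
        return False
    if re.search(CLICKED, lowered):
        return True
    return None


def detect_spotted(text: str, flags: list) -> list:
    """Return the planted red flags the reporter mentioned, in catalogue order."""
    lowered = text.lower()
    return [f for f in flags if re.search(RED_FLAG_PATTERNS[f], lowered)]


def compose_message(reporter: str, spotted: list, missed: list, clicked: Optional[bool]) -> str:
    """Non-judgmental feedback: confirm receipt, credit what was seen, point out the rest."""
    parts = [f"Thanks {reporter}, we received your report and you can leave the rest to us.",
             "This one was a training simulation, so nothing reached your account."]
    if spotted:
        parts.append("You noticed: " + "; ".join(spotted) + ".")
    if missed:
        parts.append("Worth a look next time: " + "; ".join(missed) + ".")
    if clicked:
        parts.append("You mentioned opening it; that happens to everyone, and reporting it promptly is exactly right.")
    elif clicked is False:
        parts.append("Not clicking was a good call.")
    parts.append("Reply to this ticket if anything about the email is still unclear.")
    return " ".join(parts)


def triage_report(report: dict, simulations: dict = SIMULATIONS) -> Feedback:
    """Acknowledge every report; add red-flag feedback when it concerns a simulation."""
    reporter, msg_id, text = report["reporter"], report["message_id"], report["text"]
    clicked = detect_click(text)
    if msg_id not in simulations:
        # A real suspicious email: confirm receipt and hand it to the analyst queue.
        ack = (f"Thanks {reporter}, we received your report and are looking into it; "
               "no further action is needed on your side.")
        return Feedback(reporter, False, [], [], clicked, ack)
    flags = simulations[msg_id]
    spotted = detect_spotted(text, flags)
    missed = [f for f in flags if f not in spotted]
    return Feedback(reporter, True, spotted, missed, clicked,
                    compose_message(reporter, spotted, missed, clicked))


# Constructed help-desk tickets in the shape the integration above assumes.
SAMPLE_REPORTS = [
    {"reporter": "Alex", "message_id": "<sim-2023-02-001@example.test>",
     "text": "Got an email saying my password expires within 24 hours. "
             "The sender domain looked off and I didn't click anything."},
    {"reporter": "Sam", "message_id": "<unknown-7731@example.test>",
     "text": "Is this invoice genuine? I opened the attachment before I got suspicious."},
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(triage_report(r).message)
```

The pattern matching is deliberately simple; its job is to give the reporter a prompt, specific reply rather than to grade them. The two behaviours the post calls for are visible in the two branches: a real email gets an immediate, unconditional acknowledgment, while a simulation gets feedback that credits what the reporter saw before mentioning what they missed, and treats "I opened it" as useful information rather than a mistake.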
The Need for Emotional Safety and Empathy
The researchers found that the security awareness program they studied lacked an emotional component. This means there is a need for emotional safety and empathy to create a safe space for learning and development. Where this is lacking, users are particularly vulnerable to the deceptions and exploits of attackers that play on emotional insecurity.
I could not agree more. We frequently observe that environments in which employees actively and openly discuss issues of social engineering and phishing are less vulnerable to cybersecurity threats. A good security culture is also characterized by an environment in which people can find help to reflect on their motivations behind clicking on phishing email. Proactive engagement with security awareness programs is a sign of a good security culture, and this culture is necessary to sustain efforts in reducing the risk of human behavior being party to a successful cyberattack.
Organizations do well to position trust, transparency, and accountability as the north stars of their security awareness programs. These create an environment in which people can exercise compassion towards themselves and towards others. Moments of introspection and reflection help people understand their own biases and triggers, and contribute to increasing the security posture of an organization.
[1] Pilavakis, N., Jenkins, A., Kökciyan, N., & Vaniea, K. (2023, February). “I didn’t click”: What users say when reporting phishing. In Symposium on Usable Security and Privacy (USEC) 2023 (pp. 1-13). The Internet Society.