
Organizational Security Awareness: Deconstructing Drivers, Goals, and Challenges Faced by Security Awareness Managers


Core Concepts
Security awareness activities in organizations are driven by a range of factors beyond just improving employee security behaviors, including regulatory compliance, organizational politics, and resource constraints. Security awareness managers struggle to define success and often focus on employee engagement rather than measurable security improvements.
Abstract
The study explores the perspectives and experiences of 15 security awareness managers (SAMs) from large European organizations. Key findings include:
Security awareness activities are diverse, including e-learning, phishing simulations, in-person events, and communication campaigns.
The selection of topics and approaches is influenced by organizational policies, technical teams, regulators, and vendors.
The primary goals of security awareness, as perceived by the SAMs, are to increase employee engagement and the visibility of security, rather than to directly improve security behaviors.
Success is measured by metrics like training completion rates and positive feedback, rather than by changes in actual security practices.
SAMs face challenges in aligning their work with the expectations of technical security teams, who may override awareness strategies.
There is also a tension between making security training mandatory to increase engagement and avoiding excessive burden on employees.
Some SAMs, particularly those in the UK, are starting to advocate for a more user-centric approach that focuses on improving security usability and processes, rather than just training employees.
Overall, the study highlights the complex, multifaceted nature of security awareness management in organizations, and the need for a more holistic, employee-centered approach.
Quotes
"What keeps people secure will absolutely not be the cybersecurity awareness training they had to do on onboarding. What it will be is the fact that during that onboarding they met the cybersecurity team or somebody from it, or they had an onboarding before they were even in the company they were maybe taken through." - [P11]
"If I did a workshop on phishing, nobody will come. But if I want to do workshops on dating app security, using Grindr safely, you know, how to send nude photos correct, [...] they love it, you know." - [P11]
"Sometimes there is a campaign that just doesn't succeed. So we did spear phishing, we were too secure. So the emails didn't get in, my people were already too aware. [...] we paid so much money [for the campaign]." - [P4]

Deeper Inquiries

How can security awareness managers better align their goals and metrics with improving actual security behaviors, rather than just employee engagement?

To better align their goals and metrics with improving actual security behaviors, security awareness managers can take the following steps:
Focus on Behavior Change: Instead of solely measuring engagement metrics like click-through rates or training completion, SAMs should prioritize measuring actual changes in security behaviors. This can be done through targeted assessments, simulations, and monitoring of employees' adherence to security protocols.
Tailored Training: Develop customized training programs that address specific security risks and behaviors relevant to different employee roles. By tailoring training to the needs of different departments or job functions, SAMs can ensure that the training is more effective in influencing behavior.
Continuous Evaluation: Implement regular evaluations and assessments to track the effectiveness of security awareness initiatives in driving behavior change. This can involve conducting follow-up assessments, surveys, or simulations to measure the impact of training on actual security practices.
Collaboration with Technical Teams: Work closely with technical security teams to align security awareness initiatives with technical controls and protocols. By integrating security awareness with technical security measures, SAMs can create a more comprehensive approach to improving security behaviors.
Use Behavioral Science Principles: Incorporate behavioral science principles into security awareness programs to better understand and influence employee behavior. By leveraging insights from psychology and behavioral economics, SAMs can design interventions that are more likely to drive lasting behavior change.

How can security awareness managers work more effectively with technical security teams to develop holistic, user-centric security approaches that address both technical and human factors?

To work more effectively with technical security teams and develop holistic, user-centric security approaches, security awareness managers can:
Establish Clear Communication Channels: Foster open communication channels between security awareness teams and technical security teams to ensure alignment on goals, strategies, and initiatives. Regular meetings, collaboration platforms, and shared documentation can facilitate effective communication.
Collaborative Planning: Involve technical security teams in the planning and development of security awareness initiatives to ensure that they align with technical controls and security protocols. By working together from the outset, SAMs and technical teams can create a more integrated approach to security.
Cross-Training and Knowledge Sharing: Encourage cross-training and knowledge sharing between security awareness and technical teams to build a mutual understanding of each other's roles, challenges, and priorities. This can help bridge the gap between technical and human factors in security.
User-Centric Design: Incorporate user-centric design principles into security awareness programs, taking into account the needs, preferences, and behaviors of end-users. By designing interventions that are user-friendly and engaging, SAMs can increase the effectiveness of security training and awareness initiatives.
Data-Driven Decision Making: Utilize data and metrics to inform decision-making and measure the impact of security awareness efforts on both technical and human factors. By analyzing data on security incidents, training completion rates, and behavior changes, SAMs can identify areas for improvement and optimization.
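The two answers above converge on one practical point: report behaviour metrics alongside (or instead of) engagement metrics, and share them with the technical team. The script below is an added example written for this summary, not code from the study or its authors. It works on constructed phishing-simulation records (the employees, departments, campaign labels Q1 and Q2, and all timings are made up) and computes the engagement figure SAMs usually report (training completion), per-department behaviour metrics (click rate, report rate, and the share who reported without clicking), the change in report rate between two campaigns, and the minutes until the first report, which is what the security team would actually rely on during a real phishing wave.

```python
"""Engagement metrics versus behaviour metrics for an awareness programme.
Added example for this summary, not code from the study or its authors. All
records are constructed sample data; the department names, campaign labels
and field names are assumptions, not the study's data model."""
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    uid: str
    department: str
    completed_training: bool  # the engagement figure usually reported upward


@dataclass(frozen=True)
class SimulationEvent:
    """One employee's outcome in one campaign; times are minutes after the
    lure was sent, None meaning the action never happened."""
    uid: str
    campaign: str
    clicked_after: Optional[int]
    reported_after: Optional[int]


# Constructed sample data: two departments, two quarterly campaigns.
EMPLOYEES: List[Employee] = [
    Employee("f1", "finance", True), Employee("f2", "finance", True),
    Employee("f3", "finance", False), Employee("e1", "engineering", True),
    Employee("e2", "engineering", False), Employee("e3", "engineering", False),
]
EVENTS: List[SimulationEvent] = [
    SimulationEvent("f1", "Q1", 5, None),
    SimulationEvent("f2", "Q1", 10, 30),   # clicked first, reported later
    SimulationEvent("f3", "Q1", None, None),
    SimulationEvent("e1", "Q1", None, 8),
    SimulationEvent("e2", "Q1", 2, None),
    SimulationEvent("e3", "Q1", None, None),
    SimulationEvent("f1", "Q2", None, 20),
    SimulationEvent("f2", "Q2", None, 12),
    SimulationEvent("f3", "Q2", 3, None),
    SimulationEvent("e1", "Q2", None, 5),
    SimulationEvent("e2", "Q2", None, 40),
    SimulationEvent("e3", "Q2", None, None),
]


def completion_rate(employees: List[Employee]) -> Fraction:
    """Engagement metric: share of staff who completed the e-learning."""
    return Fraction(sum(e.completed_training for e in employees), len(employees))


def behaviour_metrics(employees: List[Employee], events: List[SimulationEvent],
                      campaign: str) -> Dict[str, Dict[str, Fraction]]:
    """Per-department click rate, report rate and share who reported without (or
    before) clicking, as exact fractions so small cohorts compare without rounding."""
    dept_of = {e.uid: e.department for e in employees}
    counts = defaultdict(lambda: {"targeted": 0, "clicked": 0, "reported": 0, "first": 0})
    for ev in events:
        if ev.campaign != campaign:
            continue
        c = counts[dept_of[ev.uid]]
        c["targeted"] += 1
        if ev.clicked_after is not None:
            c["clicked"] += 1
        if ev.reported_after is not None:
            c["reported"] += 1
            if ev.clicked_after is None or ev.reported_after < ev.clicked_after:
                c["first"] += 1
    return {
        dept: {
            "click_rate": Fraction(c["clicked"], c["targeted"]),
            "report_rate": Fraction(c["reported"], c["targeted"]),
            "reported_before_click": Fraction(c["first"], c["targeted"]),
        }
        for dept, c in counts.items()
    }


def report_rate_change(employees, events, before: str, after: str) -> Dict[str, Fraction]:
    """Change in report rate between two campaigns: the behaviour-change signal
    to put beside the (usually flat) completion rate."""
    b = behaviour_metrics(employees, events, before)
    a = behaviour_metrics(employees, events, after)
    return {d: a[d]["report_rate"] - b[d]["report_rate"] for d in a if d in b}


def minutes_to_first_report(events: List[SimulationEvent], campaign: str) -> Optional[int]:
    """How soon the security team would have heard about a real wave: minutes
    from send to the first report, or None if nobody reported."""
    times = [ev.reported_after for ev in events
             if ev.campaign == campaign and ev.reported_after is not None]
    return min(times) if times else None


if __name__ == "__main__":
    print("completion rate:", completion_rate(EMPLOYEES))
    for q in ("Q1", "Q2"):
        print(q, dict(behaviour_metrics(EMPLOYEES, EVENTS, q)),
              "first report after", minutes_to_first_report(EVENTS, q), "min")
    print("report-rate change Q1->Q2:", report_rate_change(EMPLOYEES, EVENTS, "Q1", "Q2"))
```

In the constructed data the completion rate is one half in both quarters, while the finance report rate rises from a third to two thirds and the time to first report drops from eight to five minutes; that contrast between a flat engagement number and a moving behaviour number is what the first answer asks SAMs to measure. The functions return exact fractions rather than rounded percentages so that small departments can be compared without rounding artefacts.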

What are the potential downsides of making security training mandatory, and how can organizations balance the need for security awareness with minimizing burden on employees?

Making security training mandatory can have both benefits and downsides. Some potential downsides include:
Resistance and Resentment: Mandatory training may lead to resistance and resentment among employees who perceive it as a burden or an intrusion on their time. This can result in disengagement and a lack of receptiveness to the training content.
Compliance Over Understanding: Employees may go through the motions of completing mandatory training without fully understanding the security concepts or internalizing the importance of secure behaviors. This can lead to superficial compliance rather than meaningful behavior change.
One-Size-Fits-All Approach: Mandatory training programs may adopt a one-size-fits-all approach that does not account for the diverse learning styles, preferences, and job roles of employees. This can result in training that is not effectively tailored to the needs of different groups within the organization.
To balance the need for security awareness with minimizing burden on employees, organizations can:
Offer Flexible Training Options: Provide employees with flexible training options, such as self-paced modules, interactive workshops, or gamified learning experiences. This allows employees to engage with the training in a way that suits their preferences and schedules.
Targeted Training for Relevant Roles: Tailor training programs to the specific roles and responsibilities of employees, focusing on the security risks and behaviors most relevant to their job functions. This ensures that training is practical, engaging, and directly applicable to their daily tasks.
Continuous Reinforcement: Implement a strategy of continuous reinforcement and follow-up to ensure that security awareness is an ongoing process rather than a one-time event. This can include regular reminders, updates, and refresher courses to reinforce key security principles.
Engagement and Communication: Foster a culture of security awareness through ongoing communication, engagement, and recognition of employees' efforts to prioritize security. Encouraging open dialogue, feedback, and participation can help create a positive and supportive environment for security awareness.