Cyber security continues to remain a priority for firms of all sizes and complexities. Raising awareness about cyber threats and best practices has been a common approach to mitigating cyber-attacks, it is time to acknowledge that mere awareness is insufficient. In this blog, we will explore why awareness of cyber security is not effective and argue that measuring behavioural change while fostering a proactive cyber security culture within an organisation is key.

The Limitations of Cyber Security Awareness 

Passive Understanding  

Cyber security awareness campaigns primarily focus on providing information about potential risks and preventive measures. However, awareness alone does not guarantee that individuals will remember and act upon the knowledge transferred in these campaigns. People may understand the importance of strong passwords or the risk of phishing attacks, but this knowledge often remains passive, lacking the necessary behavioural change.

False Sense of Security  

Raising awareness without fostering a proactive culture can create a false sense of security. Employees may believe that they are adequately protected simply because they possess some knowledge of cyber threats. Unfortunately, this misconception can lead to complacency and an underestimation of potential risks.

Insufficient Engagement  

Traditional awareness campaigns tend to be one-off events, such as seminars or training sessions, with limited follow-up or reinforcement. These programs often fail to engage individuals on an ongoing basis, leaving them ill-prepared to deal with new and emerging threats.

Lack of Personalisation  

Generalised awareness campaigns may not address the specific needs and challenges faced by individuals within an organisation. Cyber security threats can vary greatly, and tailored approaches are necessary to ensure that employees have the relevant knowledge and skills to tackle these threats effectively.

Measuring Behavioural Change: A Shift in Focus 

Action-Oriented Approach 

Instead of solely relying on awareness metrics, organisations should adopt an action-oriented approach that emphasises behavioural change. It is crucial to encourage employees to translate their knowledge into tangible actions, such as using strong passwords, reporting suspicious activities promptly and use of Multi Factor Authentication.

Continuous Training and Reinforcement  

To foster a proactive cyber security culture, organisations must provide ongoing training and reinforcement. This can include regular workshops, simulated phishing exercises, and interactive learning platforms that promote continuous learning and skill development. By regularly engaging employees, organisations can ensure that cyber security practices remain at the forefront of their minds.

Metrics for Behavioural Change 

Measuring behavioural change is essential for assessing the effectiveness of cyber security initiatives. Organisations can track metrics such as the percentage of employees reporting phishing emails, reporting of cyber events or incidents and other metrics including challenging staff not properly displaying the correct ID. Identifying the correct metrics can to measure behaviours is a real challenge that all firms struggle with. The key point here is that measuring behaviour is measuring positive (or negative!) interaction, whilst measuring awareness does not result in guaranteed interaction.

Employee Incentives and Recognition 

Recognising and rewarding employees who consistently exhibit good cyber security practices can significantly contribute to fostering a proactive culture. Incentives can range from acknowledgment in company newsletters to financial rewards or additional training opportunities. By highlighting exemplary behaviour, organisations reinforce the value placed on cyber security and motivate employees to actively participate in maintaining a secure environment. It may be tempting to punish poor cyber security behaviours and this may be necessary in some cases, however having a positive cyber culture is the best way to drive desirable behaviours. If cyber security becomes a feared or negative subject within an organisation it is likely staff will make mistakes as they fear asking for support and acting transparently.

Building a Proactive Cyber Security Culture 

Leadership Commitment 

Leadership buy-in is essential for fostering a proactive cyber security culture. When executives demonstrate a commitment to cyber security, it sends a clear message to employees that protecting sensitive data is a top priority. This commitment should be reflected in resource allocation, policy enforcement, and the integration of security considerations into the organisation's overall strategy. If an executive exhibits poor cyber behaviour and dismisses the impact, this will poison an organisation’s cyber culture. Strong and transparent leadership drives culture!

Clear Policies and Procedures 

Establishing clear cyber security policies and procedures is crucial for guiding employees' actions. These policies should be easily accessible, regularly updated, and communicated effectively to all employees. By providing a framework for decision-making and behaviour, organisations can empower employees to make informed choices and contribute to a secure work environment. Policies shouldn’t be overly complex and should equip the audience with clear instructions and escalation points.

Enabling Feedback 

Staff feedback on cyber security should be considered. A classic example of great staff feedback we’ve recently seen at P3M Works is the request for a password manager that was raised to enable staff to keep track of their passwords and help them generate secure passwords, whilst also having a mechanism to store passwords from device to device. Staff often have great suggestions or ideas that can trigger policy/technology or process to change to better drive positive behaviour.