Organizations have spent millions over recent decades on information security awareness activities. The rationale behind this approach was to take their biggest asset – people – and change their behaviors, thus reducing risk by providing them with knowledge of their responsibilities and what they need to do.
The ISF proposes that making people aware of their information security responsibilities and how they should respond is no longer enough. Instead, the answer is to embed positive information security behaviors, which will result in ‘stop and think’ becoming a habit and part of an organization’s information security culture.
The success of behavior change for information security should be measured by a reduction in risk, rather than by what people know, or fail to know, and can choose to ignore.
“While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how new behaviors can reduce that risk,” said Steve Durbin, Global Vice President, ISF.
“The time is right and the opportunity to shift away from awareness to tangible behaviors has never been greater. The C-suite has become more cyber-savvy, and regulators and stakeholders continually push for stronger governance, particularly in the area of risk management. Moving to behavior change will provide the CISO with the ammunition needed to provide positive answers to questions that are likely to be posed by the CEO and other members of the senior management team,” Durbin added.
“Today’s leaders often demand return on investment forecasts for the projects that they have to choose between, and awareness and training are no exception. Evaluating and demonstrating their value is becoming a business imperative,” continued Durbin. “Unfortunately, there is no single process or method for introducing information security behavior change, as organizations vary so widely in their demographics, previous experiences and achievements, and goals.”