Security awareness has long been a point of frustration for information security professionals. While many organizations conduct awareness training of some kind, they have struggled to develop effective training, as posters and knick-knacks urging employees to change passwords frequently have failed to improve their security behavior. Consequently, employee behavior continues to be a common cause of data breaches, with some in the industry even concluding that improving user behavior is impossible.
Improving user security behavior is not impossible, but it does require a change in approach. These five tips provide a roadmap for establishing a security behavior management program that measurably improves security posture.
1. Immerse your audience
When pilots are learning to fly a plane, the most effective training comes from the flight simulator. Teaching employees to practice safe security behavior isn’t nearly as complicated as teaching someone to fly a plane, but the learning principle is the same. Avoid passive training initiatives and instead immerse recipients in the experience by simulating a real-life situation. Provide instant feedback to reinforce the key points, and repeat the process periodically to increase memory retention and create a culture of security at your organization.
2. Keep it focused
Security awareness programs often overwhelm employees by addressing a variety of security topics ranging from password complexity to USB policies to physical security. Focus on threats that are most likely to occur, could potentially affect your organization’s most valuable assets, and can’t be addressed by a technical control. Spare your employees the pain of having to learn about topics that won’t directly improve security or be a benefit to them.
3. Engage your audience
For many employees, security awareness is something that doesn’t help them do their jobs. Users will do what they have to do to get through the training and get on with their day. Keep recipients engaged by starting off with a simple, specific message, and keep it going by varying the content and delivery method of your training. Make it a positive experience by recognizing those who have done well and offering support to those who need additional help.
4. Use metrics
Traditional security awareness initiatives such as posters, classroom and computer-based training, and employee giveaways often lack measurable results. Programs that collect metrics about behavioral change can guide effective decision-making with the data to back it up. Metrics can provide statistics on user susceptibility, the effectiveness of different training efforts, and insight into attacks aimed at your network.
5. Go beyond compliance
While compliance is a requirement for many organizations, compliance does not equal security. Security awareness has traditionally been associated with the compliance side of security, and the tried and true methods of security awareness are good at achieving compliance. For user security training to be truly effective, it needs to do more than check the compliance box: it must focus on current threats and evolve with the threat landscape.
Following these tips, by providing engaging and immersive training that focuses on the most relevant threats, will form the foundation of a security behavior management program that positively impacts users, IT security, and the security culture at your organization.