11 Oct 2023
by Tim Ward

Is it time to drop the security awareness moniker and focus on building secure habits?

Guest blog by Tim Ward, CEO & Co-founder at ThinkCyber #techUKCyber2023

What better time than “Security Awareness Month” to explore the need for innovation in our approach to security awareness? And we could start with the name itself!

For a start “awareness” feels too passive if we want, and need, staff to be the last line of defence. We don’t just want awareness. We want to embed secure behaviours.

Ok, so some people call it “Security awareness and education”. But perhaps that isn’t much better. Whilst there is no disputing that we need some level of education and awareness, I’d argue this isn’t purely a knowledge thing. Even experts fall for scams.

In reality, if we are to reduce risk – and we need to when 74% of cyber-attacks start with the human user! Our focus should be on engagement, security culture and ultimately, measurable secure behaviour change.

And security awareness has got a bad name for itself. There’s the eye-rolling reaction to awareness that’s been created by over long, over complex mandatory training. Through negative incentives if courses aren’t completed. And exacerbated by phishing simulations that trick and embarrass. Whilst seemingly innovative, some new tools use other data sources to, once again, tell you off after the fact – more punishment with training?

What we need is a shift in the industry to recognise that if people are allowing the bad guys in, then the organisation isn’t doing enough to help them. No more ticking the security awareness box, or ticking the phishing sims box to say your organisation has “addressed the human factor”.

What does this innovation look like? It looks like understanding human behaviour. Realising that behaviours take place in a context, and so our help and support should be in that context. Realising that behaviours are made up of elements of ability, motivation and timely triggers or cues to act. Realising that motivation is a hard lever to change and can’t just be about inducing fear (which tends to lead to inaction). And so, making secure behaviours easy, the default, or simply prompting or triggering them in the context where the threat lies can be the secret to seeing measurable secure behaviour change and building secure habits.

We can’t be wholly wrong in thinking this at Think Cyber Security having won TechUK Cyber Innovator of the Year in 2021 for our Redflags® Real-time security awareness! And the evidence is there in the data: 45% reduction in screens left unlocked, 75% reduction in links clicked in emails from unknown senders and more across just a few months.

I mention these two behaviours specifically because they have huge potential to become habits. And secure habits are incredibly powerful. When your employees have secure habits, secure behaviours are automatic and effortless; there is no security fatigue because they aren’t even thinking that consciously about what they are doing when they do the right thing.

So, enjoy “security awareness” week, month, whatever. But perhaps remember that with a behaviour change-based approach, ideally in the context where the threat lives, the “secure habits” created can be for life, not just for October.


techUK’s Cyber Security Week 2023 #techUKCyber2023

The Cyber Programme team are delighted to be hosting our annual Cyber Security Week between 9-13 October.

Click here to read all the insights

Join us for these events!

11 October 2023

Cyber Innovation Den 2023

Central London Conference

Cyber Security Programme

The Cyber Security Programme provides a channel for our industry to engage with commercial and government partners to support growth in this vital sector, which underpins and enables all organisations. The programme brings together industry and government to overcome the joint challenges the sector faces and to pursue key opportunities to ensure the UK remains a leading cyber nation, including on issues such as the developing threat, bridging the skills gap and secure-by-design.

Learn more

Join techUK's Cyber Security SME Forum

Our new group will keep techUK members updated on the latest news and views from across the Cyber security landscape. The group will also spotlight events and engagement opportunities for members to get involved in.

Join here

Upcoming Cyber Security events

Cyber Security updates

Sign-up to get the latest updates and opportunities from our Cyber Security programme.

 

 

 

 

Related topics

Authors

Tim Ward

Tim Ward

CEO & Co-founder, ThinkCyber