Punishing users is the wrong approach to improving security behavior

Punishing users for undesired security behavior? We believe that punishing users is a misguided idea that will alienate them and make it difficult to ever improve user security behavior. Every so often, someone in the industry brings up the idea of punishing users as a way of motivating/improving behavior. We hadn’t heard much on this topic since we wrote a post on it back in September; however, it has flared up again.

Popular holiday-themed phishing attacks

The holidays are a busy time for everyone… especially for hackers trying to phish your employees. Phishing is most effective when it exploits human emotions—fear, greed, anxiousness, curiosity, compassion, getting a good deal—and the holidays tend to bring these emotions out more than other times of the year. This gives adversaries a bevy of relevant topics to use to build phishing campaigns.

How can you ensure your employees are prepared for the onslaught of phishing attacks this holiday season? We’ve mentioned before that training your employees needs to be continuous, and if you have provided immersive security awareness training throughout the year, your employees will be more resilient to phishing attacks at all times. We’ve also noted the need to keep that continuous training fresh, and providing holiday themed training is a great way to provide training that is engaging and timely.

Effective security awareness includes everyone

I’m often asked which employees are most likely to be targeted by phishing emails. It’s interesting to think about, but the truth is that adversaries will target whichever employees can offer access to the enterprise’s network—and that could potentially be anyone in your organization. Recent research from ProofPoint confirmed this, finding that staff-level employees were targeted by phishing attacks more often than middle and executive management.

The takeaway here is that for security awareness to be effective, it needs to include everyone in your organization. Aside from the obvious security necessity, including the entire organization in your security awareness initiatives enhances your program in a number of ways.

How do you make security awareness engaging?

Think back to all of the corporate training you’ve sat through during your career. Chances are (especially if you’ve worked at a large enterprise), that some of that training had little relevance to your job duties. How much knowledge from those courses did you retain? Although you technically completed the training, would you have been able to apply any of the information you were given in real life?

For many employees, security awareness training falls into this category. It’s something they probably don’t care about, and that doesn’t help them do their jobs. This is why traditional awareness training has failed. Users will do what they have to do to get through the training, check the box, and get back to their regular jobs. Their security awareness training is now a distant memory buried in a pile of other dull corporate training they’ve been forced to endure over the years.

Negative reinforcement: How NOT to improve user behavior

One of the interesting aspects of security awareness training is the intersection of information security with human resources. We know from experience that security practitioners are not always experts in the latter, but what we recently saw from Dave Clemente was a real doozy.

Clemente suggested that employees who engage in unsafe IT security behavior (such as clicking on phishing links) be reprimanded and that unsafe behavior should even negatively affect their performance review. To the security part of your mind, it might feel good to punish people for their security sins. We need to remember, however, that the ultimate goal of security is to protect a network, not give users a reason to DDoS it.

For effective security awareness, keep it focused

Switch book coverIn their book, “Switch: How to Change Things When Change is Hard” authors Chip and Dan Heath examine how influencing humans to change requires appealing to two parts of the brain: the rational and the emotional. Since the emotional part of our brain often gets frustrated when asked to make huge changes, Chip and Dan recommend that we “shrink the change” to change behavior in the face of resistance.

The Heaths cite financial guru Dave Ramsey’s “Debt Snowball” strategy as an effective example of shrinking the change. For people mired in a mountain of debt, this strategy advocates paying off their smallest debts first – regardless of interest rates. Although this flies in the face of conventional financial wisdom, it is a lot easier for people to remain focused by paying off a $200 debt than it is to pay off $200 of a $20k debt. It’s easier for our brains to process manageable changes, and when we feel like change is manageable, we’re more likely to implement it.

To make training stick, immerse employees

When aspiring pilots go through flight school, they learn both in a conventional ground setting and using a flight simulator. On the simulator, new pilots are immersed in the experience of flying, and receive real-time feedback about their decision making. Not surprisingly, the simulator is seen as a more effective training tool than conventional classroom training.

One of the greatest challenges facing security awareness initiatives is providing employees with an experience they will actually remember and retain. Training users to avoid risky security behavior is not nearly as complicated as teaching someone to fly a plane, but just like with pilots, immersive training that simulates the kind of attack methods employees face is a more effective way to conduct security awareness.

Syrian Electronic Army continues to carry out successful data-entry phishing attacks

When the Syrian Electronic Army nailed a number of prominent media outlets earlier this year, we were pleased to see a number of open and honest responses from those that were breached, notably from The Onion and The Financial Times.

Last week, the SEA was at it again, successfully hacking content recommendation service Outbrain, an attack which provided a foothold to compromise media behemoths The Washington Post, Time, and CNN. The SEA attacked Outbrain with largely the same tactics it has used so successfully in the past few months, by eliciting log-in credentials through a phishing email, the same tactics PhishMe simulates in our data entry scenarios.

Do young employees present a phishing risk?

Spring. For some it signals rejuvenation, rebirth, everything blooming…but for security administrators it can mean new security risk. Spring means that the next round of college seniors will be entering the workforce soon, which for phishers means a fresh group of targets. Hopefully their college educations have prepared them for the majority of challenges they will face, but when it comes to phishing that is unlikely. The types of phishing emails students and consumers receive are quite different from what employees receive, and without training, young employees can’t be expected to avoid tactics they haven’t seen.