I know I shouldn't drink Diet Coke, but every few weeks I find myself happily sipping from another silver can. Heck, it even says right on the can, "Warning: Contains phenylalanine." But awareness of some mysterious chemical isn't going to stop me from enjoying an occasional Diet Coke; I need help changing my behavior. To borrow a line from social scientists, "Abundant research shows that people who are simply given more information are unlikely to change their beliefs or behavior."

And yet, here we are again, another Cybersecurity Awareness Month: the industry's Hallmark holiday that promotes spending on cybersecurity training videos, phishing simulators, and free lunches to feed employees a smorgasbord of security education, training, and awareness.

Awareness Isn't the Issue

But employees are already aware of cybersecurity. It's made little difference in reducing the volume of successful cyberattacks involving the human element. It's time to shift our collective efforts from awareness to actual behaviors. Instead of a month-long campaign, we should focus on creating real-world opportunities for employees to build and flex their cyber judgment muscle memory all year long.

Consider the 15-year-old pursuing that coveted freedom of a driver's license. With an outsized motivation to learn, they start in a classroom, absorbing everything they possibly can about driving, observing adults driving, and passing a written test to obtain a permit. That first time behind the wheel, a new learning curve begins - one with higher, real-world stakes. It ultimately takes months of practice, driving in all sorts of conditions, to prepare someone to drive safely on their own.

Training Isn't the Answer

The universal approach to addressing the human element of cybersecurity has been to "train" employees to deal with whatever threat du jour occupies our attention. Training is preventative, theoretical, and out of context: a memo, a webinar, a campy click-through video with a quiz - all in hopes that an employee will remember exactly what they are supposed to do should a similar situation arise in some unknown future. This is not how we learn in any other context, but for some reason, we continue to pursue this failed approach in cybersecurity.

To create true, lasting security behavior change, we must put our employees behind the wheel on the open Internet superhighway. Small, simple changes in how we engage employees and intervene with cybersecurity information can have an outsized impact. With additional bits of information, such as the benefits of using MFA or preempting questions or doubts, we can further encourage the desired behavior and thus the desired security outcomes.

It's Time to Take the Next Step

We have reached a collective fever pitch of cybersecurity awareness. It's time to take the next step toward implementing repeatable, real-world practice that ingrains positive habits and security behaviors. By leveraging our modern understanding of neuropsychology and behavioral science, lessons learned from other industries and disciplines, and emerging human-centered cybersecurity technologies, we can make cybersecurity understanding a reality today and every day.
This article was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000