Is it time to drop the security awareness moniker and focus on building secure habits?

Guest blog by Tim Ward, CEO & Co-founder at ThinkCyber #techUKCyber2023

What better time than “Security Awareness Month” to explore the need for innovation in our approach to security awareness? And we could start with the name itself!

For a start “awareness” feels too passive if we want, and need, staff to be the last line of defence. We don’t just want awareness. We want to embed secure behaviours.

Ok, so some people call it “Security awareness and education”. But perhaps that isn’t much better. Whilst there is no disputing that we need some level of education and awareness, I’d argue this isn’t purely a knowledge thing. Even experts fall for scams.

In reality, if we are to reduce risk – and we need to when 74% of cyber-attacks start with the human user! Our focus should be on engagement, security culture and ultimately, measurable secure behaviour change.

And security awareness has got a bad name for itself. There’s the eye-rolling reaction to awareness that’s been created by over long, over complex mandatory training. Through negative incentives if courses aren’t completed. And exacerbated by phishing simulations that trick and embarrass. Whilst seemingly innovative, some new tools use other data sources to, once again, tell you off after the fact – more punishment with training?

What we need is a shift in the industry to recognise that if people are allowing the bad guys in, then the organisation isn’t doing enough to help them. No more ticking the security awareness box, or ticking the phishing sims box to say your organisation has “addressed the human factor”.

What does this innovation look like? It looks like understanding human behaviour. Realising that behaviours take place in a context, and so our help and support should be in that context. Realising that behaviours are made up of elements of ability, motivation and timely triggers or cues to act. Realising that motivation is a hard lever to change and can’t just be about inducing fear (which tends to lead to inaction). And so, making secure behaviours easy, the default, or simply prompting or triggering them in the context where the threat lies can be the secret to seeing measurable secure behaviour change and building secure habits.

We can’t be wholly wrong in thinking this at Think Cyber Security having won TechUK Cyber Innovator of the Year in 2021 for our Redflags® Real-time security awareness! And the evidence is there in the data: 45% reduction in screens left unlocked, 75% reduction in links clicked in emails from unknown senders and more across just a few months.

I mention these two behaviours specifically because they have huge potential to become habits. And secure habits are incredibly powerful. When your employees have secure habits, secure behaviours are automatic and effortless; there is no security fatigue because they aren’t even thinking that consciously about what they are doing when they do the right thing.

So, enjoy “security awareness” week, month, whatever. But perhaps remember that with a behaviour change-based approach, ideally in the context where the threat lives, the “secure habits” created can be for life, not just for October.

Cyber Security Programme

The Cyber Security Programme provides a channel for our industry to engage with commercial and government partners to support growth in this vital sector, which underpins and enables all organisations. The programme brings together industry and government to overcome the joint challenges the sector faces and to pursue key opportunities to ensure the UK remains a leading cyber nation, including on issues such as the developing threat, bridging the skills gap and secure-by-design.

Learn more