Despite efforts to educate and train employees to spot cyberattacks, an all-too-familiar scenario plays out in businesses worldwide. A corporate accountant or executive with “buying power” receives an urgent email from the CEO asking for immediate payment to an external partner. The email includes an attachment and a message stressing “discretion,” “confidentiality,” and not to verify the request because the payment needs to happen immediately. The stressed-out employee quickly pays the invoice, continues on their normal workday, and is shocked when they are alerted to the scam once the security team identifies it.
Cybersecurity is both a technological and a psychological challenge for businesses. Regardless of how tech-savvy they are, employees are often duped by sophisticated scams that use a variety of tricks and techniques to exploit their fears, hopes, and ordinary cognitive habits. Further, cybercriminals mine data from major breaches, including the Equifax breach, for personal information about employees that lets them customize their attacks. Corporate training and HR professionals must teach employees to identify and remediate cyberattacks, or the business risks losing money, IP, sensitive information, or all three.
Employees Need Help Overcoming Their Cognitive Biases
Many companies deliver security training as two to four sessions, either during a new employee’s orientation or annually as a company-wide initiative. Unfortunately, because of the long-form format and the lack of engagement it produces, many employees tune out the lessons and miss valuable information that could help their employer avoid a million-dollar data breach. Knowledge retention rates drop by more than 50% when a training segment runs longer than two minutes. A new path must be forged.
Human biases are innate, but that doesn’t mean organizations can’t counteract them. Corporate trainers and HR professionals must adopt new training methods that encourage conscientiousness and vigilance against the psychological tricks that arrive in employees’ inboxes. The work of Nobel Prize-winning behavioral economist Richard Thaler of the University of Chicago shows that decision architecture and human behavior can be influenced by “subtle nudges.” Based on indirect encouragement and enablement, nudge theory offers curated choices that lead people to make positive and helpful decisions despite their cognitive biases. Nudge theory favors short, contextual microlessons over longer-format training. The methodology is now being used effectively in cybersecurity training to combat behavioral biases and improve organizations’ ability to defend themselves against customized cyberattacks.
Humans learn from and respond to in-the-moment reminders about behaving securely. The best everyday example of this principle in action is the password strength meter used by most retail sign-up forms. The meter gradually shifts from red to green as the user builds a password that meets requirements such as lower-case, upper-case, and special characters. Tapping into humans’ innate drive to complete tasks positively influences users’ online behavior.
Security Training Requires A Group Effort
Across the organization, people must recognize the importance of their company’s security policies, understand why those policies are essential, identify attacks in real time, and know the appropriate actions to take to remediate an attack.
These are the key traits of an effective security coaching program that leverages nudge theory:
- Help employees understand the importance of security
- Assess employees’ security aptitude and customize training to specific role requirements
- Create engaging, highly digestible educational content within employees’ normal workflows
- Flag users’ risky online behaviors in real time
- Do not overdo phishing and cyberattack simulations
- Make training an ongoing practice
- Praise employees for positive behaviors rather than punish them publicly for negative ones
- Ask for employee feedback
- Measure employee progress
A key enabler of an effective security coaching program is microlearning. For security training to be retained, its content needs to be engaging, relevant, and frequent. A Cornell study showed that people are more motivated and more likely to adopt a new behavior when given small tasks and immediate small rewards. This kind of feedback is particularly effective for cybersecurity training.
Security leaders must prioritize people because they are the first line of cybersecurity defense for organizations. Contextual nudges that remind people of their training are a helpful tool in combating sophisticated phishing and social engineering techniques that turn workers’ normal cognitive habits against them. CISOs essentially need to detrain their users’ reflexive habits and make them more conscious of their online behavior. Personalized coaching based on real-life scenarios enhances retention and engagement and positively influences user behavior.