Cybersecurity Awareness Should Be People-Centric, Too

  • 13 March 2020

The first speaker at Tessian Human Layer Security Summit on March 5 was Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential.

He started his presentation by citing three fundamental flaws in cybersecurity awareness training:

  1. It’s boring
  2. It’s often irrelevant
  3. It’s expensive

“We knock out CBT (computer-based training) for 20 minutes, put a test at the end of it, and we expect ‘Johnny’ to be grateful for having spent that time in the training and to have been thoroughly entertained.”

Mark Logsdon, Head of Cyber Assurance and Oversight, Prudential

So, should we do away with it entirely? Not quite.

Cybersecurity training is a necessary evil

Cybersecurity professionals who implement training programs and employees who take part in these training programs can no doubt attest that the three flaws Mark mentioned are an unfortunate reality. 

But, what’s the solution? Training is, after all, a necessity. Without it, employees would rely entirely on often small and overworked IT and cybersecurity teams to prevent incidents and mitigate the consequences afterward. 

That’s not just a tall order; it’s completely unfeasible, especially when human error is the most prevalent cause of data breaches. That means every individual must be held accountable. 

By educating employees about data privacy laws, password best practices, and how to spot phishing scams, cybersecurity becomes the collective responsibility of the organization, not just those who have a relevant title.

With that said, Mark isn’t suggesting that organizations do away with cybersecurity awareness training. Instead, he’s saying that in order for it to be effective, it needs to be aligned to the individual business. 

To do that, you have to get to know the business, the people in it, and their attitudes towards security. And, according to Mark, the best indicator of future behavior is confidence.

The cybersecurity culture survey

Influenced by the work of Phillip Tetlock, Mark created a survey with predictive power. But, unlike your average survey that simply gauges knowledge, this survey gauges confidence.

Importantly, the survey focused on five key competencies:

  1. Business focus
  2. Cyber risk assessment
  3. Policy and best practice
  4. Cybersecurity advocacy
  5. Personal practice

The thought process is simple: a survey respondent who answers a question incorrectly with 100% confidence is just as likely to make a mistake as a survey respondent who answers a question correctly with less than 100% confidence. Both responses signal the potential for equally risky behaviors.

Beyond that, though, the responses – either correct or incorrect – represent an area that requires targeted training and intervention.

How can you apply this to your cybersecurity strategy?

While Mark shared the results of the survey he conducted (which you can see by watching the full presentation on our YouTube channel), his findings won’t help cybersecurity professionals fine-tune their own training.

The key here is that awareness training needs to be customized. 

Without gauging not just the knowledge but the confidence of your employees, you’re essentially blind to the cybersecurity risks within your organization. And, of course, your efforts run the risk of being deemed “boring”, “irrelevant”, and “expensive” with no tangible upside.
