Training is not enough: changing information security culture and behaviour
March 7, 2019

Changing organisational culture is not a ‘technical’ task to be engineered into place. It requires an understanding of how motivation, incentives, leadership and governance interact to trigger behaviours – desired and undesired. Shaping a positive information security culture and behaviours is a combination of a person’s motivation, ability, and perhaps most importantly, the permission to behave positively.

In our prevailing information security culture, humans are viewed with deep distrust – they are variously positioned as malicious, complacent, and/or ignorant. This mindset positions people as a feature of information security in a very specific and negative way. Information security culture becomes focused on control and compliance.

How might we approach reshaping this culture such that people are a source of strength in information security?

Training is necessary but not enough

Education, training, and communications are the three methods most relied on by firms looking to improve information security awareness. And, all three are necessary but they are also passive. In delivery, they are often general in nature, sporadically delivered with limited follow-up, and alone do not lead to a change in behaviour.

Phishing simulations are another common educational technique to raise employee awareness of security issues. Again, alone they are not enough and there is little reliable information on the value these simulations make to either raising awareness or changing behaviour. They are assumed to be ‘good’. A potential unintended consequence of phishing simulations is to raise paranoia among employees which could lead to unintended negative workplace behaviours and reinforce a compliance culture in which the organisation is playing a ‘gotcha’ game with employees.

Consistently, surveys evaluating the training effectiveness in information security suggest that training is not cutting through. For example, a global survey conducted in 2017 over 2,600 professionals who handle confidential data at companies with 250 or more employees showed that 72% of employees are willing to share sensitive, confidential, or regulated company information. In 2018, the ISACA/CMMI Institute Cybersecurity Culture Report found that only 34% of the over 4,800 business and technology professionals surveyed believe the workforce clearly understands their role in achieving the organisation’s desired cybersecurity culture.

Training is necessary but alone it is not enough. And, there seems to be little else in the bag of culture and workforce strategies available to those responsible and accountable for information security.

Change behaviour, change culture

Organisational culture is built on a thousand small interactions, decisions and actions taken every day by individuals. To effect a change in behaviour we need to influence both ‘what people think’ and ‘what people do’. Our approach is to design tools to support culture change in a way that informs, motivates, and evokes the emotions of individuals—leaders and employees. Ultimately, we want people to move naturally in the direction of the desired change.

To achieve this, we need to create the conditions for a change in behaviour and make sure the opportunities to engage in the transition are as seamless and easy as possible. For example, a highly motivated employee, might be compelled to undertake a behaviour, but not be afforded the opportunity and ability to do so; while another employee may have tremendous opportunity to undertake a behaviour, but not have the motivation to do so. Highly motivated employees who are not supported by leaders cannot succeed in changing their behaviour or the culture. Similarly, highly motivated leaders cannot succeed if employees are not willing to (or don’t know how to) engage in change. To achieve the desired culture, there is a need to influence both employee and leader behaviour in a way that is mutually reinforcing.

Information security training treats all employees equally. Rather than motivating employees to participate positively in protecting and sensitive and confidential information security training underwrites a compliance culture that has the negative side-effect of discouraging accountability and instilling indifference.

Culture change requires a sustained focus on the motivation and ability of audience you are trying to reach. It relies on detailed understanding of both ‘what people are thinking about information security’ and ‘why they are behaving the way they are’. This provides the foundation for building information security into organisational culture in way can integrate, target and make best use of existing education, training, communications, and other activities such as simulations.

It is time for a more sophisticated and strategic approach to information security. The evergreen response of ‘more training’ is not going to be enough. Leaders are looking to leverage new technology to increase capability. Greater connectivity is a central characteristic in our evolving technologies. As our workforce acquires new information, they will be well best placed to see new opportunities but, and perhaps most importantly, they will also be acquiring new connections. People, not technology, are the source of resilience and adaptability in our organisations. Consequently, the organisational culture we wrap around our information security needs to evolve with the technology and the workforce.

In 1996, just as today’s world of hyper-connectivity was emerging, philosopher of technology Langdon Winner observed, ‘to invent a new technology requires that … society also invents the kinds of people who will use it’. We need to invest strategically and comprehensively in finding a way forward to a more positive approach to information security that places people and culture at the centre of an information security system that is more resilient, adaptive, and effective.