2 UNDERSTANDING CYBERSECURITY AWARENESS

Jessica Barker

In this chapter, we are going to explore why cybersecurity awareness matters at the organisational level, what we mean by cybersecurity awareness and how awareness of cybersecurity has, in general, evolved over the last few decades. We will elevate this discussion so that we are not addressing awareness in isolation, but rather so that we start to address awareness in terms of its relationship with behaviour and culture – a theme that will continue throughout the rest of the book. Finally, we will address the importance of attaching metrics to awareness-raising initiatives and how to make the most of your organisational resources.

WHY WE NEED CYBERSECURITY AWARENESS

When people think of ‘insiders’ within the context of cybersecurity, most automatically think of malicious insiders. Malicious insiders are very newsworthy when it comes to breaches; disgruntled employees (or former employees) taking revenge over a (perceived) wrongdoing always grab headlines, for example. When a malicious insider strikes, they often know which information to steal, where to get the most information, potentially how to take it without being identified and what to do with it to cause the most harm or reap the greatest benefit from it. This makes malicious insiders costly for organisations. However, they are not so numerous. It is far more common for an organisation to have a breach as the result of non-malicious action, by people simply making mistakes, than it is from malicious insiders. The Verizon Data Breach Investigations Report 2020, analysing 157,525 incidents and 3,950 data breaches, reported that ‘errors’ were the causal events in 22 per cent of breaches, 22 per cent involved phishing and 37 per cent of breaches involved either the theft of credentials or used credentials that had already been stolen (Verizon, 2020).

Cybercriminals manipulating unwitting people or taking advantage of human error is generally the biggest issue for organisations, and this is why awareness is so important. In 2020, ClubCISO surveyed 100 chief information security officers (CISOs) about the cause of any material cybersecurity incidents in their organisations over the previous 12 months, as part of an annual information security maturity report. According to the results, 14 per cent of respondents said malicious insider activity was the cause of a material incident, 42 per cent reported non-malicious insider activity as a cause and 40 per cent selected malicious outsider or cybercriminal activity (ClubCISO, 2020). These latter two statistics likely go hand-in-hand, with malicious outsiders taking advantage of non-malicious insiders, for example through spear-phishing emails or poorly configured systems in which access has been accidentally left open. This highlights the importance of awareness, with non-malicious insider activity three times as likely to be identified as the cause of an incident than malicious insider activity. Indeed, we can take this a step further and argue that awareness is important for mitigating malicious insider, as well as non-malicious insider, activity: the more people are aware of cybersecurity, the more malicious activity is likely to stand out and be identified.

These statistics highlight why we need awareness in cybersecurity: while the term may sound like a very technical one, much of cybersecurity involves people. Whether at the corporate or personal level, we cannot force people to behave securely online, but they, and we, may suffer if they do not. In this way, cybersecurity is much like public health. We cannot force people to be vaccinated, regularly wash their hands, cover their mouths and noses when they sneeze or engage in the other day-to-day activities that help prevent the spread of diseases. But, if people do not engage in those activities, they are more likely to catch and spread infectious diseases. For the better protection of individuals, organisations and countries, we need to effectively raise awareness of cybersecurity across the board. This means understanding what actually has an impact: not merely getting people to listen to what we have to say, but influencing them to the degree that they are intrinsically motivated to act in security-positive ways.

Awareness can be understood in many different ways and has long been the subject of analysis in the social sciences. Many initiatives in society seek our awareness, from public health campaigns to advertisements, and organisations often need employees to be aware of various issues too. The success of awareness-raising initiatives varies wildly. In this chapter and the next, we will look at what we can do to raise awareness of cybersecurity (the ‘A’ of the cybersecurity ABCs) in a manner that has a positive impact on behaviours and cultures.

INTRODUCTION TO CYBERSECURITY AWARENESS

How do we define ‘cybersecurity awareness’? Is it awareness of the threats? Or awareness of the best practices to follow to be more secure online?

In the previous chapter, we looked at the NIST definition of awareness, taken from the Special Publication 800-16, which describes awareness as something largely passive, that is intended to focus individuals’ attention on IT security concerns so that they can respond accordingly.

If we look to ‘cybersecurity’, the Oxford English Dictionary describes this as: ‘The state of being protected against the criminal or unauthorised use of electronic data, or the measures taken to achieve this.’

Therefore, we can understand ‘cybersecurity awareness’ to be: focusing individuals’ attention on protecting against the criminal or unauthorised use of electronic data, so that they can respond accordingly.

When raising awareness of cybersecurity, I have seen many organisations focus solely on the threats. Of course, we must address the threats when we communicate about cybersecurity but taking a narrow view on this can limit the success of your awareness-raising programme.

For example, over the last few years, I have seen many organisations focus wholly on raising awareness of phishing attacks via email. This is a threat that individuals need to be aware of, and social engineering represents a huge issue for many organisations. However, a holistic approach to awareness-raising, one which includes phishing, will be more effective in bringing about long-term awareness, behaviour and cultural change than narrow campaigns like this. When I ask end users how they define cybersecurity, those in organisations that have focused on phishing at the cost of wider awareness-raising will often give very limited answers, with a perception of cybersecurity that stops at malicious links and attachments in emails. Meanwhile, social engineering attacks are increasingly utilising phone calls (often called vishing), messaging applications and social media platforms. If we focus simply on social engineering via emails, then we leave people more exposed to attacks when cybercriminals evolve their methods.

Threats evolve and change frequently, with new ones sometimes emerging on a daily basis. Effective cybersecurity awareness-raising switches people’s mindsets on to security in general, rather than raising their awareness merely with regard to a few current threats.

Awareness of cybersecurity has transformed in recent years. In the late 1990s and early 2000s, there was a trend of films specifically about hacking, including Hackers, The Net, Swordfish and The Matrix series. From 2010 onwards, more films have incorporated cybersecurity as an element in the plot, an integral and interwoven part of the narrative, such as The Girl with the Dragon Tattoo series, James Bond: Skyfall and Fast and Furious 8. This parallels the mainstreaming of cybersecurity more generally, with a recognition that internet technology is now an established part of our lives and security issues come part and parcel with that. Cybersecurity is also a prominent topic in the news, with regular reporting of data breaches and cyberattacks hitting the headlines. This has generated more awareness of the field in general. Cybersecurity is now a household topic of conversation (although understanding and engagement are still lacking).

To start thinking deeply about cybersecurity awareness, it can be helpful to first consider the concept of situational awareness. Situational awareness can be understood, essentially, as the ability to know what is happening around you. It is a concept that will be familiar to pilots, who must maintain a constant awareness of the operation of the airplane they are flying at the same time as remaining aware of changing environmental factors. In terms of cybersecurity, we want people to be aware of what is happening around them while they handle information and engage with technology, whether this is opening emails, using social media or discussing work with a colleague while on the train.

The growth in reporting of cyberattacks and data breaches has also led to more emphasis on awareness at the company level. Board members read about cybersecurity threats and attacks in newspapers and question their security and IT staff about how their company fares in relation to the news stories they have digested. Many of my clients have had their board actively request more cybersecurity awareness-raising and bring questions to their CISO based on articles they have read in the press.

I recently delivered a session to the board of a global law firm, including live demonstrations of password cracking and a spear-phishing attack, in which the majority of the executives stayed for half an hour longer than the scheduled session, making themselves late for their next meetings, to ask questions and seek further advice. Even just a few years ago, this kind of engagement was very hard to find.

SENIOR-LEVEL BUY-IN AND ENGAGEMENT

Senior-level engagement is a highly influential factor in the success of an awareness-raising campaign. When people work in an organisation, they often look to how their bosses are behaving to determine what is expected and acceptable, and what is not, in their own behaviour. Social proof is the phenomenon of people modelling their behaviour based on how they see others behave, and when it comes to social proof, people we respect, or who are in a position of authority, are more influential on our behaviour (Cialdini, 2007). This has parallels with social learning theory, which describes the way in which new patterns of behaviour are acquired by observing the behaviour of others (Bandura, 1971). In the (ISC)2 Awareness, Behaviour and Culture Workshops (ABC Workshops) of 2017, participants (who were cybersecurity professionals from different organisations) described senior executives in their organisations jumping over security barriers because they had forgotten their access badges, saving passwords to Excel files and asking for company information to be emailed to their personal email accounts. This frustrated participants, who recognised that when their senior leadership shows disregard towards the cybersecurity policies it undermines their efforts to effectively raise awareness, change behaviours and positively influence cybersecurity culture.

Senior executives are also an attractive target for cybercriminals. They have access to a lot of information and money, and they have authority and influence that can be exploited in social engineering attacks. They also often have high personal net worth, and so can be a target for many different reasons. Given these factors, and the power of social proof and social learning, effectively engaging with the senior level of an organisation is fundamental to cybersecurity awareness and behaviours in an organisation as a whole.

To engage with senior executives, follow the same approach as with any other audience: make it relevant to them and speak their language. Technical jargon will not cut it here; speaking in business terms will have much greater impact. So, rather than focusing on vulnerabilities, focus on the impact of the vulnerabilities in terms of the particular organisation. Wherever possible, put this in financial terms. Use case studies from your own organisation, or from organisations in the same sector. Make it clear that cybersecurity is not just a technical subject that the IT team can ‘fix’ – for example, if there is a data breach, will it be the IT team who write the press release? Of course not; it will be the public relations (PR) and communications experts. This is just one example that highlights that cybersecurity is not simply an IT issue. Talk about solutions, what defences are currently working and where you need action and investment.

AWARENESS ALONE IS NOT THE ANSWER

We are at a stage where awareness of cybersecurity has indeed never been higher. In the ABC Workshops we conducted over four conferences in 2017, we surveyed 118 information security professionals drawn from the participants: of these, only 5 per cent were from organisations that carried out no cybersecurity awareness-raising activities. Most organisations, regardless of size or sector, will now undertake some form of activities to raise awareness of cybersecurity among their workforce.

However, this is not to say that understanding of cybersecurity is high or that behaviours and cultures have been transformed. Awareness alone does not necessarily change behaviours: if it did, fast food restaurants would have gone out of business a long time ago. It is possible to be aware of something but to behave in a way which is at odds with that awareness. With this in mind, the objectives of a cybersecurity awareness campaign should always be to change behaviour for the better and to strengthen cybersecurity culture. To achieve this, we need to consider how we raise awareness in a deeper, more meaningful and more engaging way.

When I begin planning an awareness-raising campaign with a client, I always start with culture. What kind of cybersecurity (and wider) culture do you have in the organisation and what kind of cybersecurity culture do you want? Then, I move back a level. What kind of behaviours would reflect that culture? Once those have been identified, we have an idea of the outcomes we are aiming for with the awareness-raising campaign: we want to see the identified behaviours as a result of a shift in understanding about cybersecurity.

If we want awareness-raising to be deeply effective, then we want it to engage in shifting the understanding about cybersecurity to such an extent that it positively influences behavioural change. To achieve this, I have identified core questions that we can consider when planning an awareness campaign. We not only need to start with why, but we need to end with it, too, to inspire people to engage in the messages we are spreading (Sinek, 2011). In this way, it fits perfectly with the NIST definition of awareness, by focusing individuals’ attention on IT security concerns so that they can respond accordingly. For awareness-raising to be most impactful, it should answer the following questions:

In considering these, we need to answer the inevitable question: Why would cybercriminals want my data? There are two levels to this. First, why the individuals may be targeted. People often lose sight of the value of the information that they are handling, or fail to consider that the small company they work for may be targeted as a route to their big clients, or simply do not understand that their access to the network could provide a pivot point for criminals to move throughout the rest of the system. Second, there is also often a lack of awareness regarding the non-targeted nature of many cyberattacks (for example, evidence suggests that the UK National Health Service (NHS) was not targeted with the WannaCry attack in May 2017, but being a victim of the attack cost the NHS £92 million and over 19,000 patient appointments had to be cancelled as a result of it; Cyber Security Policy, 2018).

The intangible nature of cyber insecurity is one of the key challenges we face when raising awareness. Cybercrime is not something that most people see and feel until it happens to them. Even then, many individuals and organisations can be a victim of cybercrime for a long time before they discover it, if they discover it at all. Beyond this, many people work with computers, but don’t necessarily understand computers. This means they may find it hard to intuitively understand how something as seemingly innocuous as clicking links or reusing passwords could be so fundamental in enabling cybercrime.

We have also made cybersecurity burdensome for end users. Telling people not to click links? That is a core part of using the internet and, for many, fundamental to their ability to do their job. Advising people to use a different, complicated, random and long password for each of their accounts? When many people have more than 20 or 30 accounts (perhaps even more than 100), this becomes impossible without writing them down, storing them in an electronic file or using a password manager. Yet many cybersecurity professionals remain unwilling to consider that writing passwords down may be the best solution for many home internet users. Understanding of password managers is also very low: many people are not aware of what they are or why they would be less risky than reusing weak passwords across all of their accounts. It is the same with two-factor authentication (2FA): in a survey of 1,000 people in the UK, which I conducted in 2019, 62 per cent of people did not know what 2FA is and only 26 per cent of people were using it.

Having delivered awareness-raising sessions to tens of thousands of people in the last two years alone, I have found that live demonstrations of cyber insecurity are one of the most engaging and effective awareness-raising activities possible. When people witness password cracking, for example, they understand the importance of strong and unique passwords in a way that no theoretical explanation can match. The danger of live demonstrations of cyber insecurity is that they are scary. In the following chapter, I discuss the psychology of fear and the importance of carefully handling fear-based responses to your awareness-raising activities. The key to this, and to awareness-raising activities in general, is empowerment. It is imperative that we communicate in simple terms what people can do to better protect themselves from the threats we have been demonstrating. Central to this is providing the tools that people need to engage in the behaviours we recommend. For example, if you raise awareness of spear-phishing emails, it is important to communicate what people should do if they receive a suspected phishing email or if they are worried about a link they’ve clicked on or an attachment they have downloaded (a good ‘report a phish’ process is fantastic, for example with a ‘report a phish’ button in email clients). If you’ve delivered a password-cracking demonstration, simply telling people that they need to use unique, random and complicated passwords for each of their accounts will not suffice. How will they do that? Does the organisation provide them with a password manager, and will there be workshops and simple, concise guidance to get people up-and-running?

Cybersecurity awareness-raising can too often focus on problems, when we need to emphasise solutions. We must not forget that NIST defines awareness as focusing individuals’ attention on IT security concerns so that they can respond accordingly (emphasis author’s own).

UTILISING METRICS

Working on the human side of cybersecurity, one of the most common questions I hear is ‘how can you measure any of this?’ We are an industry that likes data, and I often encounter the perception that technical defences can be measured but human defences cannot. This is far from the case. Any measurements in cybersecurity are far from 100 per cent reliable as we are inherently dealing with ‘unknown unknowns’. We make the best of the data that we have when it comes to everything from the number of attacks, attribution of attacks, cost of incidents and ability of technical controls to mitigate the risks. The same should be true of awareness, behaviour and culture; let’s consider what data we can get and let’s make the most of it.

There are many solutions to facilitate the setting and monitoring of metrics in cybersecurity.

At Cygenta, the company I co-founded, the approach we take is to consider key areas of culture, analyse how individuals perform in relation to those key areas and see how this changes according to training and other communications.

It is imperative not to approach the setting of metrics as an avenue to attribute blame to the individuals (gross misconduct, malicious behaviour and neglect aside, of course). Instead, see this as a way of understanding what works, and what doesn’t, when it comes to your awareness-raising initiatives. Identify the behaviours that you want to see change, measure those behaviours, conduct an awareness-raising activity, then measure again. Repeat this approach and before too long you will have a good data set with regard to your awareness-raising endeavours. This should be extremely helpful in identifying what works (and what does not) and may also provide useful metrics to be reported to senior executives, for example if you are seeking more investment to boost the awareness-raising budget.
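The measure, intervene, measure-again loop above is easy to describe and easy to get wrong: a drop from 24 to 20 per cent on a handful of people is noise, not a result. The following is an added example, not taken from the book or from Cygenta’s own tooling, that compares two behaviours (click rate on a simulated phish, which we want to fall, and report rate, which we want to rise) before and after an awareness session. The campaign counts are constructed for illustration; the functions (`compare`, `campaign_report`, `wilson_interval`, `two_proportion_z`) are this example’s own names. Any behaviour that can be expressed as a count over a denominator can be fed through the same code.

```python
"""Before/after comparison of measured behaviours around an awareness
activity (added example; not from the book or Cygenta).

The data below are constructed: a simulated-phishing exercise run before
and after a training session, counting recipients who clicked the lure
and recipients who reported it. Any campaign metric with a count and a
denominator (policy violations, password-manager enrolments, incident
reports) can be compared the same way.
"""
import math

# Constructed sample data: recipients, clicks and reports per campaign.
BEFORE = {"recipients": 400, "clicked": 96, "reported": 48}
AFTER = {"recipients": 400, "clicked": 52, "reported": 120}


def rate(successes: int, trials: int) -> float:
    """Observed proportion, guarding against an empty campaign."""
    return successes / trials if trials else 0.0


def wilson_interval(successes: int, trials: int, z: float = 1.96):
    """Wilson score 95% interval for a proportion. Unlike the naive
    p +/- z*sqrt(p(1-p)/n) it behaves sensibly for small counts and
    never leaves the [0, 1] range."""
    if trials == 0:
        return (0.0, 0.0)
    p = successes / trials
    denom = 1 + z * z / trials
    centre = (p + z * z / (2 * trials)) / denom
    half = z * math.sqrt(p * (1 - p) / trials + z * z / (4 * trials * trials)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def two_proportion_z(k1: int, n1: int, k2: int, n2: int) -> float:
    """Pooled two-proportion z statistic for H0: rate1 == rate2.
    |z| > 1.96 corresponds to p < 0.05 (two-sided)."""
    pooled = (k1 + k2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:
        return 0.0
    return (k1 / n1 - k2 / n2) / se


def compare(before: dict, after: dict, metric: str, lower_is_better: bool) -> dict:
    """Measure -> intervene -> measure again, for one behaviour.
    'improved' is only claimed when the change is in the wanted
    direction AND statistically distinguishable from noise."""
    b_rate = rate(before[metric], before["recipients"])
    a_rate = rate(after[metric], after["recipients"])
    z = two_proportion_z(before[metric], before["recipients"],
                         after[metric], after["recipients"])
    right_direction = a_rate < b_rate if lower_is_better else a_rate > b_rate
    significant = abs(z) > 1.96
    return {
        "metric": metric,
        "before_rate": b_rate,
        "after_rate": a_rate,
        "before_ci": wilson_interval(before[metric], before["recipients"]),
        "after_ci": wilson_interval(after[metric], after["recipients"]),
        "z": z,
        "significant": significant,
        "improved": right_direction and significant,
    }


def campaign_report(before: dict = BEFORE, after: dict = AFTER) -> dict:
    """Click rate should go down; report rate should go up."""
    return {
        "clicked": compare(before, after, "clicked", lower_is_better=True),
        "reported": compare(before, after, "reported", lower_is_better=False),
    }


if __name__ == "__main__":
    for name, r in campaign_report().items():
        lo, hi = r["after_ci"]
        print(f"{name}: {r['before_rate']:.1%} -> {r['after_rate']:.1%} "
              f"[95% CI {lo:.1%}-{hi:.1%}], z={r['z']:.2f}, "
              f"significant={r['significant']}, improved={r['improved']}")
```

Report the interval alongside the point estimate when you take these numbers to the board: a rate that moved but whose intervals overlap is a reason to run the next cycle, not a result to fund or blame on anyone.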

MAKING THE MOST OF YOUR RESOURCES

When it comes to awareness-raising, we often have to make the most of what we have. It is common for resources to be restricted in one way or another, so how can we make the most of our resources?

Budget

Budget is a frequent challenge in cybersecurity overall, and often in human-based approaches in particular, which is why metrics are so valuable. When you can prove that your awareness-raising activities are having a positive impact on mitigating risks, you are in a much stronger position to defend or increase your budget.

If you’re in a small organisation, you don’t have to spend a great deal of money on awareness-raising to have a big impact. Make cybersecurity a standing item on the agenda at team meetings and discuss a cybersecurity story that has hit the headlines by explaining what has happened, what the impact was and how it could relate to your organisation. If you’re in a large organisation, work with your colleagues across the business to identify any campaigns where your messaging is aligned with theirs. For example, some organisations run sessions on digital wellbeing as part of wider wellbeing and health weeks, and that way they can bring cybersecurity awareness-raising to the fore in other campaigns.

Computer-based training

I am frequently asked how organisations that lack resources (time and people, as well as money) can improve their awareness-raising training. A lot of organisations attempt to solve this problem with computer-based training packages. However, these solutions are not all created equal. Many have not been designed with a people-centric approach and so fail to tackle the important questions I listed above (the whys, hows and whats) and therefore inevitably fail to engage or challenge people. When this is the case, they become a ‘click-through’ and forgettable experience that will have no positive impact on cybersecurity behaviour or culture. Poorly designed computer-based training will most likely make your job harder, adding to the perception that cybersecurity is dry, onerous and something to be avoided or dismissed as quickly as possible.

When designed with people in mind, computer-based training can be a great addition to your toolset, enabling you to reinforce and scale your efforts. The training should be digestible, engaging, fun and informative, making use of multimedia elements as much as possible, and people should be truly tested. A test that always presents the same questions and answers is not a test: people can simply retake it until they pass, brute-forcing their way through without learning anything.

Cybersecurity champions

A cybersecurity champion or ambassador programme is another way of scaling up awareness-raising activities in organisations. A champion programme follows a similar approach to health and safety in many organisations. People who are not experts or specialists are recruited to represent cybersecurity in their team or department. I have seen this approach reap many benefits, with champions facilitating better two-way conversations between the business and the security team, greater reporting of incidents and a more effective flow of awareness-raising communications. When managed well, and in the right culture, a champions programme can amplify your messages and extend their reach.

However, there are some general points to take into account when considering whether a champions programme would work for you and your organisation.

First, who will be the champions and how will you recruit them? It is usually an unpaid, volunteer position and is best not implemented as a ‘police force’. The organisations that I have seen successfully implement a champions programme have recruited people who have asked frequent questions of the security team, reported incidents, enquired about security at home as well as at work, or expressed an interest in transitioning their career to security one day.

Champions need to be kept engaged, so it is worthwhile considering how you will keep them motivated. Some great mechanisms for this are extra training, emails to their line managers highlighting their contribution to the programme, support for better security at home and, of course, goodies, which are often well-received. Some champions programmes use a mascot, selected by the champions themselves, and featured on mugs, T-shirts and stickers that are given to the champions.

No amount of goodies will make up for a lack of support, however, and so this is one of the most important considerations. While you would not expect the champions to be experts, and this is not the idea behind the concept, they will most likely want to be equipped with a decent general level of understanding about cybersecurity. How will you provide them with some training and communications? For example, you could consider whether it is feasible to occasionally bring in an external speaker on cybersecurity to run a session for the champions, or explore whether they can have a day a year at a local cybersecurity conference. These are a couple of ideas that should keep your champions engaged and fulfil some training requirements. However, you will likely still receive questions from them, either directly or which they have received from their colleagues: how will you manage those?

If possible, it is a good idea to have a forum, say on your intranet, or group in an instant messaging service (for example, if your organisation uses Slack or Teams) where the champions can communicate with one another, asking and answering questions among themselves. This is an empowering approach that also offers the opportunity to reduce the burden on you.

A champions network may enable you to scale up your awareness programme, but it does still place demands on your time, with regard to training and supporting the champions themselves. It is worth acknowledging this up-front and being realistic about the amount of time you have available, whether you can rely on other team members to support you in delivering the champions programme or if there are self-sustaining mechanisms you can put in place, such as the forum example above.

SUMMARY

In this chapter, we have looked at why cybersecurity awareness matters, how we can define and understand awareness and how it has grown over the last few decades. We have also started to address how awareness fits with behaviour and culture, which will be an ongoing theme of this book. We have looked at how to make your awareness-raising initiatives more impactful, for example with an effective champions programme. In the next chapter, we will look at other ways to build awareness and how to do this without evoking negative psychological responses to discussing a subject that arouses fear.

NEXT STEPS

Let’s look at some next steps for you to review in terms of awareness-raising in your organisation: