Chief information security officers increased their investments in making employees aware of data risks by 44% in 2015, faster than the 29% growth last year, according to recent CEB data.
Spending reached nearly $3,000 per 1,000 IT users in 2015, up from about $2,000 last year. To ensure that this fast-growing chunk of money is used well, chief information security officers (CISOs) need to know how well their awareness program is working and, ultimately, whether employees are doing the right thing.
More Effort Means Less Secure
CEB data show that most employees (over 90%) get the essential security actions right. For example, they rarely – if ever – share passwords with colleagues, leave sensitive information on their work desks, or copy or email sensitive files to their personal accounts to work on from home.
But far fewer employees do the secure thing if it requires effort, or if it is seen as a burden. For example, having to remember all those annoying passwords is burdensome, so 35% to 40% of employees opt for the insecure but seemingly easier course of action: writing down their passwords.
This is also true for “click-or-not-to-click” decisions that require an extra effort, such as checking the security of non-corporate software before downloading it. Because checking is an extra step, at least a quarter of employees fail to do so. Employees behave insecurely for other reasons as well, but the effort of behaving securely is the most common one.
Three Ways to Help Employees Behave Securely
By keeping in mind what causes employees to behave the way they do, the CISO (or firm’s “awareness lead”) should prioritize three things to change insecure behavior.
Use incentives more often: Incentives are powerful, but underused. Negative incentives (e.g., a warning from the information security team or the employee’s manager, revoking IT privileges, or negative employee reviews for related MBOs) are more powerful than positive incentives (e.g., gift cards, extra paid time off, or public recognition).
Either way, most employees say they have never been given positive or negative incentives to behave more securely; CEB data show only 6-7% of employees are offered incentives.
Make messages short and to the point: Keeping messages simple and direct makes them stick. Underscore what’s in it for the employee to behave securely and the potential consequences of behaving insecurely.
Data can be persuasive and memorable, so citing examples of other companies whose information has fallen into the wrong hands – especially scary statistics – motivates employees to pay attention.
Use experiential training: Employees are far more likely to understand and remember what to do if they take part in simulations of real-world dilemmas that require them to choose the secure course of action. This can be done with web-based tests or in a classroom.
While it may be harder to provide simulations than to write an email to all employees, it is more effective: simulations give employees a chance to make a mistake, and we all retain knowledge better when we have learned from one.