Companies are starting to take a new approach to getting employees to be more vigilant about cybersecurity. Instead of punishing employees when they make mistakes, they’re rewarding them when they do something good.
The problem, security experts say, is that the usual security training is a big turnoff for employees. Most of the time, all it does is try to instill fear of clicking on suspicious links or using weak passwords. But research shows that approach doesn’t work. Even with training, employees are still prone to making simple security mistakes that leave a company vulnerable to damaging hacks.
Now some companies are abandoning the stick for the carrot. In some cases, they’re using games, contests and prizes to teach employees lessons about staying safe. Others are sticking with more familiar training methods but rethinking them so that employees feel more comfortable with the instructors. And research suggests the new approaches are working.
The current training sends “the wrong message,” said Amadeus Stevenson, chief technology officer of education-technology company Decoded, at a recent industry conference in New York City.
“Ask a young colleague to do word association,” Mr. Stevenson said. “When you say dog, they say cat. But when you say cybersecurity, they will say, ‘I’m sorry I clicked that email, please don’t send me to cybersecurity training.’ They’re terrified.”
Prizes for safety
Success is crucial, since many security experts say that the biggest threat companies face is from within, from careless employees. Despite years of employee training, an estimated 91% of cyberattacks begin with a “phishing” email, in which an employee clicks on an unsafe link, according to a December 2016 study released by PhishMe Inc., a company that protects against email fraud.
One of the biggest efforts to rethink training comes from Facebook Inc., which holds a “Hacktober” event every October to coincide with National Cybersecurity Awareness Month. In this monthlong program, Facebook tests employees by simulating a variety of phishing attacks, spam campaigns and other threats. Staffers who fend off the attacks are rewarded with memorabilia and other prizes. Betsy Bevilacqua, head of security programs and operations at Facebook, says the program has experienced “high engagement rates” and has been met with “a lot of positive feedback.”
Other companies take traditional training methods and make them more personal. Some, for instance, use a system where security teams identify executives who present especially valuable targets for hackers, then train the executives and their families at home. The personal setting helps to get the lessons across, says Lance Spitzner, a director at the SANS Institute, a security-training organization that has endorsed the idea and is developing its own approach. “It’s a more relaxed situation at home,” he says.
Some major companies—including the cloud-computing giant Salesforce.com Inc. and Adobe Systems Inc.—have adopted a method where security experts don’t do the training. Regular employees do.
In this setup, employees without a security background are trained in best practices. Then they get incentives to help their co-workers by conducting training sessions, organizing contests and approaching security in a way nontechnical employees can understand.
“It’s one thing to hear from the corporate security team, but another to hear about these things from your buddy,” says Julia Knecht, Security and Privacy Architecture at Adobe.
The employees who led training would get points “which could be turned in for airline miles, a parking spot, free clothing or something fun like a lock-picking class,” says Masha Sedova, the former senior director of trust engagement at Salesforce, who has since co-founded the training firm Elevate Security.
Slow to catch on
Positive-reinforcement campaigns are often one of the best ways to modify risky behavior, but they’re “definitely an outlier” in the corporate world, says Ms. Sedova. Companies typically rely on awareness tests and off-the-shelf tutorials, which security experts say are often useless because employees see them as a chore.
Other simple security measures are often ignored as well. In 2015, researchers at the Computing Technology Industry Association, a nonprofit trade group, dropped 200 USB sticks in airports and coffee shops around the country, only to find that a significant number of passersby—including several IT industry workers, cybersecurity experts and people who said they were aware the device may have been infected with malware—picked up the devices and plugged them into a computer.
On the other hand, evidence is piling up that games and other exercises using positive incentives do get the job done. That was the conclusion of a report issued in 2012 and delivered to the U.S. Department of Homeland Security by RTI International, a nonprofit research institution based in Research Triangle Park, N.C.
The report found that students changed their cybersecurity behavior after a phishing exercise that sent encouraging emails for correct behavior and reprimanding emails for incorrect behavior. “Feedback and behavioral reinforcement messaging in our experiments led to improvements in risky behavior on both phishing email and password use,” according to the study.
Another study by researchers at the University of Maryland, Baltimore County’s Cyber Defense Lab in 2014 found high-school students were easily able to learn about encryption, authentication and software updating through a multiplayer computer game called Security Empire. In the game, players are business owners who take financial hits and suffer production delays if they make security mistakes. Students compete against one another to create the most successful company, and the teacher is given a summary of who suffered from security lapses.
“Some of the gaming methodologies have been successful in high-tech industries where it becomes a competition between people,” says Mischel Kwon, chief executive of the security consulting firm MKA Cyber Inc. and former director for the U.S. Computer Emergency Readiness Team, a division of Homeland Security responsible for reducing cybersecurity threats and spreading awareness about best practices.