Explore the intersection of information security and behavioural science - and the benefits of measuring behavioral change.
No time to read? Listen instead:
Cyber security insiders are well-acquainted with a sobering reality: Technological defenses alone are no longer enough to protect organizations from the multifaceted cyberattacks we see today. The crafty manipulations of social engineering attacks have emerged as cybercriminals’ weapon of choice, demonstrating an alarming effectiveness that is hard to overlook.
According to Verizon’s latest Data Breach Investigations Report, a staggering 74% of all data breaches are attributed to the human element, which includes social engineering attacks, errors, or misuse of tools. This figure presents a challenge for cyber security professionals and companies worldwide. IBM’s research parallels these findings, listing credential theft and phishing – both heavily reliant on exploiting human vulnerabilities – as the top two attack vectors. This reaffirms the inescapable truth that the human factor is a cyber battleground in dire need of strengthened defenses.
Exploiting the human factor: Real-life examples of social engineering attacks
The evolving threat landscape has led to significant and costly repercussions for organizations worldwide, including industry titans like Twilio, Cisco, and Uber. These entities have been caught by the cunning traps of social engineering attacks, illustrating the immediate risks inherent in these strategies.
The social engineering attack on global transport services giant Uber in September 2022 is a chilling example. An alleged teenage hacker bypassed a frail MFA process using a man-in-the-middle strategy. This intrusion granted the perpetrator access to Uber’s sensitive internal infrastructure.
Yet, amid this grim reality, a beacon of hope emerges. The human element, when adequately informed and vigilant, can serve as robust protection against such cyberattacks. The Reddit incident in early 2023 underscores this: Following a sophisticated phishing attack that triggered a data breach, an alert employee immediately notified the internal security team. This swift reaction confined the cybercriminal’s access, forestalling further harm. Without this immediate action, the repercussions could have been significantly more severe.
The call for modern, effective security awareness training programs
This exponential increase in sophisticated cyberattacks has emphasized the crucial necessity for fostering a robust security culture within organizations. And central to this culture is implementing cyber security awareness training, which empowers employees to identify threats, respond appropriately, and prevent their inadvertent contribution to security breaches.
However, even if security awareness has long been a component of security strategies across companies of various sizes and industries, it’s now undergoing a fundamental shift. Traditional training models, which largely focus on fulfilling regulatory requirements and offer static content libraries, are proving ineffectual against the new-age threats that come with the professionalized cybercrime industry.
This means that the focus must shift from compliance-centric measures to initiatives that effectively cultivate secure habits among employees, enabling them to operate securely in their day-to-day work lives. By integrating principles from behavioral science into security awareness programs, companies can transition from isolated measures to continuous security culture management, providing robust protection against social engineering.
Harnessing behavioral science: 5 key advantages for cyber security awareness training
Given the transformative potential of this integration, we compiled a list that outlines all the benefits and impacts of applying behavioral science to cyber security awareness training:
1. It boosts engagement
Understanding and influencing human behavior in cyber security can significantly boost employee motivation, driving engagement in security training programs. A powerful tool in any behavioral science toolkit is gamification. By transforming traditional sessions into interactive experiences, learning becomes not just informative but also enjoyable and engaging. As reflected in a survey by Talent LMS, over 80% of respondents felt that gamification enhanced their learning and fostered a stronger connection to the content.
Another behavioral science principle that can improve employee engagement is nudging. As mentioned in our Human Risk Review 2022: “Nudging continuously increases engagement by 30% and even up to 90% in the introductory phase.” Nudging in the form of regular automated system emails nurtures interactions with users and keeps awareness in the front of their minds. Nudges can take the form of encouragements, reminders, and progress updates, among others, to ensure users are consistent with their awareness training.
Together, gamification and nudging demonstrate the profound impact behavioral science can have on security training programs. By enhancing engagement and fostering an interactive learning environment, these techniques can turn cyber security awareness from a mere checkbox exercise to a dynamic and human-centric process.
2. It increases security knowledge adoption and retention
Behavioral science-based methods like nudging play a critical role not just in engagement but also in enhancing learning adoption and retention. Traditionally, knowledge was imparted linearly, often delivered in large intense sessions. However, the ineffectiveness of lengthy workshops and monotonous learning sessions has become increasingly evident. They feel outdated and fail to deliver training’s core promise: fostering lasting knowledge.
This challenge stems from the natural tendency of knowledge retention to decline exponentially over time. Ebbinghaus’s Forgetting Curve suggests learners might forget up to 90% of what they learn within a week after training. This rate of information loss intensifies when learners deviate from their learning patterns and frequencies.
However, strategic approaches exist that can enhance information recall and reinforce training efforts. Spaced training, consistently delivered in nudges via diverse channels, allows learners to revisit and reinforce what they’ve learned. Coupled with interactive and motivating elements like quizzes, this strategy effectively combats the forgetting curve.
Incidental learning is another element in behavioral-based security training that shares similarities with nudging as it supports learning in real-life scenarios. In a world saturated with information and where time is often scarce, delivering bite-sized learning modules at critical moments is key. A learning page appearing after clicking on a phishing simulation email is a perfect example. These brief five-minute snippets of security awareness training seamlessly integrate into a busy workday, facilitating continuous learning without overwhelming the learner.
3. It empowers employees to recognize and thwart potential attacks
A crucial aspect of fostering a robust security culture is enabling employees to play an active role in identifying and mitigating threats. For this to happen, organizations must establish an environment that nurtures secure behavior and embeds tools that empower employees to take an assertive stand against cyber threats. This is easier with a behavioral science-based awareness platform that integrates specific features to make it simpler to spot and report suspicious digital activity. For example, employees who have access to the SoSafe Phishing Report Button show a 30% lower interaction rate with phishing emails as compared to those who do not have this functionality.
Such tools serve a dual purpose: They equip employees with the skills to identify and counteract cyber threats and allow individuals to visualize the direct impact of their actions on their organization’s security well-being. This tangible feedback reinforces their commitment to their training and strengthens their resolve to maintain a secure environment. As a result, employees evolve from passive participants to active defenders in their organization’s cyber security landscape.
4. It enables measurable and meaningful results
Understanding the behavior of both attackers and users, and how successful certain measures are in changing user behavior, allows organizations to anticipate attacks and neutralize them early on. Clear and meaningful metrics based on behavioral science, which we call behavioral metrics, help decision-makers understand how employees react to different threats and determine whether a specific type of training works for them.
Behavioral metrics enable organizations to perpetually modify their awareness initiatives based on these findings. For example, if a particular team displays lower phishing reporting rates than their counterparts, tailored e-learning nudges may be the catalyst needed to improve their ability to identify and report suspicious emails. These metrics offer a powerful view of the cultural impact that awareness programs have on an organization’s overall security posture.
Invaluable tools in engaging all stakeholders, from C-level executives to employees, these metrics provide tangible evidence of the effectiveness of awareness initiatives. Examples of behavioral metrics include phishing reporting rates using integrated reporting tools, the number of data assets correctly tagged with confidentiality statuses on the company intranet, the impact of gamification on e-learning completion rates, variance in click rates depending on the psychological tactics used, and time-to-report metrics.
With such metrics, organizations can proactively and measurably strengthen their cyber security culture, ensuring a more robust defense against potential threats. To learn more about behavioral metrics, download our Behavioral Security report.
Behavioral Security
5. It fosters real behavioral change
In the foundation of every robust security culture lies behavior – the everyday habits and routines that employees adopt. From securing the screen when stepping away from the desk and scrutinizing emails for potential threats to promptly informing the IT department about possible risks, every action plays a significant role in protecting the organization.
By employing behavioral science in security awareness training, we can shape these daily digital routines more effectively. It ensures that employees become aware of information security and feel motivated to adopt secure behaviors in their work environment and private lives. This motivation is strengthened when employees are equipped with the right tools, supportive context, and a sense of ownership over their organization’s security.
The positive impact of spaced learning on knowledge retention, the role of motivation in boosting engagement rates, and the empowering effects of a supportive learning environment on phishing reporting rates all showcase the value of a holistic approach to security culture. This genuine behavioral change is what organizations should strive for in their quest to foster a robust security culture.
How SoSafe applies behavioral science to boost cyber security awareness
At SoSafe, we integrate behavioral science into our every move. Our cyber security learning platform doesn’t just teach employees about cyber security – it immerses them in it. Through gamified experiences, we captivate our learners, turning the process of spotting and neutralizing social engineering attacks into an engaging journey. We also make learning as concise and efficient as possible. Nobody wants to go through the same learning lessons multiple times if they have already learned the content, which is why our e-learning allows for personalization of learning paths to save time and allow your teams to focus on their daily tasks
The authenticity of our real-life personalized phishing simulations amplifies this learning journey. These simulations, which can be precisely tailored to the employee’s role or behavior, combined with continuous learning, engrave secure habits in employees’ day-to-day activities. As these habits form, the risk to the organization decreases, and response times to incidents improve.
Security leaders also know that informed decisions drive robust security. SoSafe’s Human Risk OS provides a holistic view of your security culture by including real-time risk detection, behavioral insights, data from firsts and third-party integrations and suggested targeted interventions.
SoSafe’s platform is not only an awareness tool but a complete package of security culture management, geared toward minimizing human risks and creating a strong, proactive security culture.