In 2000, it was predicted that semantic attacks, which target humans and exploit the weaknesses in human information processing, would become the primary attack vector of cybercriminals. It is a well-established fact that humans are the weakest link in the cybersecurity chain. In an organizational setting, this means employees are the prime target for a cyberattack. Evidence for this statement can be found in the 2017 Data Breach Investigations Report released by Verizon, which reports that in 2017, 34,075 security incidents occurred due to weak or stolen passwords. To mitigate the threat of semantic attacks on its employees, an organization can adopt a strategy of expanding employee training programs and building an environment of higher awareness of information security threats among its employees.
International agencies such as the National Institute of Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA) have adequately addressed the need for and importance of information security awareness training. NIST released SP 800-50, which provides guidance on developing, designing, implementing and maintaining an effective information security awareness program. The NIST publication includes information awareness development materials such as a needs assessment interview and questionnaire, training metrics, a training program template and awareness posters.
ENISA released The New Users Guide: How to Raise Information Security Awareness, which contains practical advice on increasing information security awareness among different entities, including small and medium-sized enterprises and individual users. Although these guidelines provide an in-depth understanding of how to develop a comprehensive information security awareness training program, the design approach prescribed for critical elements of awareness materials remains very traditional. ENISA’s guideline includes a separate section on developing an effective communication campaign planning process. Meanwhile, improvement of the human aspects of cybersecurity has been attracting more attention recently. In its recent report, ENISA stressed the need to develop a cybersecurity culture in organizations. A cybersecurity culture aims to change employees’ jobs, habits and conduct in daily business transactions so that cybersecurity is given greater consideration. There is an opportunity to bring about behavioral changes in employees in order to implement a cybersecurity culture in organizations.
To drive the behavioral changes needed in employees, information security researchers and managers should consider looking at the latest developments in allied fields such as psychology, behavioral science, human factors and economics. Newer theories have emerged that explain human behavior and how it can be changed to obtain desired results. One such idea is nudge theory. In their seminal article, the authors of nudge theory propose the philosophy of “libertarian paternalism,” which describes how to introduce behavioral changes in people by altering the choice architecture. Over the years, many governments and organizations have used nudge theory to introduce behavior changes in their citizens and employees in different settings. There is scope for applying nudge theory in the information security field, particularly in developing information security awareness campaigns. The campaign materials used for information security awareness, such as posters or flyers, can be designed using nudge theory methods to make them more effective. This is worth considering, as a rethink of strategies for the design of information security awareness campaigns is the need of the hour.
Editor’s note: For further insights on this topic, read Sudeep Subramanian’s recent Journal article, “Nudging Our Way to Successful Information Security Awareness,” ISACA Journal, volume 1, 2021.