Companies invest increasingly in awareness programs, but yet we still regularly face information security breaches due to banal mistakes, such as clicking on the wrong link, using weak passwords and answering a WhatsApp message that asks for our verification code. Why is this? How can we change this? And is it at all possible to change behavior through awareness training?
Experts have been warning that the majority of information security risks are due to human behavior and they keep emphasizing the importance of security education and security culture. But how can you ensure that security awareness training actually results in secure behavior?
The secret to effective security awareness training
Infosequre's mission is to help organizations educate employees and turn them into the first line of defense against cyber risks. Anna Macsai of the Security & Continuity Institute (SECO) interviewed Wilbert Pijnenburg, our security awareness expert, about what distinguishes our training method from others.
Wilbert: "What is special about Infosequre's training method is that we use behavioral theory to design training that leads to actual behavior change. The theory of planned behavior, that underpins our programs, states that 3 components determine human behavior:
- Personal attitude: what do I think the result of my behavior will be? And how do I evaluate that result?
- Social norm: what do people around me think and expect of me?
- Perceived control: how capable am I to behave in the expected way?
All 3 components are addressed in our security awareness programs." Watch the interview to see how we do this.
Subjects that are discussed in the interview
- Theory of planned behavior: how does Infosequre make sure all 3 behavioral components are addressed in security awareness programs?
- Behavior change in areas where there is no to little personal involvement: what can you do to protect information that is very important to the company, but not so much to the employee on a personal level?
- Interactive training: does gamification help to make employees aware of risks?
- Working from home: now that half of the world is teleworking and there’s no option to meet in the office do we lose the power of positive social norms that have been established in the office?
- Maintaining security awareness: awareness is a process and it’s never complete. It has to be maintained at all times. How should companies approach the problem of maintaining an awareness level without boring employees out?
