Staff Want A Nudge For Safety Coaching
Micro-learning thwarts sophisticated cyberattacks
Despite efforts to educate and train employees to identify cyberattacks, an all-too-familiar scenario is playing out in companies around the world. An accountant or executive with “purchasing power” receives an urgent email from the CEO asking for immediate payment to an outside partner. The email contains an attachment and a message emphasizing “Discretion”, “Confidentiality” and no verification of the request as payment must be made immediately. The stressed employee quickly pays the bill, continues with his normal working day, and is shocked to be made aware of the fraud as soon as the security team identifies him.
Cybersecurity is both a technological and a psychological challenge for businesses. Regardless of their technical experience, employees are often fooled by elaborate scams using various tricks and techniques that tap into their fears, hopes, and brain functions. Additionally, cyber criminals use information from major security breaches, including Equifax, to obtain personal information from employees in order to tailor their attacks. Corporate training and HR professionals must train employees to identify and remediate cyberattacks or the company risks losing money, intellectual property, sensitive information, or all three.
Employees need help overcoming their cognitive bias
Many companies offer security training as 2-4 sessions, either during the induction of a new employee or annually as a company-wide initiative. Unfortunately, due to the lack of engagement and the long form, many employees skip the lessons and hide valuable information that could help their employer avoid a million dollar data breach. The knowledge retention rate drops by more than 50% if the training lasts longer than two minutes. A new way must be forged.
Human prejudices are innate in our nature, but that doesn’t mean organizations can’t counter them. Corporate trainers and human resource professionals need to adopt new training methods that encourage conscientiousness and vigilance towards the psychological tricks in their inboxes. The work of the Nobel laureate behavioral economist Richard Thaler from the University of Chicago shows that decision architecture and human behavior can be influenced by “subtle impulses”. Based on indirect encouragement and empowerment, nudge theory offers curated choices that encourage people to make positive and helpful decisions despite their cognitive biases. Nudge theory values shorter, contextual micro-lessons over longer training. The methodology is now effectively used in cybersecurity training to combat behavioral biases and improve the ability of companies to defend themselves against tailored cyberattacks.
People learn and respond when they are reminded to behave safely in the moment. The best examples of this lesson in action are the password strength gauges used by most retail registration forms. The meter slowly builds up from red to green as users create passwords that meet security requirements such as lowercase, uppercase, and special characters. Tapping into people’s innate need to get things done has a positive impact on users’ online behavior.
Safety training requires group work
Employees across the organization need to understand the importance of their organization’s corporate security policies, understand why they are important, detect attacks in real time, and know what actions to take to remediate an attack.
These are the key features of an effective safety coaching program that uses nudge theory:
- Help your employees understand the importance of safety
- Assess employees’ security skills and tailor training to specific role requirements
- Create engaging, easily digestible educational content within the normal work flow of employees
- Flag user risky online behavior in real time
- Don’t overdo phishing and cyberattack simulations
- Make training an ongoing practice
- Praise employees for positive behavior rather than publicly punishing them for negative ones
- Ask for feedback from employees
- Measure employee progress
A key factor in an effective safety coaching program is micro-learning. To better deliver safety training, the content needs to be engaging, relevant, and frequent. A Cornell study showed that people are more motivated and more likely to adopt new behavior when given small tasks and immediate small rewards. This feedback is particularly effective for cybersecurity training.
Conclusion
Security leaders need to prioritize people as they are the first line of defense for business cybersecurity. Using contextual nudges to remind employees of their education is a helpful tool in the fight against sophisticated phishing and social engineering techniques that exploit employees’ normal brain functions against them. CISOs essentially need to de-educate their users and make them more aware of their online behavior. Personalized coaching based on real scenarios improves loyalty, engagement and has a positive effect on user behavior.
