When people decide to get in shape, they have to commit the time and energy to do so. Going to the gym once isn’t going to cut it. The same is true when it comes to changing the culture of an organization. To be effective in changing employee behavior, training needs to be ongoing and relevant.
Technology is rapidly evolving. New solutions are increasingly able to defend the enterprise against malicious actors from inside and outside the organization, but tools alone cannot protect against cyberattacks.
Verizon’s 2019 Data Breach Investigations Report (DBIR) found that:
While hacking and malicious code may be the words that resonate most with people when the term “data breach” is used, there are other threat action categories that have been around much longer and are still ubiquitous. Social engineering, along with misuse, error, and physical, do not rely on the existence of cyberstuff.
In short, people matter. Employee education matters.
The purely technological approach to securing the enterprise has started to unravel over the last decade, according to Lance Spitzner, director of research and community at SANS Institute. “The challenge we are facing is that we have always perceived cybersecurity as a technical problem. Bad guys are using technology to attack technology, so let’s focus on using technology to secure technology,” Spitzner said.
Increasingly, organizations have come to understand that they also have to address the human problem. The findings from this year’s DBIR are evidence that human behavior is a problem for enterprise security. According to the report:
- 33 percent of data breaches included social attacks
- 21 percent had errors as causal events
- 15 percent of breaches were caused because of misuse by authorized users
- 32 percent of breaches involved phishing
- 29 percent of breaches involved the use of stolen credentials
Calling all stakeholders
Some organizations are still running the antiquated annual computer-based training and wondering why their security awareness program isn’t working. Even when the security team understands that it must do more, creating an effective employee education program takes buy-in from a variety of stakeholders, said Perry Carpenter, chief evangelist and strategy officer of KnowBe4 and author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors.
“If they are stuck in the once a year, they have to find a way to justify moving past that, so there is some selling they have to do to their executive team in order to get support for more frequent communications and more budget. It’s essentially the higher touch that they have to sell,” Carpenter said.
Even organizations that don’t have the budget for an outside vendor can find ways to create compelling content; either way, the security team bears the burden of justifying the need for more employee engagement.
One way to sell that need, according to Carpenter, is to leverage the psychological effect known as the decay of knowledge. “We go to something and two days later, we forget most of the content. The further away we get from it, the more irrelevant, disconnected, and invisible it becomes.”
Evidence shows that a greater frequency of security education is the first step toward creating a more engaging awareness program. “In all things that you do, you are either building strength or allowing atrophy,” Carpenter said.
Once you have the buy-in to grow the company’s security awareness program, you need to figure out how to connect with people. That’s why Carpenter is a fan of a marketing approach that uses several channels.
Given that some people learn best visually while others prefer in-person instruction, identifying which content formats are most engaging for different employees will inform the types of training the program needs in order to succeed.
No more death by PowerPoint
The old computer-based training programs developed by auditors have done little to defend the enterprise against sophisticated phishing attacks. If you want people to care about security, you need to build a bridge between technology and people.
Sometimes, those who are highly technically skilled aren’t adept at communicating with people. “Traditionally, some of the biggest blockers to awareness programs were security people who believed that if the content wasn’t technical, it wasn’t security,” Spitzner said.
Now, security professionals are starting to realize that employees respond differently to different attack vectors, which is why Omer Taran, co-founder and CTO at CybeReady, said that collecting and analyzing performance data in real time is crucial to building a better awareness education program.
“Specially designed ‘treatment plans’ should include an adjusted frequency, timely reminders, custom simulations, and training content that helps to reform this particularly susceptible group,” Taran said.
For companies to stay a step ahead of cybercriminals, their employee education programs need to be engaging. That’s why building a security-aware culture is one of the most important steps an organization can take.
“Processes and policies are fine, but if you’re not winning hearts and minds and gaining buy-in from employees, it’s probably a non-starter. The bad guys don’t care how well-written your policies are, or even if you have any,” said Lisa Plaggemier, chief evangelist at Infosec.
It’s also important not to play the blame game. Rather, Plaggemier said, “empower employees with awareness campaigns and good quality training, delivered through a program that influences behavior.”
To make cybercrime and fraud protection key parts of your company culture, Plaggemier recommended that leaders and managers consider these tips:
- Be an example. Leaders have the ability to shift attitudes, beliefs, and ultimately, employee behavior. If leaders are taking security shortcuts that put the company at risk, employees will not believe the company is serious about doing everything it can to keep a secure workplace.
- Be clear. Where confusion can create a culture of reactive rather than proactive behaviors, clarity helps prioritize the work. Make it clear that protecting the business is a top priority by creating written policies and having clear processes and procedures in place.
- Be repetitive. Repetition is key for instilling good security habits in your employees. Human beings create new habits over time by repeating their actions. Encourage employees to make those out-of-the-ordinary tasks, such as calling a vendor to confirm it’s really him asking you to change his “pay to” account, become routine.
- Be positive. Fear, uncertainty, and doubt are not good motivators. Instead, use language that empowers your employees. Make people feel like they matter in the information you share with them so that they can be better, smarter, and more confident in their choices when faced with something potentially malicious.