It was only a few years ago that many viewed cybersecurity as a compliance-based checkbox exercise. Thankfully, cybersecurity has since matured into a threat- and risk-based collaborative process that is ongoing for many organizations.

Unfortunately, a major piece of this cultural shift, the very cybersecurity culture of the organization, hasn’t always followed suit. Consider how many organizations you have been a part of, participated in, or heard about where cybersecurity was the focal point for their technical operations team yet individuals within the organization were blamed when policies and procedures weren’t followed. How many times have you heard the term “the problem exists between computer and chair” or something along those lines?

Changing the culture of an organization isn’t easy. In fact, I would argue it’s the one aspect of cybersecurity awareness that is the most difficult to achieve. You can’t simply force a new solution or provide a team with training – it goes far beyond that. It takes dedication, understanding of motivations, identification of behaviors that need changing, and – above all else – a willingness to participate. Within this article, we will begin exploring these ideas that are necessary to change an organization’s culture. We’ll do so knowing that a holistic understanding of your people is required if you wish to successfully shift the very nature of the corporate philosophy.

What is the current state of cybersecurity culture?

Some may argue that an organization which claims to have never been hacked has a great culture. The same folks would likely say that a company that has fallen victim to a public breach has a poor cybersecurity culture. I’d argue that it’s not that easy. Consider the first organization. What if they have been breached but simply don’t know it? As for the other firm, what if this latest incident was a precursor to launching a massive remediation program that moves the company into a far more secure state?

From an outside point of view, it is next to impossible to understand an organization’s security culture. This is because the people make up the culture, and, in order to approach this seismic shift, you must first obtain a complete understanding of their perceptions of security.

This leads us to define security culture within an organizational context:

The fundamental understanding of what cybersecurity includes, the roles and responsibilities necessary for a strong security culture, and the security posture of the organization itself.

Looking at one example, I spoke with individuals who said, “I don’t need to worry too much at work on what I open or click because they have controls to protect me.” They truly believed that while at the office, they could click on any link, open any attachment, and the security controls in place would protect them 100% of the time. Speaking from my experience as a security professional, there’s no truth to this perspective. The reality is that each and every individual within an organization plays an important part in enhancing the cybersecurity defense team, regardless of the security measures an organization uses to mitigate risk.

Addressing the misconceptions

In regard to the above misunderstanding, we need to look at the internal messaging that is coming across to our employees and ensure those words provide an accurate view of an employee’s role as it pertains to security. At times, a focus on “how” something comes across to non-technical persons is needed to truly understand where an organization stands. Often, this is achieved with the help of a designated group within each department. These individuals are typically referred to as business or cybersecurity champions.

Addressing the cultural gaps

Once a holistic view of the culture is acquired, you can begin identifying the specific behaviors that need to be addressed. This can be accomplished by knowing which threats are likely targeting the organization, such as CFO fraud or phishing attacks. In order to target these gaps, you must identify the specific behavior you wish to address. Using CFO fraud as an example, let’s examine further.

Targeting CFO fraud

Below are example sessions on targeting CFO fraud that’s perpetrated through email. Each session looks at a different aspect to demystify actors and their motivations and explore ways to protect against this threat. Please note that this is not a complete list of approaches.

  • Session 1 – Demystifying Hackers: Hold a session to introduce what a “hacker” is, including white hat, grey hat, and black hat hackers. Discuss and demonstrate the different motivations of each group and assess the potential risks associated with these types of hackers.
  • Session 2 – Understanding Social Engineering: Take a deeper look at the different types of hackers, their motivations, and how participants can build storylines to convince others to take certain actions. They can specifically focus on campaigns for winning prizes, sales campaigns that specify “last chance” or “clearance” events, notifications from schools regarding events, and even bank calls that require identification from the receiver.
  • Session 3 – Building a Phishing Campaign: Understand how to carry out a phishing campaign and use tools like the Social Engineering Toolkit or PowerShell Empire. This can be done in conjunction with the previous session’s storylines, and the phishing attempts can be sent among participants within a controlled lab or test environment.
  • Session 4 – Protection against attacks: Take a full circle approach and tailor to your environment. Even in a lab scenario, this session can highlight the need for participants to proactively engage in attacks prior to taking action. With the example of a malicious link, discuss the technical controls that could stop the attack. Allow the participants to vote on whether they believed the link was malicious and provide a demonstration of what happens if it were. This session can also be used to train participants on how to draft an email that doesn’t appear to be suspicious, which often happens without realization.
  • Session 5 – Phishing and Vishing used in CFO fraud: All previous sessions were used to build the foundational knowledge of motivations, methods, and types of attacks. This session goes into further depth of a specific situation. The benefit is that everyone already has a baseline of knowledge, so they will be more willing and able to participate even if it might be a situation they’re less likely to find themselves in. Even so, it’s important to keep it applicable to everyone by using examples of authorities like a bank or vendor.
  • Internal Marketing: Throughout these sessions, the marketing team can build posters and highlight habits taught within the session to reinforce that behavior. Consider notices that highlight the difference between “influence” and “manipulation” in regard to causing someone to take action. You can also have a poster that focuses on the three “R’s” of malicious actors: ruins, riches, and reputation. I have found this framing to be a great way to describe a malicious actor’s motivations.
  • Security controls: While teaching employees ways to spot and protect against a threat can prove beneficial, it remains imperative that the organization employ technical controls to assist in this effort as well. When trying to catch a malicious email, for example, you should disable macros or restrict them to trusted sources, block known malicious domains, and block emails that are sent multiple times to the same person. All of these functions are achievable by an email filter. You can also set firewall rules to disable unusual activities, which does require an existing baseline knowledge of the organization.
  • Additional Resources: Within the organization, you can host reporting buttons for phishing and/or post FAQs to aid in the identification of phishing attempts and help employees understand what actions to take if a phishing email or fraud attempt is received at home.
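
The three email-filter rules named under “Security controls” can be sketched as follows. This is an added example, not part of the original article or any product’s configuration; the domains, extension list, repeat threshold, and function names are assumptions, and macro detection is simplified to the attachment’s file extension.

```python
import hashlib
from collections import Counter
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed policy values for this sketch; none of them come from the article.
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm")   # macro-enabled Office formats
BLOCKED_DOMAINS = {"blocked.example"}            # known-malicious sender domains
TRUSTED_MACRO_DOMAINS = {"finance.example"}      # sources allowed to send macros
REPEAT_LIMIT = 2                                 # identical copies allowed per recipient

def make(sender, to, subject, body, attachment=None):  # builds constructed test mail
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to, subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed", maintype="application", subtype="octet-stream", filename=attachment)
    return m

def domain_of(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def fingerprint(msg):
    """Hash subject plus whitespace-normalised body so trivial edits still match."""
    body = msg.get_body(preferencelist=("plain",))
    text = " ".join((body.get_content() if body else "").split()).lower()
    return hashlib.sha256(f"{msg.get('Subject', '')}\n{text}".encode()).hexdigest()

def evaluate(messages):
    """Return one (verdict, reasons) pair per message, in arrival order."""
    seen, results = Counter(), []
    for msg in messages:
        reasons, domain = [], domain_of(msg)
        if domain in BLOCKED_DOMAINS:
            reasons.append("blocked-domain")
        names = [(p.get_filename() or "").lower() for p in msg.walk()]
        if any(n.endswith(MACRO_EXTENSIONS) for n in names) and domain not in TRUSTED_MACRO_DOMAINS:
            reasons.append("macro-attachment")
        key = (parseaddr(msg.get("To", ""))[1].lower(), fingerprint(msg))
        seen[key] += 1
        if seen[key] > REPEAT_LIMIT:
            reasons.append("repeated-message")
        results.append(("quarantine" if reasons else "deliver", reasons))
    return results

SAMPLE = [  # constructed messages, in arrival order
    make("ceo@blocked.example", "ap@corp.example", "Urgent wire", "Pay today"),
    make("vendor@supplier.example", "ap@corp.example", "Invoice", "See file", "inv.xlsm"),
    make("cfo@finance.example", "ap@corp.example", "Budget", "Model", "budget.xlsm"),
] + [make("promo@news.example", "ap@corp.example", "Last chance", "Claim prize") for _ in range(3)]
```

Because the From header can be spoofed, a production filter would base the trusted-source decision on authenticated results (SPF, DKIM, DMARC) rather than on the header alone.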

Motivations of participants

Traditionally, organizations focused on external or extrinsic motivations to entice persons to alter their working habits and change the company culture. This may take the form of chastisement for failing to complete your timesheet within the prescribed time frame or facing punishment for accidentally clicking a phishing email. Conversely, it could be a reward received if a desired action was taken – e.g. if you received recognition for reporting that phishing email to your management instead of clicking the link. What social science tells us is that this is actually the best way to violate your original goal, since the motivation isn’t within the action taken; it’s in the response to said action. Ultimately, when the reward goes away, so too does the action.

There is a time and place for external motivators, such as when short term engagement is desired, when a new solution is launched, or when you’re looking for volunteers to join a testing team. While this method isn’t necessarily a “bad” way of motivating, it needs to be understood that unless followed up with a desire to make these changes, the engagement ends when the rewards do.

Identifying the internal motivations of participants and of the organization’s overall culture, known as intrinsic motivation, can enhance the program with long term engagement and lead to noticeable change in problem behaviors. By looking at the individuals and why they’re motivated to take a different action, you can effectively build that cultural change. Granted, it isn’t an easy or quick solution, but it can get you where you need to be.

The article “Extrinsic Motivation Works (Until It Doesn’t): How To Cultivate Intrinsic Motivation” discusses motivating students for long term engagement. It rejects the use of quick and easy solutions like bribery, rewards, and threats. What stands out to me is that instead of approaching awareness training like a teacher, encouraging and motivating our employees to want to learn and feel safe to make mistakes in doing so, we often think, “it’s their job” and they should simply get it done. In fact, cybersecurity is a completely different skill set from their daily job, and creating a safe environment that examines individuals’ needs and wants in an effort to encourage participation is actually the approach that should be taken.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of ITEGRITI, Inc.