How To Influence Human Behavior To Reduce Cyber Risk
Stephen Burke, Product Director at SafeTitan, discusses how organizations can not only deliver security awareness training, but also measure its effectiveness.
Security awareness training (SAT) is the process of teaching users how to identify cybersecurity and data protection risks, as well as the best practices they should follow to help reduce those risks. SAT platforms usually require users to take training courses comprising videos, presentations, games and quizzes, and often offer a library of supplementary multimedia materials, such as infographics and articles, to help explain key concepts in more detail. Users are then assessed on what they’ve learned, either through more comprehensive quizzes or simulated attacks.
Unfortunately, despite security awareness training being a critical element of any strong security architecture, many organizations only view it as a “tick-box” exercise to prove compliance with federal and industry data protection standards. In fact, almost 1 in 5 organizations only provide security awareness training to their employees once a year—which makes it highly unlikely that those employees will actually retain any of the information they’re given, let alone be able to apply it in real life situations.
To find out how organizations can make sure they’re delivering effective security awareness training that will help reduce cyber risk, we spoke to Stephen Burke, CEO and founder of Cyber Risk Aware and Product Director at SafeTitan. Burke has over 30 years of experience in the IT space, working in COBOL development, database administration, Unix administration, auditing and ethical hacking before achieving an MA in cybersecurity and going on to become a CISO. This wealth and breadth of experience has given Burke a deep understanding of the security issues that organizations face at every level, as well as the challenges that come with addressing those security issues.
As a result of this, Burke left his CISO role in 2016 to found Cyber Risk Aware, a security awareness training company. Earlier this year, Cyber Risk Aware was acquired by TitanHQ and the platform is currently being rebranded as SafeTitan, with Burke continuing to work as Product Director.
What made you want to start up a security awareness training platform, and why is it important for organizations to implement a human-centric solution—such as security awareness training?
As a CISO, whenever I was aligning my security architecture with my limited time, limited people and limited money, I spent my resources on the most prioritized risks. That ultimately meant implementing a lot of technical solutions across the network to give me visibility of network traffic and help us improve our incident response. We had endpoint protection, intrusion detection, log aggregation—but having invested in all those areas, I found that it was the actions of people that were causing my incidents.
And these people were highly professional and had the experience to understand risk.
So, I had the realization that I could keep spending money on tech ‘til I was blue in the face, but the action of one staff member could undermine all of that. And that really was the catalyst for trying to find a way of doing things differently.
Security awareness training had been a tick box compliance exercise until then, and so many companies are still doing that today. But I said, “You know what, we need to do something different here. It has to be small and often, it has to be much timelier, and we have to send the message to people in the right context.”
So, that was the vision that I had: to deliver the right message to the right user at the right time, to help create a network of human sensors that collectively would be able to protect the corporate network. Technical protection still has a place, and you do need to have it, but it’s not the be-all and end-all.
But the messaging around the training is also important. IT teams have to explain that everyone has a role to play as part of the security team; everyone has responsibilities and obligations as part of the company to protect the company because, if the company gets hit by a cyber-attack, it could go out of business and that would affect everyone. We’re all in this together.
Security people often say that people are the weakest link. But that’s wrong. People are security assets if we help them in the right way.
What is SafeTitan’s typical customer base, and what are the main challenges you’re helping them solve today?
People cyber risk affects every company in every sector around the whole world. But there are sectors like financial services, law firms and retail and manufacturing, which have higher regulatory requirements. And a huge driver now is that companies have to be doing security awareness training in order to get cyber insurance, or they’re provided security awareness training by a local provider through their policy. And if they don’t use this, their premium either goes up or their policy isn’t renewed.
Outside of that, we have three different types of customers: MSPs, SMBs and mid- to large enterprises. The MSP is saying, “I’ve got all these SMB customers that have outsourced their security to me. I need to be able to offer security awareness training because everyone needs it to stop incidents from happening.” TitanHQ have an MSP-first strategy, so we work really well with these organizations.
Then we have small and medium businesses that want to offer training to their staff and maybe run phishing simulations. And this is either to get cyber insurance or to reduce the risk.
Then we have the mid- to large enterprises, and there are more mature organizations in that space. And what I mean by that is, they’re probably already doing scheduled phishing simulations and security awareness training. But now they don’t want to just send scheduled training, they want to send realistic phishing scenarios to identify each user’s susceptibility to phishing emails, so they know who to send training to, rather than sending it to everybody. This helps reduce the cost to that company.
They also want to know how effective their security awareness training program is.
How do you measure how effective a training program is?
When I say “effective”, we’re trying to measure the influence on positive behavior change to decrease risk. That’s what security awareness is all about. It’s not about just saying, “I’m doing training or phishing simulations.” It’s asking whether we’ve influenced behavior change to reduce risk.
A lot of people think this means looking at training completion rates, which tell you how many people have taken the training you’ve assigned. But does that tell you how effective that training has been? No! I call that “spray and pray”—sending training and hoping some of it sticks. But that doesn’t give you the data that shows the training to be effective.
That’s why SafeTitan is different. You’re monitoring your devices and generating security alerts when you see certain things happening, or your staff doing stuff they shouldn’t be. Our platform uses those alerts to trigger training content, so that the context in which you send the content is always relevant.
This is more cost-effective, it’s stickier, and it gives us the data to measure the effectiveness of the training. Every time an alert is triggered and comes into us, we map that alert or behavior in our database. This allows us to see the frequency of that behavior and monitor how it changes over time. You can measure this by user, by department, by country, by office, by business unit, and by organization.
And the beautiful side of it is, unlike most enterprise-grade software, it doesn’t just give mid- to large enterprises the ability to demonstrate how effective their training is. MSPs can also offer this technology to their SMB clients, who maybe don’t initially know to seek that information.
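The measurement Burke describes (mapping each alert to a behaviour, tracking its frequency over time, and rolling it up by user and department) as an added worked example. This is illustrative code written for this page, not SafeTitan’s; the alert and nudge records, the 30-day comparison window and the function names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not SafeTitan's): alerts mapped to a risky behaviour, and
# the real-time nudges those alerts triggered for each user.
ALERTS = [  # (user, department, behaviour, ISO timestamp)
    ("alice", "finance", "unapproved_download", "2024-01-03T09:12"),
    ("alice", "finance", "unapproved_download", "2024-01-10T14:40"),
    ("bob", "finance", "unapproved_download", "2024-02-01T10:00"),
    ("bob", "finance", "unapproved_download", "2024-02-15T10:00"),
    ("bob", "finance", "unapproved_download", "2024-02-28T10:00"),
    ("carol", "sales", "unapproved_download", "2024-01-20T08:30"),
]
NUDGES = [  # (user, behaviour, ISO timestamp) of each nudge sent off the back of an alert
    ("alice", "unapproved_download", "2024-01-15T09:00"),
    ("bob", "unapproved_download", "2024-02-05T09:00"),
]

def per_user_counts(alerts, nudges, behaviour, window_days=30):
    """Alerts per user in the window before vs after their first nudge for `behaviour`.
    Never-nudged users keep every alert in 'before' and are flagged, so an empty
    'after' count is not mistaken for improvement."""
    first = {}
    for user, b, ts in nudges:
        if b == behaviour:
            first[user] = min(datetime.fromisoformat(ts), first.get(user, datetime.max))
    window, counts = timedelta(days=window_days), {}
    for user, dept, b, ts in alerts:
        if b != behaviour:
            continue
        rec = counts.setdefault(user, {"dept": dept, "before": 0, "after": 0, "nudged": user in first})
        delta = datetime.fromisoformat(ts) - first[user] if user in first else -window
        if -window <= delta < timedelta(0):
            rec["before"] += 1
        elif timedelta(0) <= delta <= window:
            rec["after"] += 1
    return counts

def department_rollup(counts):
    """Sum nudged users per department and report the percentage change in frequency."""
    by_dept = defaultdict(lambda: {"before": 0, "after": 0})
    for rec in counts.values():
        if rec["nudged"]:
            by_dept[rec["dept"]]["before"] += rec["before"]
            by_dept[rec["dept"]]["after"] += rec["after"]
    for v in by_dept.values():
        v["change_pct"] = round(100.0 * (v["after"] - v["before"]) / v["before"], 1) if v["before"] else None
    return dict(by_dept)

def needs_follow_up(counts):
    """Nudged users whose behaviour did not drop: the ones to target with extra training."""
    return sorted(u for u, r in counts.items() if r["nudged"] and r["after"] >= r["before"])
```

The same per-user records can be rolled up by country, office or business unit by swapping the grouping key in `department_rollup`.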
One of the key features of your solution is phishing simulation, which is a contentious topic amongst IT professionals and end users. How can organizations ensure that simulations are effective, rather than viewed as a means of punishment that causes distrust towards security teams?
What really irritates me as a CISO is when I hear about simulations being implemented with a consequential model, i.e., “I’m going to run phishing simulations and after three strikes I’m going to sack somebody.”
Let’s come back to what I said at the start. You need to bring all your staff on a journey so the business is successful. A CISO who is potentially going to sack a person when they fail a phishing simulation is going to create friction in their organization, and the culture in that organization is going to become toxic. So, we need to take a step back and call that out as being absolutely irresponsible.
Our job as security professionals is to raise awareness, to help people, and guide people. Phishing simulations are only ever to be used to help people. Now, how can you help people with phishing simulation tests?
Well, the senior management team must explain that, as part of the company’s security awareness training program, they’re going to run phishing simulations—some of which will be easy to spot and some that’ll be difficult to spot. And that the whole goal is just to highlight to staff what a real attack may look like, so they know to report anything suspicious so it can be analyzed and responded to properly.
They need to say, “I’m trying to help you, so you can help us as a company avoid becoming a victim of cybercrime.”
They also need to explain that they’re not going to do naming and shaming. That’s the kicker: “We are not going to name and shame you, it’s not going to go on a leaderboard, and you’re not going to lose your job.”
And what if someone is tricked by a simulation? Well, they get a message that says, “This was a company-sanctioned phishing email, please don’t worry. All we’re trying to do is teach you that if you ever see something like this, report it to us using a reporting button, or let us know by calling your line manager, and then we will respond to it.”
That’s really how it’s supposed to be.
You say that leaderboards aren’t the best way of encouraging employees to engage with training—yet a lot of SAT platforms use these as a form of gamification, to encourage competition. What are some of the problems with using a leaderboard, and what alternatives would you suggest?
Every organization has different types of people: extroverts and introverts, for example, as well as people who are neurodivergent, people who just prefer quiet, and many others. And not everyone in the room is going to be happy if their name is up there as being on the lower side. You’re calling people out, and I just don’t think that’s healthy.
There’s more to lose than there is to gain from this type of gamification. Some people might love it, but others won’t want their name up there.
So, on our platform, we have a gamified “human firewall” award for each individual user. They don’t have to look at it if they don’t want to; however, the goal of that is that the user can aspire to get a higher personal rating. Rather than being a novice, maybe they want to be an expert. It could become an annual goal that’s discussed between the manager and that user, to help them become more aware at home as well as in the workplace. But it’s all down to the individual’s aspirations, and only the individual can see their own score.
As well as for security purposes, many organizations implement security awareness training to help educate their employees on other topics, such as data protection standards. How does SafeTitan help organizations do this?
Our job as content providers is to have the content on those subject matters. We have a PCI-DSS course, we have HIPAA, GDPR, Kenyan data protection, we’ve got the POPI Act—if a client needs to send to their users, we have it on the platform. That’s our job.
We also offer the ability for companies to upload their own content onto our platform. One of the key features of that is policies. Every year, users click that they’ve read and accepted their company’s policies. So, then there’s an assumption that they know absolutely everything in those policies. But the reality is, everyone in security knows that you don’t know what’s in that policy. The documents are too long and they’re too complicated.
So, we need to break policies down into bite-sized chunks. By doing this, you can raise awareness of policies and also let users know that there’s an update to a policy. Our platform enables policies and snippets of policies to be displayed to users either according to a schedule, or in real-time based on security alerts called “incident awareness moments” or real-time “nudges”.
So, if I saw you downloading free software, I could send a message in real-time that said, “Dear Caitlin, we’ve seen you tried to download free software. Company policy states that you must always install software through IT, so we can get you a clean, licensed version that’s approved. Otherwise, you could cause ransomware.” And you might say, “Oh my gosh, I didn’t realize, I was only trying to do my job! I had no idea we had that policy, or that I was taking a risk!”
Having these nudges is like having a cyber guardian angel on someone’s shoulder, literally guiding someone in their moment of need. Because nobody wants to be the person that causes an incident.
What would your final piece of advice be to organizations struggling to secure themselves against today’s email threats?
Don’t lure yourself into thinking that you are actually changing behavior just because you’re doing scheduled phishing simulations and scheduled training. They’re just an action you’ve taken, and you have statistics to say you’ve done it.
You must be able to assess gaps in knowledge and make sure that any training you send is confirmed as having been absorbed by that staff member. Use quizzes to do that.
But at the same time, the cost of delivering training to businesses is growing because it’s not just security awareness training—it’s also policy and compliance training. But you can reduce those costs by training in real time, off the back of the other security investments you’ve made—the visibility of the network traffic and the actions of staff. Use that to maximize the return on that investment.
This also lets you send those bite-sized notices to staff, which are going to show that you’ve actually changed behavior, and not just sent out content and you’re now praying that it’s been retained.
Mid- to large enterprises have the sophistication of insight to achieve that themselves, because they’ll have bought those products. And those smaller companies that don’t have those technical products can outsource it to MSPs and other partners, but they should be telling them they don’t just want phishing statistics and training completion statistics. They need to say they want the data that shows they’ve had an effective program by influencing and changing behavior that reduces human cyber risk.
Thank you to Stephen Burke for taking part in this interview. You can find out more about the SafeTitan security awareness training platform via the TitanHQ website.
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.