When COVID-19 struck in 2020, cybercrime such as phishing and ransomware surged around the globe. In March of that year alone, email scams reportedly grew by 667%.
With cybercriminals exploiting our new-found reliance on online communications, as well as the rushed migration to cloud hosting, organizations found themselves more vulnerable not only to security breaches and data loss, but to compliance problems as well.
But as cyberthreats continue to grow at an astonishing rate, what should organizations be doing to protect their businesses from attack?
Employees are an organization’s greatest strength. But when it comes to cyberattacks, human error is estimated to be responsible for more than 90% of breaches. Properly trained employees are the last line of defense, and they are key to protecting organizations against these cyberthreats.
Many organizations have implemented security awareness training to teach their employees what to do, and what not to do, when they’re targeted, and to foster a security-first mindset and organizational culture. Yet despite 98% of organizations currently offering security awareness training to their employees, businesses are still suffering breaches. This raises the question: are organizations training their users in the most effective ways?
We spoke to Zachary Eikenberry, co-founder and CEO at Hook Security, to discuss these issues. A serial entrepreneur and a Philosophy graduate of Purdue University, Eikenberry has a passion for psychology, philosophy, and educational models that has given him detailed insight into how organizations should train their employees for maximum effect.
Eikenberry and co-founder Adam Anderson founded Hook Security in 2018 to address key problems they saw in the awareness training space. Out of that idea and extensive market research came a new approach to training and education.
“We spent a year researching the market, and where we can make an impact,” Eikenberry tells us. “We ended up concluding that we actually needed to create a new market category and get training out of InfoSec and into its own space. We call this new space ‘Psychological Security’—or, ‘PsySec’.”
Our Primitive Brain
So, what differentiates PsySec from current InfoSec methods of training, and how can it more effectively speak to users in the right ways?
Well, our brains are not just one brain—they are a collection of brains, Eikenberry tells us. “Just like all the different muscles in your hand, you have different parts of your brain. And they react differently to threat and to punitive environments.”
Threat recognition happens unconsciously, before we have time to think about it. Eikenberry calls this the “hesitation phenomenon”, and Hook Security has built its approach to training users around it.
“Let’s say, you’re walking along a path and there’s a shadow that could be a snake—you will actually jump before you look at it,” Eikenberry explains. “And so, what you have is a phenomenon where your body reacts first, and then you look to see if it was a threat or not after. We’re trying to do the same thing when it comes to recognizing phishing attacks—to get you to hesitate before you take a second look at it.”
This is the premise of PsySec. It’s based on training users to recognize manipulation and potential threats, both consciously and subconsciously, when they see them, and to hesitate before acting.
Simply telling people to hesitate is not an effective way to achieve this. Instead, training content must appeal to the primitive brain, or the “amygdala/lizard brain”: the part of the brain in which emotions are associated with conditioned responses, and the part that Hook Security targets in its training. There are two ways of targeting it.
“One way is horror, but that doesn’t produce long-term effects. Instead, what we use is humor. Humorous stories are things we repeat to others—and the more often you’re willing to share and repeat training, the more ingrained it becomes in your hesitation phenomenon.”
The key to users engaging with and retaining content is making it humorous and memorable enough that they want to share and repeat it to their colleagues.
A further benefit is that when users are invited to do the training by a colleague or friend, they retain far more of the new information. Eikenberry estimates that when information is introduced by a superior and described as compulsory, 70–80% of the information and its effectiveness is lost. “The only way to really address that is by peer-to-peer invitation,” Eikenberry adds.
But using humor and repetition is only partly how PsySec works. Another key aspect is positivity and creating psychologically safe workplace cultures and environments for employees.
Teaching, Not Tricking
“Our argument is that training has to be non-punitive,” Eikenberry explains.
Training shouldn’t be about tricking users when they don’t see it coming, or about punishing them when they make a mistake. This only serves to create a culture of distrust and fear, where employees are too afraid to speak up when they’ve clicked on the wrong thing, or simply need help. Users should feel guided and supported, and not as though they’re being unfairly tested and deceived.
“There is this idea that the bad guys out there don’t pull back punches so, when you run a simulation, you shouldn’t either. Well, there’s a number of issues with that,” Eikenberry says.
Eikenberry tells us of a recent example of a US hospital that sent its staff simulated phishing emails offering a gift card as thanks for working through COVID-19. It was the first phishing simulation those employees had ever received, and they weren’t warned about it beforehand. Employees were deeply insulted: they started a petition to prevent such phishing simulations from happening again, and involved their lawyers in the remediation.
“You should let people know. The point is not to trick people; the point is to train people,” Eikenberry says. “There’s going to be more and more lawsuits as people continue down this pathway of saying ‘Hey, we’re going to mimic what the bad guys do’, and completely disregard their company culture and the position they’re currently in.”
Instead, training in the long term should be about creating a culture in which people enjoy the training, volunteer to do more of it, and are confident that their security teams and admins are focused on educating them rather than tricking them.
“I’ve been in the classroom a number of times, and most people are surprised to realize it’s okay to tell the students the test questions in advance,” Eikenberry tells us. “If your goal is to actually train somebody then you need to get them into the material and help them develop a passion over time. You can tell people what you’re trying to accomplish with them. Respect their agency, respect their person, invite them into the process, and stop telling them that they’re the weakest link.”
One Size Does Not Fit All
So, if PsySec is a combination of humor, repetition, and positivity, how does Hook Security then go about ensuring that the training is engaging and relevant for users, as well as tailored to their tastes and interests?
“Hook Security is here to solve the ‘one size fits all’ training problem,” Eikenberry tells us. “That gets away from batch processing, where you train everybody in the same department, on the same day, on the same content, in the same way, year after year. Instead, we individualize the training experience.
“Every training specialist has always tried to make training more engaging—that’s not anything new. What Hook Security attempts to do is more along the lines of the Netflix algorithm, where, based upon your psychographics—what you’re interested in, your opinions—we match you to a training experience. It’s like the Netflix queue that’s like ‘since you watched this, you might also like these other things’; think of it as that type of algorithm. That’s our secret sauce, the thing our solution works to provide.”
This combination of educational content and entertainment is what Eikenberry refers to as “edutainment”, and it’s designed to be memorable and shareable for users.
“What we’re trying to do is match you with training experiences that you would voluntarily enroll with. By building that trust over time, we’re creating an addictive element to it. Where people continually want to volunteer and enroll, that’s where the algorithm is aimed at.
“If you watch the US Office, this is like pretzel day—the day everyone lines up for and can’t wait to enjoy. That’s what you want out of your training experiences.”
To build this profile, the onboarding process uses a “psychographic survey”: a passive method in which a user watches a video for 15 seconds and then chooses the next video to watch. After three or four minutes of this, the algorithm has an idea of the types of content and videos the user likes, and tailors its suggestions from that baseline.
Eikenberry notes, however, that this solution is still in development. “It’s going to be coming live in a true individualized fashion perhaps as late as Q1, 2022. But where we’re at right now, we’re optimistic for Q4 this year.”
Advice To Organizations
Eikenberry’s advice for organizations struggling to find an appropriate solution for their user training was to democratize the selection process.
“If it’s culturally important, you should invite everybody into the conversation at some level to participate in the selection of the training experience. Because if the organization realizes that everybody had input into the training, it creates a different level of ownership.”
Building out that security-aware and positive organizational culture is crucial to the overall success of an awareness training campaign, Eikenberry says.
“Let’s say there’s a scam, and an employee is getting an anxious text or email from who they think is their manager asking for gift cards. And they have such a toxic culture that the person would rather buy the gift cards than pick up the phone and verify.
“I look forward to the time that the industry starts promoting ongoing cultural thermostats that say you need to be checking on the pulse of your company twice a month. It doesn’t mean you train and test, but what it does mean is to check in to know where your company’s maturity level is.”
For small businesses, Eikenberry says the industry needs to make the case that training supports the overall strength of the business over time, and move away from scare stories.
“I think what could be done better is not only connecting security awareness training to de-risking the business, but also how they can use it as a competitive edge to grow their revenues and build their team culture.
“It can translate into a competitive edge where you can say ‘we are a secure business; we make sure that when you do business with us, you’re not vulnerable as well’.”
Thanks to Zachary Eikenberry for participating in this interview. If you’d like to learn more about the Hook Security platform and how it works, visit their website here: https://hooksecurity.co