Beyond the Status Quo, Part 3: How to Reduce Human Risk by Changing Users’ Mindsets and Behaviors 


This is the final installment in a blog series where we cover topics from our Wisdom 2023 sessions. In each blog, we have explored creative techniques for inspiring engagement in security awareness and building a strong security culture. In the first article, we covered how to personalize and invigorate your curriculum for your users using threat intelligence. Then, last week we learned about impactful ways to keep users and security practitioners engaged in continuous learning.

Security teams have long believed that people who take risky actions lack security awareness. So, when users fail trainings or phishing assessments, they assign them more trainings and assessments in the hopes that they will improve. But our recent survey found that the majority of users who took risky action in the past tend to bypass security guidelines on purpose. Given this finding, it would seem that more training alone will do little to help change user behavior. 

At our annual customer conference, 2023 Proofpoint Protect, our customer panelists delved deep into the top behaviors that increase risk for companies. They also discussed the reasons that training alone is not as effective as people expect it to be. And they shared various ways to motivate employees to prioritize security and take a holistic approach to reducing people risk. Let’s look at some of their key insights and advice. 

3 types of users represent the biggest risk 

People remain attackers’ primary target. Anyone can pose a risk to a business, but some users tend to be a higher risk than others. Our panelists called out the following types of users who require extra attention or could use more help or communication: 

  • Click-happy users. Email remains the number one threat vector, and attackers rely heavily on social engineering tactics to target people. So, click-happy users can pose a higher risk to businesses even if they don’t have access to critical data or systems. 
  • Negligent users. These employees believe security has nothing to do with them. They see it as someone else’s job. And they don’t think they play a role in securing the business other than to complete mandatory training assigned to them. 
  • Frustrated users. These employees view security as a barrier. They overlook the importance of following security best practices and try to go around security controls to meet other objectives. 

Think outside the box to identify your people risk 

The most common ways to identify vulnerable users include conducting a phishing simulation and a knowledge assessment. Our customers told us they went beyond phishing tests and used threat intelligence to better identify risky users and quantify people risk.  

They talked about using Very Attacked People™ (VAPs) insights derived from the Proofpoint Aegis threat protection platform to uncover their most attacked users and top clickers. They also reviewed users who repeatedly failed phishing tests, and those who have business privileges to access sensitive data.   

Our panelists shared how they factored in the results from gamified training and survey tools to enrich the people risk score. Measuring employees’ attitudes toward security can help security teams get an idea of cultural shift.  

Nandita Bery, our panelist from Equinix, went a step further and worked with the security operations team to track which user actions each security control blocked, then factored those security events into individuals’ risk scores. (There are tools on the market that generate user risk scores from specific user behavior; social media scraping tools and Proofpoint Nexus People Risk Explorer are examples.) 
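The approach the panelists describe above, combining signals from several sources (events blocked by each control, phishing-simulation failures, most-attacked status, privileged access) into one per-user score, can be demonstrated with a small script. The following is an added example, not Proofpoint code and not the scoring model of any product named on this page; the log format, control names, weights and multipliers are all assumptions chosen for illustration, and the events and user attributes are constructed.

```python
"""Added example: build a people-risk score from per-user security events.

Assumptions (not from the original post): the log line format, the set of
controls, the per-control weights and the VAP/privilege multipliers are all
invented for illustration. Adjust them to your own telemetry and risk appetite.
"""
import re
from collections import defaultdict

# Constructed sample events. One line per event, newest controls included:
#   <timestamp> control=<name> user=<email> action=<blocked|failed|allowed>
SAMPLE_EVENTS = """\
2023-10-02T09:14:03Z control=email_gateway user=alice@example.com action=blocked
2023-10-02T09:20:41Z control=web_proxy user=alice@example.com action=blocked
2023-10-03T11:02:17Z control=phish_sim user=alice@example.com action=failed
2023-10-03T11:05:52Z control=phish_sim user=bob@example.com action=failed
2023-10-04T08:31:09Z control=dlp user=carol@example.com action=blocked
2023-10-04T08:32:10Z control=dlp user=carol@example.com action=blocked
2023-10-05T16:47:33Z control=email_gateway user=bob@example.com action=blocked
2023-10-05T16:49:00Z control=web_proxy user=dave@example.com action=allowed
"""

EVENT_RE = re.compile(r"control=(\S+)\s+user=(\S+)\s+action=(\S+)")

# Assumed weights: how much a single intervention by each control contributes.
# A proxy block means the user already clicked; a failed simulation means the
# user fell for the lure; a DLP block means sensitive data nearly left.
CONTROL_WEIGHTS = {
    "email_gateway": 1.0,
    "web_proxy": 2.0,
    "phish_sim": 3.0,
    "dlp": 2.5,
}

# Attributes from other sources (assumed): "vap" marks a most-attacked user,
# "privileged" marks access to sensitive data or systems.
USER_ATTRS = {
    "alice@example.com": {"vap": True, "privileged": False},
    "bob@example.com": {"vap": False, "privileged": True},
    "carol@example.com": {"vap": False, "privileged": True},
    "dave@example.com": {"vap": False, "privileged": False},
}


def parse_events(text):
    """Yield (control, user, action) for each line that matches the format."""
    for line in text.splitlines():
        match = EVENT_RE.search(line)
        if match:
            yield match.group(1), match.group(2), match.group(3)


def count_interventions(events):
    """Per user, count events where a control had to stop or fail the user."""
    counts = defaultdict(lambda: defaultdict(int))
    for control, user, action in events:
        if action in ("blocked", "failed"):
            counts[user][control] += 1
    return counts


def score_user(control_counts, attrs):
    """Weighted interventions, scaled by how attacked and how privileged the user is."""
    base = sum(CONTROL_WEIGHTS.get(c, 1.0) * n for c, n in control_counts.items())
    attack_factor = 1.5 if attrs.get("vap") else 1.0
    privilege_factor = 2.0 if attrs.get("privileged") else 1.0
    return round(base * attack_factor * privilege_factor, 2)


def people_risk_scores(text, user_attrs):
    """Return {user: score} for every known user, highest risk first."""
    counts = count_interventions(parse_events(text))
    scores = {}
    for user in set(counts) | set(user_attrs):
        scores[user] = score_user(counts.get(user, {}), user_attrs.get(user, {}))
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for user, score in people_risk_scores(SAMPLE_EVENTS, USER_ATTRS).items():
        print(f"{score:6.2f}  {user}")
```

With the constructed input, carol ranks highest even though she never failed a phishing test: two DLP blocks combined with privileged access outweigh alice’s three lower-weight events. That is the point of enriching a score beyond phishing results alone; the weights are where your own judgement about each control belongs.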

The key is to think outside of the box because there are more effective and meaningful ways to identify and quantify people risk than tracking the training completion rate. 

Motivate employees by making security easy and personal 

“It’s easy for security people to forget that our colleagues have a day job that isn’t security. If security is perceived as a barrier to that, it’s going to be a challenge for everyone,” said Molly McLain Sterling, our panelist from Medtronic. 

So, how can security professionals motivate users to prioritize security instead of bypassing it? The answer is clear, and our panelists agreed: Businesses need to make security easy for employees. The panelists also shared these tips on how to keep users engaged and get their buy-in: 

  • Put security into a business context 

Jason Williams, our panelist from Aecon Group Inc., said, “It’s important to explain why to your user— why security matters to them and why it matters to the company.” Show people the consequences and the impact of neglecting security practices. Use real-world examples to help employees understand why they should care.  

  • Make it relevant  

Eighty percent of security professionals have two hours or less per year to make an impact on end users. To get people’s attention, security teams need to tailor training to individual roles and needs. Use targeted messaging for users in specific departments, too. 

  • Build trust with people 

While some companies still take a punitive approach with employees to stop unwanted behavior, we see more businesses moving toward rewarding positive behaviors. It’s essential to build trust with employees. When someone takes a risky action, listen to them and try to find out the underlying reason rather than assuming one. Scare tactics push people away, and they will not get people invested in security in the long run. 

Use threat intel strategically  

To turn employees into a strong line of defense, security professionals need to empower them with the right tools and knowledge. They need to know about the latest attack tactics, and they need to know the threats that are trending. Using threat intel intelligently helps to actively engage employees in security issues and make them more resilient to the threats targeting them. 

As our panelists stated, it’s important to get specific about the risks your business faces. Knowing that specific groups must manage specific risks, security professionals should provide targeted messaging, training and assessment to those users.  

For example, consider training your human resources department on payroll redirect scams and training the finance department on supplier invoicing fraud. Focus on the threats that get through your security controls and prepare your employees to spot those potential threats. 

What’s next? 

In this blog series, we provided some key insights and recommendations shared by our customer panelists to help you to improve your security awareness program over time. Remember, driving behavior change and mitigating human risk is a journey. And that journey continues. Cybersecurity Awareness Month is almost over—but the effort to change unsafe behavior should go on. 

We aim to support your ongoing growth and success. As we head into the holiday season, we expect to see a surge in holiday scams, such as fake shipping notifications, unexpected order confirmations and more. In our upcoming webinar, “Use Caution with Cheer: ‘Tis the Season of Holiday Threats and Ways to Defend,” our experts will discuss the latest tactics used in seasonal scams and how you can prepare your employees to protect themselves. 

Meanwhile, check out our website to learn more about Proofpoint Security Awareness or download our e-book Beyond Awareness Training.