Yahoo studied employee responses to simulations to better understand how to make them take cybersecurity seriously. To make meaningful change, managers should take three key steps. First, they must identify critical employee behaviors. Second, managers must measure behaviors transparently. Finally, managers must use awareness to explain why something is important.
A Model of Proactive Engagement
In the summer of 2018, amid a reorganization of the larger security organization, the Paranoids brought together two disparate groups: the red team (a slick group of hackers that offensively tests internal systems, services, processes, and people to discover systemic weaknesses) and the company’s security awareness team. Later, the Paranoids added the behavioral engineering team, which focused on measuring the activities they deemed good security behaviors, based on a mixture of HR data and enterprise technology logs. To better understand how employees responded to cybersecurity threats, the behavioral engineering team first distinguished between employee actions, habits, and behaviors. An action, they concluded, was something a person does to completion. For instance, Yahoo employees were required to take an annual security training course. The desired result, taking the class, is an action. A habit was a shortcut made for repeatable actions. Training employees, for instance, to rely on a password manager rather than on manual password changes can lead to a formed habit. Finally, they defined behaviors as the combination of actions and habits within the context of a situation, environment, or stimulus. In the prior example, the desired security behavior is not simply to get employees to use a password manager. Instead, the goal was getting employees to generate and store credentials using a password manager whenever they were creating or updating accounts.
The Process of Changing Behavior
Attempting to change a behavior meant first identifying the specific context for a desired action. The Paranoids called this the creation of a behavioral goal. When creating a behavioral goal, the behavioral engineering team aimed to answer the question: “In which specific context do we want a specific cohort (or person) to do what specific action?” For example: “When generating a new single sign-on password, we want all employees to generate and store the password within our corporate-approved password manager.” The team’s ability to define these goals was key to effectively measuring the direction of cybersecurity culture within the organization. As the behavioral engineering team studied and developed behavioral goals, a formula took shape.
Measuring Employee Behaviors
Over and over, in red team operations employees would fall for phishing emails that presented them with fake login pages, just like the one that duped then-DNC chairman John Podesta’s assistant into typing his password into a fake login page obscured by a shortened link in a malicious email. The team studied the problem and highlighted three key measures:
Susceptibility Rate: the number of employees who entered credentials and did not report the phishing email, divided by the total number of phishing simulation emails sent.
Credential Capture Rate: the number of employees who entered credentials (and did not report the link to the defense team), divided by the number of employees who opened the phishing simulation and landed on the fake login page.
Reporting Rate: the number of employees who reported the phishing simulation, divided by the total number of simulation emails sent.
With a behavioral goal and key measures defined, the team set out to implement new managerial mechanisms to diminish the rate at which employees gave up credentials. At the time, the phishing simulations were capturing nearly one out of every seven employees’ credentials at every test. Only one out of every 10 employees was accurately reporting the original simulation email as a potential phish. After looking at the data, the Proactive Engagement team decided to focus on stopping employees from entering their credentials on a phishing page. The solution was already in place. They wanted employees to use the password manager that had already been paid for and provided by the company. Because the password manager will only auto-fill passwords on the exact sites it recognizes, and not on lookalike domains built to steal credentials, it took the guesswork out of the hands of the employees: if the manager offers nothing to fill on what looks like the login page, that silence is itself the warning sign. The protection holds only as long as employees treat it that way and do not fall back to typing the password by hand.
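The three measures above are ratios over different denominators, and the distinction between "entered credentials" and "entered credentials and did not report" matters when the same employee does both. The following is an added example (not Yahoo's code) that computes all three from a constructed per-employee event log for one simulation campaign; the event names, the one-email-per-employee assumption and the sample data are all assumptions made for illustration.

```python
"""Phishing-simulation metrics as defined in the text, computed from a constructed event log.

Added example, not the Paranoids' tooling. Assumed event types per employee:
  "sent"     - the simulation email was delivered to the employee
  "landed"   - the employee followed the link and reached the fake login page
  "entered"  - the employee submitted credentials on that page
  "reported" - the employee reported the email/link to the defense team
One simulation email per employee per campaign is assumed, so "emails sent"
equals the number of employees with a "sent" event.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: seven employees, one campaign.
SAMPLE_EVENTS = [
    ("alice", "sent"), ("alice", "landed"), ("alice", "entered"),
    ("bob", "sent"), ("bob", "reported"),
    # carol entered credentials but then reported: excluded from susceptibility
    # and capture numerators per the definitions, counted as a report.
    ("carol", "sent"), ("carol", "landed"), ("carol", "entered"), ("carol", "reported"),
    ("dave", "sent"), ("dave", "landed"),          # landed, did not enter
    ("erin", "sent"),                              # never opened
    ("frank", "sent"), ("frank", "landed"), ("frank", "entered"),
    ("grace", "sent"), ("grace", "reported"), ("grace", "reported"),  # duplicate report
]


def _ratio(numerator: int, denominator: int) -> float:
    """Rate as a fraction; 0.0 when the denominator is empty (e.g. nobody landed)."""
    return numerator / denominator if denominator else 0.0


@dataclass(frozen=True)
class SimulationMetrics:
    sent: int                 # employees who were sent the simulation
    landed: int               # employees who reached the fake login page
    entered_unreported: int   # entered credentials and did not report
    reported: int             # reported the simulation

    @property
    def susceptibility_rate(self) -> float:
        return _ratio(self.entered_unreported, self.sent)

    @property
    def credential_capture_rate(self) -> float:
        return _ratio(self.entered_unreported, self.landed)

    @property
    def reporting_rate(self) -> float:
        return _ratio(self.reported, self.sent)


def compute_metrics(events) -> SimulationMetrics:
    """Aggregate (employee, event) pairs into the three rates.

    Events are collapsed to a set per employee, so duplicate events (a second
    report, a page reloaded twice) do not inflate any count.
    """
    per_employee = defaultdict(set)
    for employee, event in events:
        per_employee[employee].add(event)

    sent = sum(1 for ev in per_employee.values() if "sent" in ev)
    landed = sum(1 for ev in per_employee.values() if "landed" in ev)
    entered_unreported = sum(
        1 for ev in per_employee.values() if "entered" in ev and "reported" not in ev
    )
    reported = sum(1 for ev in per_employee.values() if "reported" in ev)
    return SimulationMetrics(sent, landed, entered_unreported, reported)


if __name__ == "__main__":
    m = compute_metrics(SAMPLE_EVENTS)
    print(f"sent={m.sent} landed={m.landed} entered(unreported)={m.entered_unreported} reported={m.reported}")
    print(f"susceptibility={m.susceptibility_rate:.2f} capture={m.credential_capture_rate:.2f} reporting={m.reporting_rate:.2f}")
```

Note what the definitions do and do not measure: an employee who enters credentials and then reports (carol above) improves the reporting rate and drops out of the susceptibility and capture numerators, yet in a real attack those credentials are already in the attacker's hands. The rates track behavior, not exposure, so a response process still has to treat every "entered" event as a credential reset regardless of whether a report followed.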
Choice Architecture, Incentives, Communication, and Gamification
By the middle of 2019, the team had deployed the corporate password manager to all corporate-managed browsers, where its domain matching doubles as a phishing-page detector, and it made using the tool the default option for all employees. The team also offered incentives for active corporate password manager usage. Employees who actively used the password manager received merchandise such as Paranoid-branded t-shirts, hoodies, and hats. They also created how-to videos and content to educate users on what to look for, how to identify suspicious emails, and what to do if they saw something suspicious. These communications were paired with emails that nudged those who were duped by phishing simulations to read additional education materials and directed them to the corporate password manager. The Proactive Engagement team measured progress by creating dashboards where managers could benchmark their corporate pillar’s performance against that of their peers. The dashboards were an important tool for managers because they created an environment of active and passive competition. The competition provided an incentive for employees to do better, and the dashboard allowed managers to see how their reports were doing. They also served as a bridge between the Proactive Engagement team and senior Yahoo leadership.
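The "domain detection" the password manager provides is nothing more than strict origin matching: the saved login is bound to a scheme, host and port, and the manager offers to fill only when the current page's origin is identical, so visual lookalikes get nothing. The following is an added example (not the vendor's code) of that decision in its simplest form; the exact-origin policy is a simplification (some managers match on the registrable domain instead) and the vault contents are constructed.

```python
"""Origin-bound autofill: why a lookalike phishing page gets no credentials.

Added illustration, not any vendor's implementation. Policy assumed here:
a saved entry fills only when scheme, host and port match exactly, and
never over plaintext HTTP. Real password managers differ in detail.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault: saved login origin -> username (passwords omitted).
VAULT = {
    "https://login.example.com": "j.doe",
}


def origin_of(url: str) -> Optional[str]:
    """Normalise a URL to scheme://host:port, or None if it has no usable origin.

    urlsplit lowercases the hostname and strips any userinfo, so
    https://login.example.com@evil.test resolves to host "evil.test".
    A homoglyph host (Cyrillic letters) is a different string and will not match.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric or out-of-range port
        return None
    return f"{parts.scheme}://{host}:{port}"


def autofill_candidate(page_url: str, vault=VAULT) -> Optional[str]:
    """Return the username to offer for this page, or None (no fill = warning sign)."""
    page_origin = origin_of(page_url)
    if page_origin is None or page_origin.startswith("http:"):
        return None  # never hand a saved password to a plaintext page
    for saved_url, username in vault.items():
        if origin_of(saved_url) == page_origin:
            return username
    return None


if __name__ == "__main__":
    # Constructed URLs: the real SSO page and the usual phishing tricks.
    for url in (
        "https://login.example.com/sso?next=/mail",
        "https://login-example.com/sso",                # hyphen lookalike
        "https://login.example.com.evil.test/sso",      # subdomain of attacker host
        "https://login.example.com@evil.test/sso",      # userinfo trick
        "https://evil.test/login.example.com/",         # path trick
        "http://login.example.com/sso",                 # downgraded transport
    ):
        print(f"{url:48} -> {autofill_candidate(url)}")
```

The last four cases are exactly what a shortened link in a phishing email tends to resolve to; the manager's refusal to fill is the signal the Paranoids wanted employees to rely on instead of their own reading of the address bar.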
Actionable Recommendations for Managers
To make meaningful change, managers should take three key steps. First, they must identify critical employee behaviors. The biggest transformation the Paranoids undertook was organizational, not technological. They tested employees to better inform their strategy for changing cybersecurity culture. Only then did they develop and implement a plan. Second, managers must measure behaviors transparently. While the security team couldn’t make business decisions, business leaders could. To get them to do that, the Proactive Engagement team built dashboards that allowed managers to benchmark their direct reports’ behaviors against those of their peers in other corporate pillars.
Finally, managers must use awareness to explain why something is important. At no time did the Proactive Engagement team punish employees or mandate adoption of specific tools. Rather, they used their offensive testing capabilities to ground their advice in real-world attacks and then explained why those behaviors made sense for the business. By the second half of 2020, the rate at which Yahoo employees’ credentials were captured in phishing simulations had been cut in half. The number of accurately reported phishing attempts had doubled. And most importantly, the usage of the company’s corporate password manager, the centerpiece of the company’s cybersecurity culture, had tripled.