Cybersecurity culture is nearly impossible to quantify due to an absence of measurement tools. Many businesses attempt to quantify the human element of their security posture by sending employees simulated attacks to demonstrate how susceptible workers are to phishing, social engineering, spoofing, and other types of hacks. The flawed logic security leaders use to justify these tactics is that simulations help identify high-risk users and secure budget for additional budget. However, the negatives may outweigh the benefits as simulations embarrass workers and position security teams as antagonists rather than allies.
Embarrassment rarely accomplishes anything positive, and from a security awareness training perspective, has been thoroughly discredited.
SecurityAdvisor defines cybersecurity culture as the collective cybersecurity behavior of an organization’s employees. Traditionally, culture refers to societies’ social and behavioral norms often related to knowledge, beliefs, arts, laws, customs, capabilities, and habits. A cultural norm serves as a guideline for behavior, which serves as a template for expectations within a social group.
The term shame culture was popularized in anthropologist Ruth Benedict’s seminal book, The Chrysanthemum and the Sword. Benedict analyzed Japanese culture in early World War II based on newspaper clippings, articles, and other written cultural artifacts. Many of the book’s observations were later debunked, but the concept of guilt culture and shame culture remain relevant to this day. She described guilt culture as a cultural phenomenon where individuals know whether they are good or bad through their conscience. In a shame culture, individuals’ worth is determined by what their community says it is. In a guilt culture, people sometimes feel they do bad things; in a shame culture, social exclusion makes people think they are wrong.
Phishing simulations and other ‘Gotcha!’ security training attacks are an example of shame culture. Experience has taught us that attacking our employees doesn’t increase cyber-resilience as much as it positions the internal IT teams negatively in the eyes of the organization’s employees, making it more challenging to get people on board with strategic initiatives. If anything, these boring training sessions make employees less likely to view the IT team as a force for good within the enterprise. The best security leaders implement tactics and technologies that create a frictionless experience for employees.
Rather than trying to shame and then coach employees, IT and security leaders should create a frictionless security strategy intended to support workers during their greatest time of need. “Cookie-cutter” approaches to security training don’t work over a long period of time. This approach often does not target at-risk users when a potential attack is in progress or is executed with enough frequency to remain top of mind for employees.
SecurityAdvisor’s patented platform was built to provide employees with personalized coaching during “teachable moments.” The platform seamlessly integrates with leading security offerings from CrowdStrike, Netskope, Palo Alto Networks, SentinelOne, Sophos, and many more to incorporate end-user security coaching directly within existing workflows. Security teams can instantly engage with at-risk users and coach them on the risks they face by leveraging pre-determined security content.
Security professionals that adhere to the Golden Rule will find their employees are more open to complying with security policies than those who shame them. It’s simple psychology. SecurityAdvisor provides workers with constant reminders to apply their knowledge and also acts as a safety net if they falter. If you’re looking to improve your users’ online behaviors, learn best practices for establishing an effective awareness program and begin securing your human attack surface here with our Top 10 Tips for Effective Security Awareness Coaching Programs.
Schedule some time to talk with one of our experts and they will show you how we can help your organization.Get a demo Today