Traditional approaches to security awareness training are ineffective in changing human behavior because they're too often focused on negative consequences instead of positive reinforcement, according to new research by infosec startup Elevate Security.
At Black Hat USA 2020, Masha Sedova, co-founder of Elevate Security, shared insights from nearly a dozen security training research studies and analysis of several dozen security behavioral change campaigns to more than 65,000 employees across industries. Research was conducted over 18 months, with Elevate pulling in data from millions of incident reports. Sedova's conclusion was "the human risk is one of the largest unsolved problems in security."
This is because the human factor plays a role in many of the attack vectors used by threat actors. "If you opened up the Verizon Data Breach Investigations Report this year," Sedova said, "human risks associated with human action are the top reasons why breaches are successful -- phishing, credential stealing, abuse (either privilege intentional or unintentional through errors) or mishandling of sensitive information."
According to the 2020 Verizon DBIR, the number of confirmed breaches last year nearly doubled. The 2019 DBIR showed 29% of breaches involved use of stolen credentials, but this year the number rose to 37%. Hacking and breaches in general, according to Verizon's data set, are driven by credential theft. "Over 80 percent of breaches within the hacking involve brute force of the use of lost or stolen credentials," Verizon wrote in the report.
In addition, the "RSA Quarterly Fraud Report: Q1 2020," which examined a total of 50,119 incidents of fraud across the globe, attributed 54% to phishing attacks. Data from email security vendor Proofpoint's Human Factor Report 2019 found that more than 99% of threats observed required human interaction to execute.
Changing security awareness training
Despite the risks posed by the human factor, Sedova said, enterprise approaches to security awareness training aren't very effective. "If you go in almost any organization today, you will find the same approach to this problem, and that is [the] employees taking a one-size-fits-all annual security training that they mute, skip through to the end and brute-force the quiz questions and it's showing to be ineffective," Sedova said.
During the virtual panel Thursday, Sedova shared research conducted by Deanna Caputo, a behavioral scientist at Mitre, titled "Going Spear Phishing: Exploring Embedded Training and Awareness," a mock phishing experiment which surveyed a group of 1,500 employees.
"They found that employees group themselves in cohorts and many employees actually clicked all of the links or none of them at all," Sedova said. "As for the training, they found that training didn't matter. When an employee clicked and received a training and then received a future phishing email, whether or not they received training had no impact on their performance."
In Elevate's own research, the company found that on average, short-tenured contractors on large teams are most likely to fall for a phishing attack, while employees based in the U.S. who have been with the company for more than three years but less than 16 are least likely to fall for phishing attacks.
The research also includes data sets around trainings completed by employees.
"We found that it's not a question of knowledge, because both groups actually completed the training. It's a reflection on how important do I think security is? Is it worth my time? Will I bother to do it before the deadline, or will I be nagged to do it?" Sedova said.
One example of knowledge not being enough is applied to password security.
"We assume as security practitioners, if they just knew more, they would do something differently," Sedova said. "Lastpass did a study in 2017 and interviewed hundreds of users of their platform and found a huge proportion know what a secure password is (91%). Yet, when you take a look at passwords they have, they choose easy-to-remember or reuse them a huge percentage of the time (61%)."
The key ingredient missing from security training is motivation, Sedova said. "If I'm not motivated to learn the information needed and choose to apply it, I will not change my behavior." Sedova then analyzed the question of what it would look like if employees wanted to do security, instead of being forced.
There are three techniques that security teams can use to reduce human risks such as phishing, malware downloads and sensitive data handling, according to Sedova: social proof, gamification and positive reinforcement. While negative reinforcements such as shaming and punishment can change risky behaviors, she said studies indicate they have damaging side effects such as reducing employee morale.
Elevate applied social proof to phishing, reporting and password manager adoption.
"By taking data sets of what employees are doing in an organization, you can compare every employee's actions to their peer groups. When we compare actions to people we know, we are more likely to change our behaviors," Sedova said.
Examples of gamification are leaderboards or using security strength charts to compare employee behavior.
"Gamification is taking a part of the things that make gaming successful and applying it to business. Why not use those methods in security too? What if we had something in our organization, say, number of days since last malware infection?" Sedova said.
Other security vendors agree that traditional training is ineffective and have adapted their own models.
"A lot of people in security think about it like annual training you take every year," Jadee Hanson, CISO at Code42, said. "The way we approach security training is very different. Yes, we do the compliance checklist, but security awareness for me is much more of a cultural thing we're driving throughout the company. We do this in a number of different ways, and it happens every single day. I think security awareness in its most effective form is the daily corrections that happen throughout the organization."