#Infosec2025: Building Trust and Culture with Employee Adoption

Under internal and external pressures, employees often don't know what is right or wrong.

A security-conscious culture can be created by reducing friction and protecting users.

Speaking at Infosecurity Europe in London, Javvad Malik, lead security awareness advocate at KnowBe4, said that employees face both external threats and internal pressures, and this “results in humans making some form of error.”

“They don’t know what is right or wrong, but they are under pressure,” Malik said, which is why a strong security culture needs to be created. Such cultures cannot always be perfect, however, and Malik likened the result to building a house from asbestos: it may be a house, but it is not completely safe.

“It’s a cop out when organisations say let’s put in place policies and procedures without alleviating internal or external pressures,” he said of attempts to build a culture.

DEEP Down

Malik demonstrated the DEEP framework, which includes the following steps:

  • Defend users against attacks: block attacks before they reach users and reduce the number that get through.
  • Educate staff on which risks, problems and red flags are out there, and ask whether your actions translate into behaviour change.
  • Empower staff by providing the tools to do the job and make a change, and enable them to report issues such as spotting a stranger in the office.
  • Protect, because mistakes will happen: reduce the blast radius so that if someone clicks on a link, the whole organisation doesn't get infected.

Malik asked “how we protect colleagues, and where a positive security culture fits in,” noting that culture change can be for good or bad and can strengthen or weaken a business. He also recommended making something that emotionally sticks with people, as “simply putting in controls is not enough, you need to emotionally resonate with them.”

This includes offering cash incentives for reporting phishing emails, as “what people intend to do and actually do are different; bridge the gap between action and intention.”

He also praised the use of ‘nudges’, for example password strength meters, and said that the typical user “can only remember 12 character passwords and we make them feel stupid and unheard, and we wonder why they don’t change behaviours.”

Malik said that if people are involved in the story, they are more likely to be engaged; if you don’t enable staff, you may enable cyber-criminals.

Concluding, he said the pillars of building a culture that supports people are: creating security champions, sharing stories, intensity versus consistency, choice architecture, and user-centric security. “Put people at the centre and protect every angle,” he said. “The more we reduce friction and protect them, the better we will be together.”

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
