Poorly implemented security awareness trainings and seminars all have one major weakness, because they often do not lead to any changes in the behavior of your employees. This is due to the fact that vulnerabilities and security risks are communicated but not internalized. The expensive training enlightened, but basically did nothing. The Security Awareness Curve is a novel approach here.
If you don’t want to burn money in your organization and also have serious information security concerns, you should take a closer look at the Security Awareness Curve concept. We ourselves are big supporters of the Security Awareness Curve and Prof. Dr. Sasse, the author of the paper, is also working with us on the BMBF’s DigiFit project.
What are the problems with current security awareness?
The Security Awareness Curve starts where classical security awareness trainings usually fail. Because what Prof. Dr. Sasse states in her paper primarily means that a great deal of potential is being wasted. Instead of initiating meaningful measures, employees are channelled through continuing education, training, and seminars without learning any useful knowledge or even taking away any insights. The biggest criticism of the system, therefore, is that not enough is being done to permanently reinforce the security awareness that has been created. It’s a bit like we all learn a lot of theory, but don’t draw any conclusions from it for practice or develop any useful strategies.
This is where the Security Awareness Curve comes in, which tries to take a different approach. Namely, the path of understanding and action. Instead of simply calling attention to something, the Security Awareness Curve seeks to provide understanding and the ability to act, in addition to awareness. But let’s take another look at the curve together to understand the underlying concept a little better.
What is the Security Awareness Curve?
The Security Awareness Curve, or the security learning curve, consists of different levels. People must pass through these stages completely in order to acquire the desired safe behavior. However, the Security Awareness Curve is specifically about not only raising awareness, but also imparting the knowledge to be able to react in a truly secure manner.
The curve relies primarily on measures that are not covered or not fully covered by standard training. According to the paper, this is also a major problem. Measures are implemented that simply do not work holistically. The Security Awareness Curve, on the other hand, relies on the following.
- Inform: Employees need to understand that there is a risk and how they should respond to avoid direct attacks. Learning about this represents the first point in the learning curve.
- Awareness: Security awareness is always about raising said awareness of such attacks. Many employees feel safe, even though they are not. Raising awareness that it can affect anyone helps prevent security risks.
- Understanding: This is not just about information, but about helping employees understand exactly how such attacks take place. Background knowledge can also be helpful in understanding attacks.
- Consent: Now most security awareness training stops. They assume that employees, with the knowledge they have acquired, are aware of what can happen and thus automatically avoid such risks. But this is not so, because action must also take place actively.
- Implementation: Now the conscious action is integrated into the respective company and linked to the conditions there.
- Acceptance: Employees must be willing to change their behavior or accept detours because they understand that this is the only way to improve safety. They have acquired the knowledge and are aware of the consequences that their actions could entail.
- Self-control: This is where safe behavior is made routine. Learned behaviors are discarded when they threaten the safety of the company. Independently, employees understand how to behave and what is important. They possess a self-control that prevents unsafe behavior.
What is the Security Awareness Curve supposed to help with?
The Security Awareness Curve illustrates first and foremost that classic and often too brief training, courses and seminars are not much use. They do not improve information security, and they also generate only limited awareness of security within the company itself. This is simply due to the fact that employees are passed through without understanding principles or necessities. So all this brings only conditional success.
The Security Awareness Curve suggests that a simple explanation is not enough. That it takes more to ensure within organizations to increase IT security. Employees must be specifically addressed, further trained and systematically educated so that exactly this works. Security awareness cannot be a blanket measure either, because awareness only arises where it is understood what is important.
Security awareness should therefore be adapted. To the respective company, the industry, the employees, their behavior, and behavior patterns, in fact to everything that arises and is possible. The Security Awareness Curve illustrates once again that it simply takes more than a short training course or an extensive show for employees to actually change their behavior and thus actually increase security in the company.
Our opinion on the Security Awareness Curve
We support the findings and, in particular, the conclusions drawn from the Security Awareness Curve. We have long believed that standardized training is no longer sufficient to implement security awareness in companies in a targeted manner. That’s why we’ve always tried to make our trainings, live hacking shows, phishing simulations, and more a little different than what’s typical in the industry.
Because security has long since become a business and it is no longer apparent who the good guys are. The Security Awareness Curve illustrates this fact by taking various measures ad absurdum and showing why classic training courses are often wrong and do not have the desired effect in companies. The learning curve also reveals what really matters and how and where common seminars end without going further.
To fully understand the topic, we recommend that you read the corresponding paper yourself. You will find this freely accessible at this place and can also download a PDF there.
In the end, the goal is to ensure that all parties are satisfied and take meaningful action. After all, what’s the point if the information security officer introduces all kinds of measures that employees find unpleasant or even impossible? So it is better to take precautions in your company and in this way create a basis that actually makes sense and thus really increases security, instead of just propagating the same.