Light Dark
November 24, 2014 By Brian Honan 3 min read
CISO
Data Protection

Lately, the media has been full of major news stories relating to security breaches at well-known companies. Breaches such as those at Target, Staples and Home Depot have moved security stories from the domain of the information security press into mainstream media stories. The news stories talk of sophisticated attackers using advanced techniques to breach the security of these organizations.

However, are these attacks due to the technical prowess of the attackers or ineffective security awareness programs in those companies? If we look at these breaches more closely, we can identify one common element. That is the human factor. In nearly every security breach actions, either intentional or accidental, by someone in the victim companies led to the security breach.

Study after study also highlights how the human element is a key factor in successful security breaches. The IBM Security Services 2014 Cyber Security Intelligence Index highlights that “95% of all incidents involved some form of “human error”. These errors ranged from clicking on links and attachments in emails, using weak passwords, or using default system settings. Given that many of the breached organizations spent lots of money on security awareness programs, why are we still seeing the human element being such a major contributing factor?

While IT security staff may find information about computer viruses, the latest exploits, and current hacking technique, in reality most people would rather be thinking about something else. They have their own busy work days, deadlines to meet, and a myriad of other demands on their time. In many other cases, the security awareness program has been developed to meet a compliance requirement resulting in the focus being on number of staff attending the awareness session rather than on ensuring the content is relevant to the business and the job roles of the attendees. Finally, most security awareness programs fail because no deliverable s and metrics on their effectiveness have been identified. Simply put, in many cases security awareness programs do not engage staff.

If we look at how road safety campaigns have developed over the years we can see how they’ve progressed from simply making people aware of the rules of the road to modern adverts providing impactful content on why it is important to drive safely. Similar to the old road safety campaigns, simply making staff aware of security issues is not enough to ensure they behave in a secure manner. People have busy work and personal lives and many will look to complete their tasks quickly without thinking about the security implications. As such, we need to move away from a security awareness approach to enabling staff to be more secure, by developing a security engagement program whereby people will become equipped to deal with the security threats they face.

An effective security engagement program should be aligned with the overall business needs and the goals of the organization. The security engagement program should be different for a computer company than it would be for a financial institution or an organization in healthcare. The program should also take into account the cultural aspects of staff located in different offices with a particular focus on localizing the content for staff located in regional offices. A U.S. centric security awareness program will not engage an Asian or European audience. Similarly, the content of the program needs to be targeted at the intended audience. Content and key messages delivered to the sales team should be relevant to their role, as should content for the senior management team, and all other areas in the business. Another way to engage the audience is to use psychological hooks to get the attendees attention, such as highlighting safe online computing use for their own personal use. Good habits developed for personal use will equally apply in the corporate environment.

While criminals will look to exploit security vulnerabilities in applications and systems, they will also look to target weaknesses in the people that use those systems and applications. Aligning security education with the needs of the individual will provide a dynamic security engagement program that will be a key element in ensuring a robust security infrastructure.

 |  |  | 
Brian Honan
CEO, BH Consulting

More from CISO
December 30, 2024

CISO vs. CEO: Making a case for cybersecurity investments

4 min read - Ask CISOs why they think there is a cyber skills shortage in their organization, what keeps them up at night or what the most important issue facing the industry is — at some point, even if not the first response, they will bring up budgets.For example, at RSA Conference 2024, a roundtable discussion about issues facing the cybersecurity industry, one CISO stated bluntly that budgets — or lack thereof — are the biggest problem. At a time when everything is…

December 13, 2024

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

December 11, 2024

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature