As the workforce becomes increasingly diverse — factoring in age, educational background, and industry experience — the need to modify employee training around privacy and security practices becomes increasingly important.
I may be the only person (or one of the few) who looks forward to completing an annual security awareness training curriculum, or reviewing updated security guidance from industry leaders. However, for the majority of employees out there who wait until the last day to complete a training session, there are critical repercussions to not adapting internal training to today’s workforce. Threat actors of all kinds use digital methods to carry out their attacks, whether they be social engineering attacks or otherwise. It is every security leader’s responsibility to protect against this by creating a security conscious workforce.
Research Framework: Privacy and Security
I recently worked with a fellow University of Southern California Applied Psychology graduate student to conduct research focused on understanding how people approach privacy and security in their own lives. We surveyed 165 respondents and conducted in-depth interviews with 19 of them. The core questions in our research centered around the following:
(1) What privacy and security behaviors do they engage in?
(2) How do they feel about salient topics relating to privacy and security?
(3) How are their behaviors and attitudes different based on the work they do? (e.g. security professionals versus others)
Although there were many eye opening findings from this research, I’ve focused this article on takeaways that have implications for security leaders like you. If you’re interested in hearing about the rest of our findings, please reach out to our team at email@example.com.
#1 – The older the participant, the stricter their practices and the higher their level of skepticism.
It was discovered that if we create a chart going from youngest (Gen Z) to oldest (Baby Boomers), there was a consistent increase in skepticism and stricter security practices as the age of the group increases (e.g. Baby Boomers scored higher than Gen X, and Gen X scored higher than Millennials).
So what? What are the implications for a security leader if they know that their youngest team members are likely to approach technology with less skepticism and less secure practices? And conversely, what are the implications for their oldest team members who are on the other end of the spectrum?
This dichotomy must be considered when conducting internal security awareness and privacy training for employees. If your Gen Z team members have lower security IQs, then they present a greater vulnerability to information assets than their older counterparts. This should be a consideration in their training, onboarding, and continual testing.
This informs us how the younger group and the older group can be more susceptible to certain social engineering attacks. For example, the younger group is more inclined to be susceptible to attacks that use the Internet as the medium, while the older group is more susceptible to attacks that use phones as the medium. In fact, Ted Harrington of Independent Security Evaluators gave an interesting interview in 2016 on this topic, and our findings reinforce the themes from his research.
#2 – Respondents outside of security / risk management professionals tended to be unaware of the fact that software updates help protect them from software vulnerabilities.
After conducting nearly 20 interviews with respondents outside of the security industry, I discovered that many of these people were completely unaware that software updates are critical for patching known software vulnerabilities, and thus keeping their devices safe. Rather, respondents viewed software updates as an annoyance. They saw them as a pure inconvenience that makes their computer useless for a period or interferes with their use of outdated apps after the update is installed. For these reasons, they either procrastinated or tried to avoid updating their software altogether.
So what? What are the implications of the people we work with being averse to updating the software on their laptops and smart devices?
Again, it comes back to education and training. Within our own internal privacy and security training programs, we need to be mindful that what we (experts in the field) know to be true, may not be known by our peers. Therefore, I recommend looking at your internal training programs with a beginner’s mind. For example, a simple solution is to create open dialogues with your peers outside of the security team to learn about their approach to privacy and security. Then use your learnings to modify training programs to specifically address the challenges you’ve identified.
#3 – Respondents outside of security / risk management professionals tended to think of Google as a brand that is transparent when it comes to privacy and security.
The security minded respondents felt drastically different about Google, from their non-security counterparts. Out of 56 security respondents, only 1 selected Google as being transparent. In contrast, more than 13 of the 100+ non-security respondents selected Google as being transparent.
So what? Why are perceptions of Google important?
Google is not necessarily relevant in this case. What is relevant is that the security group has a drastically different view than the rest of the population, demonstrating that security leaders have their work cut out for them when it comes to aligning non-security employees’ knowledge with their own expert knowledge. This suggests that the inclusion of broader topics such as what brands / devices the security team recommends could be useful within broader internal security training programs.
Training every member of your organization to be as security conscious as you are is wishful thinking, even with the greatest resources at your disposal. However, we can still make dramatic improvements in reducing our vulnerabilities if we help our teams across the organization execute on the basics. The foundation of this effort is talking to teams and learning about their own behaviors and attitudes.
I encourage all readers to consider what steps they can take to conduct informal interviews with their non-security team members so that they can be attune to what the people on the ground are doing day-to-day. I’m confident that these conversations will reveal important insights for improving internal security training, resulting in a safer, less vulnerable workforce.
Visit Ontic’s Center for Protective Intelligence for strategies and best practices, insights on current and historical trends and lessons learned from physical security peers and industry experts.