Why Do Cybersecurity Awareness Programs Often Fail?
Security Awareness Expert John Scott on Adapting Tech and Process
Many security awareness training programs fail because organizations don't understand the risks they face, said John Scott, lead cybersecurity researcher at Culture AI. He said a successful training program "will help people by making sure that it's targeting the behaviors that address the key risks for the organization."
Scott runs Culture AI's internal security awareness program, which focuses on "human risk management." That means intervening at just the right moment with a "security nudge" to help employees understand when they've done something wrong.
Scott said we should move away from "blaming" humans because error is inevitable. "If you see a pattern of spikes in a particular area, go find out why. Don't go in with your feet first - shouting and telling people off - because there may be a legitimate reason," he said.
In this video interview with Information Security Media Group, Scott discussed:
- Why traditional security awareness training programs are not working;
- Understanding human behavior and when to apply a "security nudge";
- Practical steps security leaders and teams should consider when applying the "nudge theory" to security programs.
In his role at Culture AI, Scott focuses on human behavioral data and risk management. He previously worked in a senior security transformation role at BT and was head of security education for the Bank of England for nearly seven years, running an internationally recognized culture change program for the U.K.’s central bank. He also serves as an instructor for the SANS Institute, teaching classes worldwide on managing human risk. He is a frequent international speaker on security culture, and his key passion is the need for security to be a champion of all colleagues, rather than just being the "department of no."