Fear Doesn’t Train Employees to be Cybersafe, Creativity and Trust Do
 

Cybersecurity rhetoric is often riddled with a little thing called FUD — fear, uncertainty and doubt. It’s a tidy acronym that dates back to long before the advent of cybersecurity but has been closely associated with the technology industry since the 1970s.[1]

In theory, it makes sense that some cybersecurity vendors would employ fear and uncertainty in order to propel sales or train employees. To get organizations and individuals to invest in security measures, you must first convince them of a pervasive threat. And while it’s important not to euphemize cybersecurity — there are serious cyber threats out there that we should be aware of — it’s also important not to hyperbolize.  We shouldn’t let fear be the main driver behind security decision-making. Why? Because it’s simply ineffective, according to the research of Dr. Karen Renaud and Marc Dupuis, which appeared in the Wall Street Journal in December 2020.[2]

Why the Fear Factor Doesn’t Work — and Often Backfires

The year 2020 is no stranger to FUD, and we have seen that fear can indeed spur short-term action — recall the springtime grocery shelves left barren as a result of COVID-related panic buying. Though fear can ignite one-off actions such as this, it often fails to influence long-term behavioral changes, according to Renaud.

In her research, she found that demagoguery in cybersecurity can often do one of two things:

• Create a boy-who-cried-wolf effect in which employees start to shrug off legitimate security warnings
• Put employees in a constant state of anxiety that inhibits decision-making abilities

The latter can be most detrimental to an organization and the mental wellbeing of its staff. Renaud reported a UK company that fined employees significantly — up to 50% of their yearly salaries — if they clicked on attachments in simulated phishing emails conducted as a part of security training.[3] Another organization had a three-strikes-you’re-fired policy when it came to failing phishing simulations, and a third company shamed clickers by posting their photographs in communal office areas.

It’s not far off to assume that employees might be less likely to report suspicious activity on their devices out of fear of such harsh punishment. For example, if an employee suspects their device has been infected by a virus as a result of a sketchy link he clicked yesterday, he could try to remedy the situation himself instead of reporting it and risking punishment. And since he is not an IT professional, he could just end up causing further harm.

But the data dictates that you don’t want to deter your staff from reporting. A global Mimecast survey found that less than half (45%) of employees report suspicious emails to their security teams.[4] In order to raise that percentage, organizations must create a safe cybersecurity culture that encourages open communication.

Renaud’s research found, in a survey of 400 workers, that 32% believe it is not okay to exaggerate threats even if it means people will change behavior, and 31% believe it is unethical to use fear at all to move people to action. Twenty-two percent said fear doesn’t even work when it comes to cybersecurity training.[5]

Fear Not. There’s A Stronger Approach to Cybersecurity Awareness Training.

Organizations need to revamp the philosophy behind their cybersecurity awareness training programs. A Forrester research study, sponsored by Mimecast, found that when it comes to security training programs, 55% of organizations do not base their programs off of data and behavioral science, 45% do not capture feedback from employees and 33% do not utilize metrics to monitor success.[6] This demonstrates wasted opportunities to get the absolute most out of cybersecurity awareness training and create an effective security-first culture in the workplace. 

Based on her research with various professors, leadership experts and authors, Renaud recommends the following three-pronged approach to cybersecurity awareness training:[7]

1. Create a buddy system. The goal here is so democratize security support by designating at least one person in each department as a ‘cybersecurity expert’ there to provide day-to-day support for colleagues. This makes guidance more accessible for employees and reminds them that cybersecurity is not a solo performance, but a team sport.
2. Provide adequate resources. When possible, give employees tools that make following protocol easier. For example, if you want employees to use strong passwords, not write them down anywhere and not reuse them, provide password managers. Or if you want your organization to be able to spot phishes, employ a messaging system (outside of email) that warns employees when the company is being targeted.
3. Remove obstacles. Ban as few tools as possible, and instead find secure and effective ways to use them. USB memory sticks, for example. Rather than banning them altogether, issue encrypted memory sticks that authenticate using fingerprints. That way, employees can still transfer large files without having to improvise.

Additionally, the Forrester study offers the following suggestions:[8]

1. Leverage humor and regular bite-sized content
2. Utilize metrics to track progress and behavior change
3. Facilitate security discussion in the wider communities

Forrester found that over two-thirds (67%) of surveyed leaders said they planned to upgrade their organizations’ security awareness training program in the next 12 months.[9] This represents an opportunity for these organizations, and any organizations looking to upgrade their cybersecurity culture, to do it right this time around.

The Bottom Line

Although it can be tempting to use FUD to influence employee behavior, it is often ineffective in achieving an organizations’ long-term cybersecurity awareness goals. It’s better to use creativity and trust to empower employees to view themselves not as the problem, but as an integral part of the solution. Train employees to prote

[1] “Cut the FUD: Why Fear, Uncertainty and Doubt is Harming the Security Industry,” Help Net Security

[2] “Why Companies Should Stop Scaring Employees About Cybersecurity,” Wall Street Journal

[3] Ibid.

[4] “Company-issued Computers: What are Employees Really Doing with Them?” Mimecast

[5] “Why Companies Should Stop Scaring Employees About Cybersecurity,” Wall Street Journal

[6] “Designing Effective Security Awareness & Training Programs in the APAC,” Forrester

[7] “Why Companies Should Stop Scaring Employees About Cybersecurity,” Wall Street Journal

[8] Designing Effective Security Awareness & Training Programs in the APAC,” Forrester

[9] Ibid.