Telling your employees to do something isn’t enough for them to change their behaviour. Think about cybersecurity awareness videos: they rarely lead to lasting behavioural change.
To address that problem, Yahoo brought together three disparate teams: the red team (the group that pretends to be an attacker), the cybersecurity awareness team, and the behavioural engineering team (the team responsible for measuring good behaviours based on HR data and IT logs).
To understand how employees respond to cybersecurity threats, Yahoo distinguished between employee actions, habits, and behaviours:
- An action was defined as something an employee does to completion, such as completing the annual cybersecurity training course.
- A habit was defined as a set of repeatable actions.
- A behaviour was defined as a combination of actions and habits in the context of a specific situation.
Context is key: the Yahoo team looked at actions and habits in a specific context, such as the adoption of a password manager. Their formula for creating lasting behavioural change started with behavioural goals:
The first step was to identify a desired behavioural goal. The second step was to find an appropriate measure and to create a baseline. The third step was to take actions to affect the measured behaviour, adjust those actions, and repeat the process.
The case study illustrates this using the problem of phishing emails: the red team consistently found employees who fell for phishing emails that presented them with fake login pages. The team defined the following measures:
- Susceptibility rate: the number of employees who entered their credentials on the fake login page and who did not report the email, divided by the total number of phishing emails sent.
- Credential capture rate: the number of employees who entered their credentials divided by the number of employees who clicked on the link and landed on the fake login page (but did not enter their credentials).
- Reporting rate: the number of employees who reported the phishing email divided by the total number of emails sent.
The Yahoo team measured progress by creating dashboards for managers, which benchmarked each team’s performance against that of other teams. Overall, Yahoo halved the number of employees who fell for a phishing scam, the number of people who reported the emails doubled, and the use of the password manager tripled.
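As an added example (not code from the case study), the three measures above computed from a constructed log of simulation events and grouped per team, so the output could feed a manager dashboard like the one described. The event names, team labels and sample data are assumptions, as is the choice to take everyone who reached the fake login page as the denominator of the credential capture rate.

```python
from collections import defaultdict

# Constructed sample events (not real data). One tuple per event:
# (employee_id, team, event), where event is "sent" (simulated phish delivered),
# "landed" (clicked the link and reached the fake login page),
# "entered" (typed credentials into the fake page) or "reported".
SAMPLE_EVENTS = [
    ("e1", "eng", "sent"), ("e1", "eng", "landed"), ("e1", "eng", "entered"),
    ("e2", "eng", "sent"), ("e2", "eng", "reported"),
    ("e3", "eng", "sent"), ("e3", "eng", "landed"),
    ("e4", "eng", "sent"), ("e4", "eng", "landed"),
    ("e4", "eng", "entered"), ("e4", "eng", "reported"),
    ("e5", "ops", "sent"), ("e5", "ops", "landed"), ("e5", "ops", "entered"),
    ("e6", "ops", "sent"), ("e6", "ops", "reported"),
]


def phishing_metrics(events):
    """Return {team: {susceptibility, credential_capture, reporting}}.

    Also includes an "all" entry so each team can be benchmarked against the
    whole organisation. Rates are computed per employee, not per raw event,
    so a user who clicks twice is only counted once.
    """
    per_employee = {}
    for emp, team, ev in events:
        rec = per_employee.setdefault(emp, {"team": team, "events": set()})
        rec["events"].add(ev)

    groups = defaultdict(list)
    for rec in per_employee.values():
        groups[rec["team"]].append(rec["events"])
        groups["all"].append(rec["events"])

    def rate(num, den):  # guard against teams with no emails or no clicks
        return num / den if den else 0.0

    out = {}
    for team, recs in groups.items():
        sent = sum("sent" in r for r in recs)
        landed = sum("landed" in r for r in recs)
        entered = sum("entered" in r for r in recs)
        reported = sum("reported" in r for r in recs)
        # Susceptible = entered credentials AND did not report the email.
        fell = sum("entered" in r and "reported" not in r for r in recs)
        out[team] = {
            "susceptibility": rate(fell, sent),
            "credential_capture": rate(entered, landed),
            "reporting": rate(reported, sent),
        }
    return out


def dashboard_ranking(events):
    """Teams ordered from least to most susceptible, for the manager view."""
    metrics = phishing_metrics(events)
    teams = [t for t in metrics if t != "all"]
    return sorted(teams, key=lambda t: metrics[t]["susceptibility"])
```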
Why does this matter for businesses?
- Cybersecurity training isn’t enough to create meaningful change in an organisation: what matters is what employees do when no one is looking.
- To create a strong cybersecurity culture, managers should identify where employees are failing, measure behaviours and make them transparent through the creation of dashboards, and ensure employees understand why these behaviours are important.