The last time you were on a plane, did you read the safety card?
Maybe you flipped through it while waiting to take off, or maybe you glanced at it while the flight attendants gestured towards your nearest exit. But when you were done reading it (if you read it at all) you probably tucked it back in the pocket and went back to playing games on your phone, drinking ginger ale, or silently negotiating for the use of the armrest with your already-sleeping neighbor’s elbow.
What is the point of those cards, anyway? And who really pays attention to the “white lights lead to red lights, red lights lead to exits” routine? Do you?
Even knowing how important these things would be if a rare emergency did happen, do most of us pay attention? Do we learn from them, and does it really help us change our behavior?
Cybersecurity incidents are a lot more common than airplane emergencies, but it’s surprising to find out that the overwhelming attitude towards security awareness and training (SA&T) is a lot like how we read an airline safety card. We read the card or take the yearly training just to say we’ve done it, just to check a box, but we don’t really expect to learn anything, much less change what we do.
(Some of this, let’s be honest here, is because a lot of cybersecurity training is about as interesting as watching paint dry. Another PowerPoint presentation from 1998? I’m vibrating with delight and anticipation!)
We know that it’s the human element that makes the difference when it comes to a sizable percentage of security incidents. The data couldn’t be clearer. We know that Human Risk Management is the future of cybersecurity training. We know all of this, but the current frameworks barely account for it.
Instead, most cybersecurity frameworks and guidelines care more that you read the safety card, or took the training, than whether you actually changed your behavior.
Recently, in her article "A Sneak Peek Into The Future Of Security Awareness And Training," Forrester VP and Senior Analyst Jinan Budge says, “Two decades of increasing the focus on the human side of security has inadvertently, and well meaningly, created a status quo that’s difficult to break. Security and risk leaders must reject the status quo of their well-intentioned, commonly accepted awareness program and focus on managing the human risk.”
To learn more about what Living Security is doing in order to break this status quo and offer a solution that gets to the heart of Human Risk Management, let’s first explore what one of the top recommended cybersecurity frameworks does — and what it might be missing.