Security Behavior and Culture Programs (SBCP)
By the year 2030, a significant shift in how enterprises manage cybersecurity risks is expected. Gartner projects that 80% of enterprises will have formally established and staffed human risk management programs, a substantial increase from just 20% in 2022.
Moreover, by 2030, widely accepted cybersecurity control frameworks will focus more on measurable behavior change than on compliance-based training as a key metric for the efficacy of human risk management.
The current market for Security Awareness Computer-Based Training (SACBT) services is centered on basic training, testing, and reporting capabilities. However, these services primarily target compliance and show limited impact on changing employee behaviors in a substantial and sustained manner. This has resulted in a disconnect between the aspirations of cybersecurity leaders for their awareness programs and the investment in this area.
In fact, less than half of cybersecurity functions consistently measure employee behavior, and almost 80% allocate less than one full-time employee to security awareness.
The lack of confidence in the existing SACBT services is further evident in the fact that although over 90% of cybersecurity functions have an awareness program, 69% of employees admit to intentionally bypassing enterprise cybersecurity guidelines in the past year. This underlines the limited impact of current awareness tactics on employee behavior and the need for more effective solutions.
Emerging Security Behavior and Culture Programs (SBCP) are designed to address these shortcomings. These programs focus on risk reduction through tangible employee behavior management, integrating behavioral science principles, data analytics, and automation to achieve measurable culture change. The SBCP solutions encompass both technical and non-technical capabilities, aiming to foster a digitally secure culture within organizations.
Traditional SACBT offerings, including training content, mock phishing simulations, and metrics reporting, have been the mainstay of most security awareness programs.
However, Gartner research indicates that these activities fall short in delivering and sustaining the behavior and culture change required to reduce cybersecurity risk. This is particularly concerning given that social engineering remains a top attack vector, and the majority of breaches involve human error.
To effectively manage human risk, enterprises need to go beyond traditional approaches. New SBCP capabilities focus on risk reduction through behavior management, employing strategies rooted in behavioral science, such as nudge theory and behavioral economics. These capabilities also leverage technology for continuous and targeted employee engagement, integrating data across multiple platforms to gain better insights into human behavior and risk.
In 2022, adoption of these emerging SBCP capabilities was still low, under 5%, because of the nascent state of the market and a failure to communicate how these programs actually work.
Gartner recommends that enterprises rescope their security awareness programs to focus on human risk management outcomes, not just compliance. They should also present a business case to senior leadership for investment in human risk management, and evaluate vendors for SBCP capabilities.
Failure to do any of this will bring us all back to the future: after spending $60 billion on security awareness training, we will still be stuck with 95% of breaches traceable to some human error, mistake, misconfiguration or credential compromise of some type, just as it was in 2012, thirteen years ago.
Author
Steve King
Managing Director, CyberEd
King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.