CyberSecPsych

We sent them to security training.  Why are they still clicking?

Sole reliance on security training programs have little proven effect of long-term modification on end-user behavior.  Experian and Ponemon Institute’s 2016 “Managing Insider Risk through Training & Culture” report explains that only half of survey respondents felt like their company’s data protection and privacy training program was effective in reducing negligent or malicious behaviors.

While individual psychology characteristics around attitude and personality impact the end-user’s engagement and desire to learn, there are additional dynamic forces involved at both the individual and organization levels that impact a company’s security posture.

Teaching/learning models have long been applied to the field of education as a visual aids to highlight the main ideas and variables in a learning process or system.  As the cyber security awareness and training market sees rapid expansion, the application of these types of models can be valuable for organizations to better understand how the learning takes place and ensure they are directing their budgets to the correct resources.

This model has been developed from the perspective of systems theory, which takes in a variety of contextual factors to understand the varying degrees of influence that effect an end-user’s achievement in security hygiene.  These contextual factors include all variables outside of the enterprise that have an impact on management and end-user characteristic, company processes, and output.  The model seeks to give clarity into the dynamic forces that interact in the teaching/learning process in security training programs.  It attempts to lend support to questions such as:

1. How do end-users learn?
2. What is the best strategy/process for implementing training?
3. Why do some end-users learn more than others?

The following is a simple example of how some of these variables might interact:

• Context variables such as the region and politics of the community impact management and end-user characteristics while the context variables associated with peer groups impacts end-user characteristics.
• Additional context variables associated with company and state/national policies combine with management and end-user characteristics to impact management behavior.
• Management behavior along with end-user characteristics influence end-user behavior.
• End-user behavior then influences management behavior in an interactive pattern.
• End-user behavior is the most direct influence on end-user achievement as measured by instruments influenced by state policies.
• End-user achievement at the end of one company year then becomes the end-user characteristic at the beginning of the next.

This model provides a vision into the interdependent variable of the cyber learning/training process.  As an open system, the model is affected by a variety of environmental factors.  Adaptation of the system depend upon how well the structures can adjust to changes to the environment, which in the case of the cyber security industry, fluctuates daily.

With a visual aid to better understand the system’s dynamics, constraints, and conditions, corporations can optimize their response to these industry fluctuations, see where resources need to be directed, and ensure they are optimizing their security budgets.