Forrester’s Guide To Global SA&T Regulations And Standards Reveals An Impetus For A Better Future

Twenty-five percent of security decision-makers tell us that their security awareness and training (SA&T) programs are driven by compliance. A recent NIST study on “Measuring the Effectiveness of U.S. Government Security Awareness Programs” found that 56% of leadership respondents strongly agreed or agreed that compliance is the most important indicator of success, and 47% of all respondents strongly agreed or agreed with the same statement. This sentiment produces programs built on compliance as a strategy, instead of actually helping organizations drive the real, needed behavior and culture change.

Forrester identified and examined 45 unique SA&T regulations and standards from across the globe, spanning industries, countries, and even states (Forrester clients can access here). We found that these regulations and standards are often outdated, confusing, and indeed compel companies toward compliance as a strategy. These standards and regulations:

  • Are largely outdated and rarely updated. Of the 45 unique regulations we examined, 29 were originally created five or more years ago. Seventeen were created 10 or more years ago, and eight were created 20-plus years ago. Six were even created before the turn of the 21st century. Only 21 of the 45 standards and regulations examined have been updated since they were originally created, and four of those were updates of regulations that were created within the last five years.
  • Completely miss the purpose, with behavior and culture change rarely mentioned. SA&T is a method, not an outcome, yet the word “behavior” appears in only three of the regulations, and the word “culture” appears only twice, as the reason the training is performed.
  • Vary in terminology, strictness, and specificity. An evaluation of just the top 13 most significant standards showed the stark differences between the who, when, level of mandate, why, how, and what of each one and the challenge that security leaders face when they need to comply with these requirements.

An Inconvenient Truth: Security Awareness And Training Is A Method, Not An Outcome

To move away from compliance as a strategy, set a goal for your program that extends well beyond meeting compliance requirements. The goal of SA&T programs is actually to positively influence employee security behavior, instill a security culture, and manage the human risk. You can do the following to focus on the outcome instead of the method:

  • Understand the limitations of compliance, completion, and engagement metrics. Eighty-four percent of the participants in the NIST study measure the effectiveness of their security awareness program with completion rates, 72% with phishing click rates, and 67% with audit reports and evaluations. The problem with those metrics is that they give you no indication of whether a particular digital behavior ultimately changes as a result of completing training. This in turn raises the question: Why do we train people if not to change behavior? And how are we measuring behavior change?
  • Focus on measuring security behaviors instead of compliance metrics. SebDB, a crowdsourced database by CybSafe, for example, contains a comprehensive list of over 70 digital behaviors to pay attention to; it goes a step further and also ties them to the risk that they pose. Digital behaviors include using a VPN, tethering a laptop, locking devices, changing passwords, and using password managers. While many training programs try to train people on these behaviors, hardly any of them measure whether these behaviors pose a risk to organizations, or, if they do, whether the training actually changes these behaviors. The NIST study supports this, with 44% of survey participants rating determining what to measure and how to measure program effectiveness as very or moderately challenging.
  • Extend your definition of security behaviors beyond phishing and incident reporting. Some organizations that move beyond measuring completion rates actually do measure behavior metrics, but those are still limited to reporting of actual phishing (53%) and security incident reporting (54%), both of which are important but are only two of 70 or more possible digital behaviors that SA&T should correct.

In The Medium Term, Human Risk Management Will Overcome SA&T’s Shortcomings

Two decades of increasing focus on the human side of security has inadvertently, and with the best of intentions, created a status quo that’s difficult to break. Security and risk leaders must reject the status quo of their well-intentioned, commonly accepted awareness program and focus on managing the human risk. This involves defining your behavioral baseline and target state, quantifying the human risk based on behavior, initiating risk-based interventions, and codifying security culture.

Now Start Imagining The Future: Adaptive Human Protection

A widely accepted adage in cybersecurity is the mantra that “Security is everyone’s responsibility,” but should it be? When cybersecurity is not everyone’s responsibility, it allows employees to get on with their day-to-day, meeting their digital aspirations while at the same time being protected from cyberthreats, even if they make a mistake. Getting to that future will likely take 7–10 years, as currently the pull to stay the same is stronger than the friction required for change. It’s time to move against that friction — and for the industry to reimagine a future when superfluous SA&T that we’ve adopted because it was required at the time can be safely put to bed.

Look out for our future of security awareness and training research coming up in Q4 2022. I will be doing a big reveal of both the medium- and long-term future at both our flagship Technology & Innovation APAC and Security & Risk Forums in Sydney and Washington, D.C., respectively!