One Article Review

The article:
Source: Proofpoint
Identifier: 8573960
Publication date: 2024-09-10 10:40:42 (seen: 2024-09-10 15:17:20)
Title: Beyond Security Awareness: Moving Toward Sustained Behavior Change
Text:

In recent years, there has been a lot of discussion among practitioners, analysts and vendors about the security awareness industry, and what constitutes a good program, how it is measured and why.

Based on hundreds of conversations with customers of various sizes and complexity, it is clear that traditional compliance-based security awareness training methods are falling short. So, too, are our methods for measuring their effectiveness.

If the goal is to reduce the cybersecurity risk that's related to employee actions and behaviors, then we need to move beyond raising awareness to driving sustained behavior change and fostering a security-minded culture.

Challenges with traditional security awareness programs

Traditional programs to increase security awareness have long been a staple of companies' cybersecurity efforts. Why have they not been effective?

One-size-fits-all approach

Many traditional programs use the same generic, compliance-driven training content year after year. This approach fails to address the unique, real-world situations that employees in different roles within a business are likely to encounter. A one-size-fits-all methodology can lead to disengagement and a lack of relevance for employees. However, offering a tailored approach can be daunting for security teams, especially if they are under-resourced.

Lack of connection to the real world

Traditional programs may impart knowledge, but they often struggle to translate that knowledge into sustained behavioral change. Research for the 2024 State of the Phish report from Proofpoint found that more than two-thirds of employees (68%) knowingly engage in risky behavior despite 99% of companies having a security awareness program.

Most awareness programs are like teaching someone how to skydive by asking them to watch a few videos and read a policy. But when that person jumps out of the plane, they become disoriented. They are not accustomed to the wind and the thin air, and they feel unsure about when to activate the parachute.

Similarly, employees who only receive passive training about security struggle to apply their knowledge when faced with real-world threats. Employees may understand security concepts, but they struggle to apply them consistently in their daily work.

Why changing the terminology won't work

A new term is coming up in our discussions with customers: human risk management.

Many customers tell us that they want to move to this approach. They say that they want to measure risk, but they are unsure of what to measure and how to go about doing it. The complexity of pulling in data from across different vendors and sources and having it all make sense and be actionable is a challenge. They also mention they want to use automation, gamification and other elements to help them get better employee engagement.

These are great tools. And, without question, we should understand risk and find ways to engage with employees more effectively. But they are just tools, and they fall short of understanding how to change behavior. That requires diving into behavioral science principles and techniques, which most cybersecurity teams are typically not trained to do.

Some customers, analysts and vendors call the practice of security awareness "human risk management" without understanding what that term means. It is a confusing term, and a negative one. It suggests that humans are "risky" and need to be "managed." It perpetuates the idea that the employee is the problem, and it fosters an "us vs. them" mentality instead of an inclusive one.

At Proofpoint, we believe in a human-centric approach to cybersecurity. This involves understanding how technology, social factors and organizations themselves impact people's understanding and interactions with cybersecurity. NIST refers to this as human-centered cybersecurity or "usable" security.

To build a
Rating: ★★
Sent: Yes
Tags: Tool, Threat, Conference


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.