How to change security behaviour

2nd February 2021

Change management strategy as a success factor (Part 2)

Example of the implementation of a change management strategy for a phishing campaign

Read part 1 here - Change management strategy as a success factor - Why a change management strategy helps with security awareness campaigns and a security strategy and what needs to be considered.

Change management strategy for security awareness

Using a fictitious example, we will show you how you can implement a change management strategy for security awareness.

The fictitious company "Secure AG" wants to improve its security, supplementing its technical measures by including training for its employees for them to behave securely. The company has 500 employees and a small security team that also looks after security awareness.

Since the current situation of the information security culture within the company is not entirely clear, the management decides to conduct a survey among the employees in advance. The Security Awareness Radar® from TreeSolution is used for this.

The survey checks the information security ABC: Awareness, Behavior, Culture. Strengths and weaknesses in the areas of awareness, behavior, and culture are measured. The measurements show in which departments the understanding of information security is greater and in which departments it needs to be improved with targeted measures.

  • The survey shows that the issue of the difficulty of finding security guidelines and procedural instructions should be addressed at company level.
  • At the department level, many superiors clearly do not set enough of an example or give the topic of security enough support.
  • The survey shows that employees should be trained primarily in the subjects of password security and phishing.
  • The survey also shows that the HR department needs additional data protection measures.

Based on this knowledge, the security team now works with the communications and HR departments to develop a security awareness strategy with suitable campaigns. The campaigns serve to promote the security awareness of the employees, to support them in behaving securely and thereby also to make the company more secure. For the implementation they proceed according to the principles of change management.

They decide to implement the following:

  • Central document storage for security guidelines and procedural instructions.
    The documents pertaining to security were previously not kept together in any central location in the document repository and were therefore difficult to find. Making the documents easier to find will help ensure that security-relevant aspects are better integrated into work processes and new projects from the start.
  • Training of management on security issues.
    An important aspect of security awareness and the associated implementation of information security is the setting of examples. Involvement of management and executives is therefore considered important. When managers practice security, they become role models and can also advise their employees correctly. In this way, they also become security ambassadors. The training will take place via e-learning and workshops.
  • Training on phishing and password security.
    E-learning courses on phishing and password security will be created for all employees. In addition, an email campaign, posters, and leaflets will draw attention to the topic of security. For password security, the company has adopted a new directive on the length and type of passwords. This will be communicated at the same time. A central contact point will also be set up where phishing mails are to be reported.
  • Data protection training for the HR department.
    E-learning and fact sheets will train the HR department specifically on data protection, so that the company does not risk being involved in a legal dispute. This training follows from the survey finding that there is a lack of knowledge in this area, especially concerning the new data protection regulation.

The campaign measures are to be applied over two years. Afterwards, a survey should again determine how sustainably the change was accepted and implemented by the employees.

Creation of the project plan using the change management process

To keep this example more readable and concise, we focus on only one measure here: we look at the change management process related to phishing training.

The TreeSolution change management model of secure behavior serves as a template.

The model shows how the measures decided should be implemented so that anchoring of knowledge among employees is most effective. Depending on the stage of implementation, the measures must therefore be prepared differently. First, attention paid to the topic should be increased through information and awareness-raising. The right type of communication improves perception and attitudes towards the topic, while enhancing knowledge and understanding. Anchoring is achieved by consolidating skills.

Image: TreeSolution Model of Secure Behavior

Since change cannot take place overnight, the campaign will run over several months. During this time, the topics will be divided into the three steps of the model, 1) attention, 2) acceptance, and 3) anchoring with the appropriate preparation, communication, and training.

"Attention" stage

As a first step, a poster campaign will be used to draw employees' attention to the topic of phishing. There will be a brief description of what phishing is all about.

A second step involves raising awareness. An information email will be sent to all employees with additional information about phishing and how to protect oneself.

"Acceptance" stage

Understanding/knowledge: to increase acceptance of the topic, it must be understood and knowledge about it must be strengthened. This will be achieved with a mandatory phishing e-learning. It will once again provide information about phishing: what it is, how to recognize it, how to protect oneself, and where to report suspicious emails. At the end of the course there will be a quiz to test what employees have learned.

Conviction (positive perception/attitude): A few weeks after the e-learning, an information e-mail will explain the advantages of recognizing phishing. For example, employees not only protect their employer, but also their private information. In addition, the new phishing reporting location and the ease of reporting an email will be communicated again.

"Anchoring" stage

Transfer (skills / abilities): The most important aspect is the detection of phishing messages. A phishing challenge will check how well employees can recognize such an email. For this purpose, the first step will be to send a series of phishing e-mails. Next, there will be a check on how many employees click on the link in the e-mail and enter their data compared with how many employees report the e-mail as phishing. Since this will be gamified and the emails will be tailored to the recipient's situation, the measure will have a high level of acceptance among users.

Confirmation: to encourage dialogue with employees on the topic, lunch-break webinars will also be organized, where the topic will be discussed in more depth, questions will be answered and interested parties will be able to exchange ideas.

How to manage possible resistance

In advance, the team thinks about what resistance it might face:

  1. Employees may struggle to recognize phishing emails.
  2. They may lack the time to make a more detailed examination of suspicious emails.
  3. They may not forward emails because they do not know about the location to which they should send them.
  4. “This doesn't concern me; I don't receive any emails”.

The types of resistance are recorded in a risk map according to risk and probability of occurrence.

Image: Risk map - potential resistance in the phishing campaign

To deal with such resistance in advance, proposals for solutions are developed.

  • Recognize phishing: Examples of phishing emails and how to recognize them should not only be shown in phishing e-learning, but also via the other channels. The team decides to design an additional poster showing an email and the parameters that can be used to detect phishing. The poster can be displayed in the office so that employees can find out more at any time.
  • Lack of time: So that employees do not have to spend a lot of time examining emails, they should instead be able to report them simply and quickly. The team therefore decides to add a report button to the e-mail tool.
  • Notification office unknown: The notification button in the e-mail interface will be shown in the information sheet, in the information e-mail and in the e-learning. In addition, supervisors will be informed in advance so that they are already familiar with it.
  • “It doesn't concern me”: some employees may work less with emails or not at all. So that those who do not use e-mail at work or only infrequently understand the importance of the topic, it should be made clear that it is also good to be able to identify such e-mails in private, as well as identifying phishing text messages, phone calls, and social media posts. In addition, the damage phishing can cause not only in the company but also in private should also be made clear.

Image: Recognize a phishing email

Project plan and communication

All goals, milestones and sub-projects are recorded in a project plan. The project plan also contains the individual target groups of the measures, the timelines, the advantages of the changes, and details of the measures. The project plan is made available to all employees on the intranet. During the project, the status, successes, and challenges are continually communicated. The IT Service Desk is specially trained for questions and concerns.

Image: Phishing campaign schedule

Security ambassadors

To anchor the topic of phishing effectively in the teams and departments and to support the employees, security ambassadors are sought out to support the security department with communication and assistance. They can help employees in their departments with questions and set up their own information points where people can come during breaks, for example. In addition, employees can give feedback to the ambassadors and communicate their questions and uncertainties.

Successful security awareness thanks to the execution of a change management strategy

We recommend following the principles of change management listed in this blog series when planning security projects and security awareness measures. This enables you to identify many hurdles and challenges in advance and work out solutions. By working with those concerned, innovations are more readily accepted and possible fears can be addressed. A well-developed change management strategy supports all those involved in the change process until new tools, working methods or processes are properly anchored and adopted.
