How Yahoo Built a Culture of Cybersecurity

Mike Alreend
4 min read · Oct 6, 2021


As the world grows more digital, many big companies store their confidential data in databases and other systems. But this has also given rise to cyberattacks. Hence, cybersecurity was introduced to fight against the dangers of cyberattacks.

Cybersecurity is a set of practices developed to keep the software and hardware that hold confidential and sensitive information safe and secure.

We have entered a new era of the digital world; with digitalization comes a higher threat to confidential information held in digital form. Cybersecurity is necessary for every organization, whether big or small.

Cybersecurity is concerned with protecting the data and sensitive information available in cyberspace against different cyber threats. It is the responsibility of cybersecurity engineers to keep the data of the organization and its employees safe.

Yahoo studied how its employees responded to being asked to take cybersecurity seriously. It observed that telling people the value of something does not create a remarkable change. Change occurs when people see the value of something for themselves.

The same is true of cybersecurity: telling employees about the importance of cybersecurity does little to drive proper action against cyberattacks. To move your employees towards a cybersecurity culture, it is essential to measure what people do when no one is watching them.

The Cybersecurity at MIT Sloan research group (CAMS) collaborated with Yahoo’s security organization, known as the Paranoids, to understand its mechanism for improving the company’s cybersecurity culture. The Paranoids’ team successfully employed several efficient and innovative means to improve the cybersecurity culture.

Understanding the Employee Behavior

The Paranoids team asked Yahoo employees to undergo annual online cybersecurity training in order to understand employee behavior and distinguish between actions, habits, and behavior. During the training, they realized that an individual’s behavior could be defined as the combination of activities and patterns.

Steps Towards Changing the Employee Behaviors

After understanding employee behavior, the Paranoids’ Proactive Engagement team moved forward. They identified three basic steps to be followed for changing employee behavior:

Step 1

Identify the desired behavioral goal. A clear purpose for a specific behavioral outcome is a prerequisite for any measurable change to occur. The plan avoids what the team called “impossible advice”: any security guidance that requires the end user to make a qualitative judgment about security.

Step 2

Find an appropriate measure and create a baseline. To improve a company’s cybersecurity culture and strengthen the business’s resistance to attack, one must measure what people do when no one is looking.

Step 3

Take actions to affect the measured behavior, adjust those actions over time, and repeat the process. The team designed activities to move the baselines. Equally important to driving appropriate behaviors was learning from the results of these activities, then adjusting and creating new activities for continual improvement.

Measuring the Employee Behavioral Goals

The Proactive Engagement team then moved on to find ways to measure the employee behavioral goals. Rather than instructing employees to determine whether a link was suspicious, which is a subjective and flawed approach to cybersecurity, the team defined a new behavioral goal for employees: ‘When your corporate account receives an email sending you to a website asking you to enter credentials, report the email to our defense team.’

After studying the actions of employees closely, the team highlighted three key measures:

Susceptibility Rate:

Defined as the number of employees who entered their credentials and did not report the phishing email, divided by the total number of phishing emails sent.

Credential Capture Rate:

Defined as the number of employees who entered their credentials, divided by the number of employees who opened the phishing simulation and landed on the fake login page.

Reporting Rate:

Defined as the number of employees who reported the phishing simulation, divided by the total number of phishing simulation emails sent.
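As an added example (not code from the article or from Yahoo’s Paranoids), the three rates computed from one simulation round, per pillar as on the team’s dashboards. The per-email record format and the sample data are constructed assumptions; note the different denominators: susceptibility and reporting are over emails sent, credential capture is over recipients who reached the fake login page.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class SimResult:
    """One phishing-simulation email sent to one employee (constructed schema)."""
    employee: str
    pillar: str      # organisational unit that managers benchmark against peers
    landed: bool     # clicked through to the fake login page
    entered: bool    # typed credentials into the fake page
    reported: bool   # reported the email to the defense team

    def __post_init__(self) -> None:
        # Credentials can only be entered on a page the recipient reached.
        if self.entered and not self.landed:
            raise ValueError(f"{self.employee}: entered credentials without landing")


# Constructed sample round: 8 emails sent across two pillars.
SAMPLE_ROUND = [
    SimResult("e01", "engineering", landed=True,  entered=True,  reported=False),
    SimResult("e02", "engineering", landed=True,  entered=False, reported=True),
    SimResult("e03", "engineering", landed=False, entered=False, reported=True),
    SimResult("e04", "engineering", landed=False, entered=False, reported=False),
    SimResult("e05", "sales",       landed=True,  entered=True,  reported=True),
    SimResult("e06", "sales",       landed=True,  entered=True,  reported=False),
    SimResult("e07", "sales",       landed=False, entered=False, reported=False),
    SimResult("e08", "sales",       landed=True,  entered=False, reported=False),
]


def _ratio(num: int, den: int) -> float:
    # A pillar where nobody reached the fake page has no capture rate; use 0.0
    # instead of dividing by zero so the dashboard still renders.
    return num / den if den else 0.0


def phishing_metrics(results: Iterable[SimResult]) -> dict[str, float]:
    rows = list(results)
    sent = len(rows)                               # one record per email sent
    landed = sum(r.landed for r in rows)
    entered = sum(r.entered for r in rows)
    reported = sum(r.reported for r in rows)
    susceptible = sum(r.entered and not r.reported for r in rows)
    return {
        "susceptibility_rate": _ratio(susceptible, sent),
        "credential_capture_rate": _ratio(entered, landed),  # denominator: landed
        "reporting_rate": _ratio(reported, sent),
    }


def metrics_by_pillar(results: Iterable[SimResult]) -> dict[str, dict[str, float]]:
    groups: dict[str, list[SimResult]] = defaultdict(list)
    for r in results:
        groups[r.pillar].append(r)
    return {pillar: phishing_metrics(rows) for pillar, rows in sorted(groups.items())}
```

Running `metrics_by_pillar(SAMPLE_ROUND)` shows that two pillars with the same susceptibility rate can differ sharply in credential capture and reporting, which is why the team tracked all three.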

After understanding the actions, habits, and behaviors, the team then asked employees to use a password manager. The password manager reduced the guesswork for employees: it filled in credentials only on recognized sites, not on fake ones built to steal them.

The Proactive Engagement team measured progress by creating dashboards where managers could benchmark their corporate pillar’s performance against their peers. The dashboards were an essential tool for managers because they created an environment of active and passive competition. The competition gave employees an incentive to do better, and the dashboards allowed managers to see how their reports were doing. They also served as a bridge between the Proactive Engagement team and senior Yahoo leadership.

Employees who actively used the password manager received merchandise such as Paranoid-branded t-shirts, hoodies, and hats.

Summary:

In its summary, the Proactive Engagement team recommends that managers take the following steps to make meaningful changes in employee behavior:

  • Identify the critical employee behavior.
  • Measure the behaviors of the employees transparently.
  • Managers must use awareness measures to explain why something is important.

Cybersecurity professionals must first identify the root cause of the problem, and only then develop and implement a strategy to rectify it.


Written by Mike Alreend

Result-oriented technology expert with 10 years of experience in education and training programs. Passionate about getting the best ROI for the brand.
