Cybersecurity Awareness Programs: Review of Behavioral Change Impact and Identification of Leading Practices
In industry, cybersecurity awareness programs are growing beyond traditional annual training and awareness, utilizing more informational “touches” with the workforce to discuss cybersecurity issues. Cybersecurity awareness programs often include Cybersecurity Ambassadors Programs that go beyond annual training and awareness. These programs involve additional elements that encourage attitude, intention, and behavior change, grassroots social influence, and a cultural shift toward enhanced cybersecurity in the organization and beyond. To our knowledge, few, if any, Cybersecurity Ambassadors Programs exist in the federal government beyond annual training and awareness. Government agencies, industry organizations, and international Five Eyes partners are increasingly requesting a behavioral science-based approach for creating a better end-user cybersecurity culture and improving user cyber hygiene. This small-scale research study assessed the feasibility of a government application of several robust, integrated, and successful industry Cybersecurity Ambassadors Programs that have engaged up to 50% of their workforce to voluntarily participate, identify cyber risks, and engage in secure cyber behaviors both at work and at home. Based on this research, MITRE produced a report outlining leading practices and recommendations applicable to government agencies and industry organizations seeking to set up a similar program. The report outlines a proposal for a much-needed test and evaluation approach for these programs.