Let’s Talk About the ‘Stupid User’ Myth

The term ‘stupid user’ has become a regular part of conversations in the cyber security world, but is it an accurate assessment? The truth behind this myth may surprise you.

Recent research conducted by Nudge Security took 900 participants through a common work scenario: accessing SaaS applications where they faced security interventions—blocking, nudging, and punitive, where they suspend a user’s access to said SaaS and require them to undergo training.

Participants were then asked questions to determine how they felt about the intervention. The results showed that 67% would look for workarounds if access to a SaaS app were blocked—no surprise there at all. 78% would comply with a security nudge, and 70% felt negatively about punitive intervention.

The results show that employees are naturally inclined to look for ways to circumvent SaaS security blockades. This fact alone debunks the ‘stupid user’ myth.

Terranova Security forms and shares its insights, combining results from said research, the 2022 Gone Phishing Tournament  results, and the Cyber Culture Report.

In this article, we’ll look at what the ‘stupid user’ concept means and what our research findings say about it. We’ll discuss how user behavior can be influenced by several factors and how organizations can create a culture of cyber security awareness.

What is the ‘Stupid User’ Myth?

It’s widely believed that humans are the weakest link in cyber security. This belief is why most organizations have cyber security awareness training in place.

However, security awareness training isn’t the end all, be all of cyber security, as evidenced by data breaches still occurring with businesses despite having a trained and educated workforce.

This myth fails to consider the highly sophisticated nature of modern cyber threats and their ability to exploit human weaknesses such as curiosity or lack of knowledge. As security measures evolve, so do the attackers.

Threat actors use social engineering tactics to exploit human emotions and manipulate victims into doing something they normally wouldn’t do.

Debunking the ‘Stupid User’ Myth: Stats and Data

Users are not entirely oblivious to cyber attacks and threats, as shown by the results of Terranova Security’s IPSOS report and 2022 Gone Phishing Tournament results:

• In 2022’s Gone Phishing Tournament, only 7% of recipients clicked on the phishing email link included in the simulation’s initial message. The click-to-form-completion ratio (CFCR) was 44% globally. Both numbers are significantly less than the results in 2020 and 2021, showing that cyber security awareness is improving across sectors.
• In Terranova Security’s IPSOS Report, we found that only 34% of respondents believe that the level of cybersecurity knowledge in their company is average to good. Only 30% believe that their personal knowledge of cyber security is good. This shows that awareness itself is there, and it’s up to security leaders to leverage this.
• Employees are aware of a lack of security awareness training in their organizations. 45% of French companies and 31% of UK companies offer no form of cybersecurity awareness training. Further, only 5% of employees in Australia, 50% of employees in Canada and the UK, and 29% of employees in France say they have completed a module on cyber security.
• Despite the lack of cyber security training, a whopping 79% of respondents say they are interested in cyber security awareness training, even if their company does not offer it. As to how they would like to receive security awareness training, 37% would like practical activities such as phishing simulations, 37% prefer online courses, 32% prefer short game-based formats, and 30% would like to have sessions with an instructor.
• In the same report, 59% of respondents say they are responsible for protecting their company in their day-to-day tasks and assignments, which points to a sense of obligation to be aware of cyber security and take measures to avoid attacks.
• Employees are aware of the basic measures they need to take to prevent cyber attacks. 50% know they need to set up unique passwords for each account, 47% know to analyze emails closely to detect signs of phishing, 59% are aware that they need to be careful when receiving emails/texts, 61% know they should never click on links or open attachments in unsolicited emails and texts, and 45% make it a point to report suspicious emails to IT teams.

CISO Recommendations

“Culture eats strategy for breakfast.” – Peter Drucker

Rather than blaming users for cyber attacks, organizations should focus on implementing effective security measures to protect against malicious activities. This means taking your users’ emotions and learning curve into account rather than just restricting access. This includes:

• Comprehensive policies in place that outline acceptable behavior, investing in employee security training and awareness programs
• Multi-factor authentication solutions to prevent unauthorized access.
• Security awareness programs tailored to the needs of your organization and employees.
• Modules that are easy to digest and cover a wide range of topics related to security and privacy.
• Just-in-time training that can provide feedback when it is most pertinent for users, helping them understand why certain actions are risky or secure.
• Lastly, providing positive reinforcement for secure behavior can go a long way in helping employees make secure decisions.

Security awareness must be a continuous process, not just a one-time event. Periodically review and refresh the memory of your employees to ensure that everyone is up to date on security best practices. Effective security awareness programs will help protect your organization from cyber threats and keep confidential data safe.

While teaching users how to recognize and avoid malicious activities can help reduce vulnerabilities, it cannot completely protect against cyber threats. Organizations must take a proactive approach to security and invest in effective measures to protect their networks, systems, and data.

With the right tools and processes, organizations can be better prepared against any potential cyber attack.