Changing Behaviors at the Cyber Security Front Line

Friday, July 29, 2016
Those in the know predict that the cyber security landscape will likely get worse before it gets better. Symantec reported that in 2015 a record-setting nine mega-breaches occurred, with 429 million identities exposed – a 23% increase on 2014.1 Many companies recognize this trend and are making proactive investments in cyber security capability, not only for their new innovations but also retroactively, looking to protect what is in production today.

To meet this goal, technology-based solutions alone are insufficient, as even the best technology is inadequate if human operators are unaware of their role in mitigating the threat. To engage the human factor, behavioral change management plays a critical role in the deployment of any cyber security enhancement project, particularly when seeking to get ahead of the curve or when the corporate perception of risk is lagging.
Working with an oil and gas major to implement an accelerated cybersecurity program focused on proactively delivering resilience presented a unique set of challenges for the Pcubed team, particularly against the current economic backdrop. One key project focused on removable media (such as USB drives, smart devices and portable hard drives) as a threat vector within the industrial control systems (ICS) space. While well funded by enterprise IT, the accelerated pace needed to drive change across a vast array of diverse business units in a traditionally non-IT space required careful planning.

Building Awareness
When undertaking this proactive cyber security change initiative, it was essential to quickly and clearly articulate the risk. In the evolving risk landscape, many operators may not understand the mechanisms by which malicious code can be transmitted:

– like a flu virus spreads through an innocuous handshake, so can malicious code spread through the thoughtless insertion of a USB flash drive into a corporate network.

USB has been identified as the primary method used to spread Stuxnet, a malicious worm notoriously used to target Programmable Logic Controllers (PLC) within automation systems.2 In the ICS space, many networks are operated by facility / mechanical engineers and sometimes leverage vendor-rich resource pools; these two groups often have a higher demand for file transfer flexibility, but are also outside the usual corporate IT messaging and communication channels. Engaging end users through existing channels of communication - where they exist - and training for the specific user base significantly improves the adoption success rate. Using Business Unit Liaisons / Coordinators to push and pull communication and training through these channels enables effective engagement. Early establishment of appropriate communication channels for casual, contract or other non-traditional workforces is vital to drive awareness and build the desire to become part of the solution. Under this project, site champions were identified to perform local site visits and to post policy and process information at the worksite.
When developing a solution to resonate with end users, it was useful to demonstrate knowledge of the procedures and controls currently in use within the business. The project team used surveys to gather “current-state” data from each end user group to define maturity, then validated the findings, ensuring the resulting recommendations were demonstrably fit for purpose. Engaging end users in the conversation from this early stage builds the omnipresent foundational layer of all change models – Awareness. A thorough knowledge of the baseline practices also provided the opportunity to develop use cases in-house, acknowledging home-grown expertise within the company that was already proven to fit current operating models.

Roadmap to the Desired State

As deployments commenced, Pcubed began championing early adopters to share success stories and case histories, which aided the project team in demonstrating the benefits of the action.

Evidence of improved detection rates is gold for a proactive cyber security project – it drives the desire for change by demonstrating, all in one, that the problem exists and that you have successfully mitigated it.

This project encountered end user resistance based on a perception of low return on investment in the current fiscal climate. Conversely, other stakeholders suggested that the solution did not go far enough, or provided only a low-value intermediary step that could require re-work in the future. To satisfy both arguments, it was necessary to demonstrate that the investment was incremental, agile and supportive of current business practices.
Integrating cyber security is a modern cost of doing business, making many cyber security projects a matter of compliance. Proving measurable benefits (through the championing of early adopters) in the short term, and providing a clear and concise roadmap for building out the capability over time, provided ample fodder to build up that desire and reduce adoption resistance. To help users understand the incremental approach, the project team leveraged industry best practices such as P3M3 and BISSM to design a maturity model assessing people, process and tool capability. Business units were measured against the model, and required actions and recommended practices were tailored to their current state. Business units with below-average practices were instructed on how to meet minimum benchmarks, with a focus on how this initial investment could be built upon as the processes matured.

Helping stakeholders and end users to understand the threat and change their behavior, rather than relying on technology alone to mitigate risk, is not a small undertaking. The optimistic human condition can make it challenging to build up excitement when the risk doesn’t yet seem real to users. Supplementing change tactics with proven tools and techniques from three of the four Pcubed service lines (program delivery using Agile, change management, and enterprise project delivery) helped ensure project success. The Pcubed project team found that early and active engagement through existing channels, together with an Agile, incremental approach to solution design and deployment, goes a long way towards breaking down resistance and bringing users from all fields into the mindset of maintaining a healthy cyber security posture.


1 Symantec, 2016 Internet Security Threat Report
2 “Stuxnet delivered to Iranian nuclear plant on thumb drive”, CNET

Catherine Pye is a Pcubed Principal Consultant in the Energy, Oil and Gas sector, based in Houston. Qualified as both Prince2® and MSP® practitioner, she specializes in delivering high complexity change programs with national and global stakeholders.
