How harm reduction can more effectively reduce employee risky behavior

Most cybersecurity professionals know that training employees to follow good cybersecurity practices, such as phishing simulations that find employees at fault for falling for convincing phony lures, is frequently a frustrating proposition. One recent experiment conducted at Baylor University found evidence that phishing tests can harm relationships between a company and its employees, causing feelings of betrayal and making them view cybersecurity as harmful.

Kyle Tobener, vice president, head of security and IT at Copado, thinks he has a better solution to helping organizations improve the cybersecurity posture of their employees: harm reduction. This week at Black Hat, Tobener will propose a framework for applying harm reduction to cybersecurity risks that he has been working on since 2020.

Applying a medical model to cybersecurity

The concept of harm reduction originated in the medical community, specifically in substance abuse treatment. The theory is to meet people “where they’re at” and accept that certain behaviors can’t be eliminated entirely. Instead, the goal is to minimize the harmful effects of the negative behaviors as much as possible.

The concept of harm reduction in cybersecurity is not a new one, although examples of its usage are sparse. For instance, Eva Galperin, cybersecurity director of the Electronic Frontier Foundation, published a piece in March entitled “Telegram Harm Reduction for Users in Russia and Ukraine.” In her article, Galperin guides users on how to more safely navigate the Telegram app, which is “certainly not the most secure messaging app on the market right now,” she wrote.

The Cyberbullying Research Center also promotes harm reduction regarding sexting among young people, another kind of behavior that is likely unaffected by outright admonitions. “We spend all of our time and energy demanding that youth never send intimate pictures to anyone while creating a police state of sorts to try to ensure it doesn’t happen (e.g., monitoring, spyware, etc.),” according to the Center.

Focus on reducing negative security consequences

Tobener said he learned about harm reduction when coping with a family member who struggled with addiction. “Once you learn about harm reduction and see people giving advice like ‘don’t do this,’ and start to realize how ineffective that advice is, it really changes your way of thinking,” he tells CSO. “In security, people give a lot of advice.”

For example, he points to the Coinbase commercial during the Super Bowl earlier this year that enticed viewers to use a QR code to go to a Coinbase website. “A lot of security people immediately went to Twitter, went to blogs and whatever, and said, ‘do not use random QR codes. This is so unsafe,'” Tobener says.

“That is terrible advice. QR codes and links are how the internet works. People are curious. They want to learn. So, when you give this advice, the person does it anyway. You’ve lost an opportunity to educate that person with maybe some information that could be helpful.”

“Harm reduction teaches us that if you focus on reducing the negative consequences or the risky behaviors people might be taking, rather than just trying to reduce the amount of risk-taking people do, in the aggregate, over the long run, you’re going to be giving more effective advice.”

Three-step framework to tackle harm reduction

Tobener has developed a simple framework that he has distilled from a host of harm reduction materials in the healthcare arena. The first step in the framework is “to accept that risk-taking behaviors are here to stay,” he says. “The medical research shows that despite all our best efforts to eliminate drugs and get rid of drinking, you don’t get rid of risk-taking behavior behaviors.”

The second step is to prioritize the reduction of negative consequences. “The core of harm reduction is focusing on the negative consequences and reducing those rather than trying just to reduce the behavior,” says Tobener.

Tobener believes the third and most exciting piece of his framework is something he thinks most cybersecurity people don’t focus on: embracing compassion while providing guidance. “Compassion is something you can have for someone such as a marketing person, who’s doing something you might deem risky,” he says. “There are ways to support them that don’t cast a stigma on the things they’re doing or shame them. But, unfortunately, a lot of security people think naming and shaming is actually a good idea.”

Compassion can make security professionals more effective

Research shows that compassion can make security professionals more effective practitioners and reduce burnout because it causes people to listen to them more carefully. “And eventually, if you’re compassionate with them, as has been shown in drug research, sometimes they come to the choice of stop using on their own because someone was nice to them and listened to them and helped them.”

One study that Tobener cites shows that compassionate doctors, for example, achieve greater success in getting their diabetic patients to stick to guidance. “Patients with compassionate doctors showed increased adherence to guidance,” he says. “They were 40% less likely to have complications and 80% more likely to control their blood sugar in an optimal way.”

Tobener honed his understanding of the importance of compassion in a profoundly personal way. He originally planned to present his harm reduction framework at Black Hat in 2020. But before he could perfect his talk at the event, he received a cancer diagnosis. He subsequently underwent surgery and chemotherapy and is now cancer-free.

“My experience with the medical profession and the doctors that I had helped inform my research on kind of the compassion side of things,” Tobener says, helping his framework get much better than when he first submitted it to Black Hat. “I experienced a lot of what I talk about firsthand.”

Tobener emphasizes that telling people to stop engaging in unsafe practices is still OK. His framework doesn’t eliminate telling people to stop engaging in risky behavior. “It’s that, in addition to the advice of not to do something, just accept that some percentage of the population is going to do it anyway and figure out a way to care for those people as well.”