Gartner PIPE Framework: Evolution of Security Awareness
Recent research by Gartner titled "Security Awareness Is Dead! Now What?" boldly highlights the limitations of conventional approaches and offers a glimpse into the future of cybersecurity awareness.
At a time when digital threats are evolving as quickly as the technology itself, the concept of traditional security perception is being challenged. Recent research by Gartner titled "Security Awareness Is Dead! Now What?" boldly highlights the limitations of conventional approaches and offers a glimpse into the future of cybersecurity awareness. This article dives into the key takeaways from this research and explores how organizations can adapt to this changing landscape.
What is Gartner's PIPE Framework?
Gartner's PIPE Framework is designed to enhance security behavior and culture programs (SBCPs) by focusing on four key components:
- Practices: Implementing specific actions and routines that promote secure behaviors among employees.
- Influences: Identifying and leveraging factors that affect employee behavior, such as organizational culture and peer dynamics.
- Platforms: Utilizing tools and technologies that support and reinforce secure practices, like security awareness training modules and monitoring systems.
- Enablers: Providing resources and support mechanisms, including leadership commitment and policy frameworks, to facilitate and sustain security initiatives.
By integrating these elements, organizations can move beyond traditional awareness campaigns to foster a culture where secure behaviors are ingrained and consistently practiced.
![42.jpg](https://timely-benefit-e63d540317.media.strapiapp.com/42_911cae870a.jpg)
The Fallacy of Security Perception
Over the years, security awareness programs have become fundamental in the fight against cyber threats. However, the presentation highlighted a disturbing fact: despite significant investment in security awareness training, breaches caused by human error remain a leading problem. Surprisingly, 82% of breaches are due to human error, proving that current methods are not as effective as expected.
Several important issues contribute to the mismatch of traditional security perceptions:
- Wrong Metrics: Companies often measure the success of their awareness programs using metrics that don't actually measure changes in employee behavior, such as completion or bounce rates.
- Lack of Formalization: Some programs lack formalization, leading to inconsistent implementation and reduced efficiency.
- Lack of Resources: The limited number of dedicated security awareness staff leads to insufficient resources and staff training efforts.
Future of Cybersecurity Awareness
![what is the future of cybersecurity.webp](https://timely-benefit-e63d540317.media.strapiapp.com/what_is_the_future_of_cybersecurity_950bbe661e.webp)
To deal with the shortcomings of traditional security perception, a shift to innovative strategies is imperative. The Gartner research suggested three strategic approaches to prepare for the future:
- Security Behavior and Culture Program (SBCP): Besides traditional security awareness training, organizations should consider implementing SBCP. This program targets tangible changes in employee behavior through a multi-dimensional approach.
- New Capabilities: Implementing SBCP requires new capabilities, including behavioral science, automation, data integration, multichannel interactions, personalized interactions, and management change.
- Metrics Reinvention: Developing new metrics to measure authentic behavioral outcomes is essential. This involves assessing the risk associated with different employee segments and accurately assessing the results of the fraud simulation.
Cultivate Positive Cybersecurity Habits
Traditionally, negative reinforcement has been at the heart of security awareness initiatives. The Gartner report emphasized the importance of moving to positive incentives such as recognition, gamification, and participation. In addition, the correlation between secure behavior and positive business outcomes demonstrates the tangible value of cybersecurity efforts.
Navigate the Unknown With Innovation
![phishing awareness training.png](https://timely-benefit-e63d540317.media.strapiapp.com/phishing_awareness_training_f7f7f746ba.png)
As the graphic above shows, although 95% of organizations conduct some sort of awareness program, 70% of employees still demonstrated insecure behaviour. Hence, the Gartner research emphasized the need to go beyond traditional methods and adopt innovative approaches rooted in behavioral science and with quantifiable results. That way, organizations can arm themselves to reduce the risk of human error and establish a more secure digital environment.
Gartner's Proposal For a Secure Future
The presentation concluded with a series of recommendations drawn from Gartner's extensive research:
- Shift Away from Tradition: Relying solely on traditional outreach programs may not yield different results. A new approach is needed.
- Foster New Capabilities: Creating a security behavior and culture program requires new capabilities that adapt to a changing context.
- Measure What Matters: Developing metrics that accurately measure behavioral outcomes is critical to success.
- Simplify Security: Reduce the obstacles associated with security controls, making security measures a natural and easy way to work.
In-depth Gartner Research
For those wanting to understand the future of security awareness better, Gartner offers several research resources:
- "Innovation Insight on Security Behavior and Culture Program Capabilities"
- "Security Awareness Efforts Fall Short! Now What? (Survey Results Analysis)"
- "Build a Culture of Security Consciousness: Introducing the Gartner PIPE Framework"
- "Use Behavioral Economics to Influence Security Behavior and Individual Decisions"
- "Infographic: How to Drive Secure Behavior When Security Awareness Falls Short"
The traditional era of security awareness has come under scrutiny, prompting organizations to redefine their strategy. Businesses are better positioned to meet cybersecurity challenges in an ever-changing digital landscape by applying behavioral science, new capabilities, and results-based metrics. The way forward requires adaptability and innovation, ensuring a safer digital future for all.
Keepnet’s Human Risk Management Platform
Keepnet offers a comprehensive suite of tools designed to address the human element of cybersecurity. Explore their range of products:
- Phishing Simulator: Test and educate your employees on the dangers of phishing attacks.
- Vishing Simulation: Train your staff against voice phishing or "vishing" attempts.
- Smishing Simulation: Evaluate and train your team against SMS-based phishing or "smishing" threats.
- MFA Phishing Simulation: Test the resilience of your multi-factor authentication processes against phishing attempts.
- Security Awareness Training: A platform for continuous cybersecurity education and awareness.
- Phishing Analysis and Response: Quickly respond to and manage security incidents.
- Threat Intelligence Sharing: Collaborate and share threat intelligence with peers and partners.
- Breached Account Checker: Stay updated with the latest threats and vulnerabilities that are related to breached accounts on the dark & deep web.
- Breach and Attack Simulator: Assess the resilience of your email infrastructure against cyber threats and fix misconfigurations.
Editor's Note: This blog was updated on February 6, 2025.