News Advisory: 15. June 2016

Hewlett Packard Enterprise sets the framework for progressive engagement of staff in cybersecurity

LONDON – June 14, 2016 – Today Hewlett Packard Enterprise (HPE) announced the release of the “Awareness Is Only The First Step” business whitepaper, which outlines the framework and steps that organisations need to take to engage employees in effective internal cybersecurity practices. The whitepaper is published in collaboration with the Research Institute in Science of Cyber Security (RISCS) at University College London (UCL) and the UK government’s National Technical Authority for Information Assurance (CESG).

While security communication, education, and training is meant to align employee behavior with the security goals of the organisation, it is not always designed in a way that can achieve this. As a result, senior management does not know if recommended security behavior is actually followed in practice by all staff. The root cause of this disconnect is that businesses do not know how to engage their employees for the long term; they end up using tick-box exercises, which result in employees retaining little knowledge rather than the desired goal of achieving improved security.

Building a cyber resilient workforce is the cornerstone to a comprehensive and future-proof cybersecurity organisation,” said Andrzej Kawalec, Security Services CTO, Hewlett Packard Enterprise. “Digital adoption impacts businesses and individuals in varied ways, and users remain the first line of defense when faced with a dynamic and relentless threat environment.

"Many companies think that setting up web-based training packages are a cost-effective way of influencing staff behavior and achieving compliance, but research has provided clear evidence that this is not effective - rather, many staff resent it and suffer from 'compliance fatigue'” said Professor M. Angela Sasse, FREng, Director, UK Research Institute in Science of Cyber Security (RISCS), UCL. “In this whitepaper, we outline a human-centric approach to genuinely engaging your staff in cybersecurity and building their competence.

HPE together with UCL and CESG, developed this whitepaper to help organisations establish a framework for security awareness that will empower employees to become the strongest link—rather than a vulnerability—in defending the organisation. Key findings for developing a strong employee program include:

A combination of communication, education and training (CET) activities can build greater security awareness and lasting behavior change. However, each organization must identify areas of improvement and take baseline measurements before implementing any CET measures to better understand the current security company culture.
Remove impossible security tasks as part of an essential security hygiene process. CET cannot compensate for security policies and implementations that are impossible to comply with.
Security awareness campaigns must be tailored, ongoing, and involved. Ideally employees will receive a skill set that helps them professionally and privately.
Balance prescriptiveness of policies and the practicality of enacting them. Too many policies can make the cost of compliance too high and limit productivity and adaptability. Consider where policies should be rules and where they should be guidelines.
Communicate the value. There is a personal cost to changing routine behaviors, so it is important to treat it as a value proposition, not a mandate.

"At CESG, we advise both organisations and Government on the challenges that their security practitioners face when it comes to security awareness. With this whitepaper we hope to give them a refreshing new way to approach the challenge of involving employees in order to create a more secure organisation, instead of simply implementing a one-size-fits-all approach", said Chris Ensor, Deputy Director at the National Technical Authority for Information Assurance.

Hewlett Packard Enterprise Cyber Reference Architecture
HPE operates its Cyber Reference Architecture to assist customers in logically assessing their security requirements in terms of the various components required and their external and inter-dependencies to create an effective and coherent security organisation.

In order to assist organisations in achieving lasting behavioral change, HPE provides consulting services in the areas of awareness and communication as part of its Cyber Reference Architecture.

About HPE SecurityHPE Security helps organizations protect their business-critical digital assets by building security into the fabric of the enterprise, detecting and responding to advanced threats, and safeguarding continuity and compliance to effectively mitigate risk. With an integrated suite of market-leading products, services, threat intelligence and security research, HPE Security empowers organizations to balance protection with innovation to keep pace with today’s idea economy. Find out more about HPE Security at

Join HPE Software on LinkedIn and follow @HPE_Software on Twitter. To learn more about HPE Enterprise Security products and services on Twitter, please follow @HPE_Security and join HPE Security on LinkedIn.

About HP Inc.

HP Inc. creates technology that makes life better for everyone, everywhere. Through our portfolio of printers, PCs, mobile devices, solutions, and services, we engineer experiences that amaze. More information about HP Inc. is available at

© 2016 HP Inc. The information contained herein is subject to change without notice. The only warranties for HP Inc. products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP Inc. shall not be liable for technical or editorial errors or omissions contained herein.