Behavior Change: “Think before You Click”

Petroleum Engineering (PE) accomplished a remarkable achievement in changing their employees’ cybersecurity behavior through leadership, engagement, and successful partnership.

PE is one of the key organizations in the company that handles a large amount of sensitive information related to reserves, future expansion plans, and other critical oil and gas information, which mandates extra information protection measures and controls.

Starting in 2019 — with high employee phishing email failures — PE set a goal to change their employee’s behavior. This goal was achieved through cybersecurity awareness programs and through collaborating with the Information Security Department, and the Cybersecurity Behavior Management and Awareness Team, to disseminate cybersecurity awareness through different approaches, and to appeal to different types of audiences within PE. Teams were set up within each department who translated the technical information into messages that all PE users could relate to.

PE professionals were at the center of this success. Their reception of the awareness materials and through their understanding of the impact on Saudi Aramco of failing to adhere to cybersecurity measures, they were able to apply a simple technique “Think before You Click,” resulting in true behavior change.

Currently, the percentage of phishing failures and information data leakage in PE is rated as one of the lowest in the company, as well as being rated one of the best in data classification within the company. The percentage of users clicking on suspicious links decreased, achieving one of the lowest rates corporatewide — less than .5%. Additionally, their exerted efforts resulted in enhanced positive cybersecurity behavior, which reached 80%.

PE will continue its efforts in further elevating the cybersecurity culture. This is truly a successful model that can be followed by other organizations in Aramco to improve its cybersecurity and protect its assets.