A follow-up to a previous post on harnessing the power of people in our fight against cybercrime
My previous article highlighted some interesting statistics
According to Mozilla, 91% of people still “don’t know much about protecting themselves online.”
According to CyberEdge, employees cite “low security awareness” as their primary barrier to proper protection.
And according to Juniper, the costs of cybercrime are expected to hit $2.1 trillion by 2019 – up fourfold from 2015.
Together, all three highlight a crucial need to increase cybersecurity awareness and change the way people behave online. The question is, how might cybersecurity professionals achieve such an aim?
Accounting for psychology and the human factor
As the relatively young field of behavioural economics teaches us, at least part of the answer lies in accounting for human psychology.
By tapping into human psychology, we can take a fundamental leap towards increasing people’s awareness of pretty much anything – cyber security included.
We can use what academics reveal about human psychology to influence human behaviour and organisational culture, making people who might once have been considered to be a problem actually part of the solution.
As an example, cyber security awareness training might finally take steps to align personal and professional goals in an effort to ease what psychologists label “cognitive dissonance.” If you’re unfamiliar with the term, you’ll have no doubt suffered it at some point.
Cognitive dissonance is the mental stress we all suffer when we believe one thing but do something else entirely. It’s why we drag our heels and moan when facing “pointless” tasks: both are methods for dealing with our internal sense of dissatisfaction.
Cognitive dissonance might well be relevant when it comes to things like setting secure passwords. Should using a random string of capitals, lower case letters, symbols and numbers seem futile, people will continue to use “123456” – despite what they’ve been told through internal communications.
Tackling the full landscape of issues
An intelligent approach to cyber security awareness focuses on people as part of the solution, accounts for such oddities, and goes further still.
After baking psychology and behavioural science into its very core, it proceeds to analyse and tackle the full landscape of issues.
The people component of cyber security awareness needs to be addressed at no fewer than three levels:
- At the user level. That is, quite simply, raising awareness to stop normal people acting against best practice, such as responding to simple spear phishing scams. Awareness programmes at the user level should aim to make the issue interesting and engaging – to eliminate inherent cognitive dissonance.
- At the co-ordination level. Resources and time are scarce. And, let’s face it, expertise is often scarcer still. Greater awareness amongst co-ordinators wrings more from cyber security awareness campaigns and taps into available expertise to make the co-ordinator’s job easier and more effective.
- At the decision making level. Decision makers hold the lion’s share of the cyber security risk and therefore the burden to act. They are the 20% with 80% of the power, to use the Pareto principle. Raising awareness at this level is key to fast, dramatic results. This requires the human component of cyber security to be presented as a risk that is understood.
A truly intelligent approach to cyber security takes all of the above into account whilst ensuring awareness programmes are measurable, deliver an ROI and benefit people personally as well as professionally. It would also incorporate the all-important supply chain – noting that suppliers and third parties are often the most vulnerable part of an organisation’s security posture.
The way in which your suppliers reduce their people-related cyber risk will have a direct bearing on how vulnerable you are. Full stop.
Sadly, such an approach is very rarely – if ever – really pursued by the majority, many of whom still consider cyber security awareness as simply tick-box e-learning.
Taking a holistic approach
For the most part, today’s businesses have looked to technology to enhance cyber security – perhaps reasoning that a technological attack should be countered by a technological defence. Technological solutions certainly have merit. But when as many as three-quarters of all cyber attacks involve a human, a focus on technology alone can only get you so far.
Such stats are precisely why more and more businesses have started addressing impending cyber threats through the people they employ. It’s worth noting, though, that only focusing on people would be an equally dangerous move. It’s the combination of focus on people, process and technology that yields the greatest results and the most resilient cyber posture.
The interaction between these three components (people, process, technology) means cyber defences are not simply technical systems at all, but in fact socio-technical systems, working in harmony to achieve a common goal. Considering any single aspect of the system in isolation will almost certainly lead to problems. Organisations must instead think about all three simultaneously when attempting to stay ahead.
If that all sounds complex, in practice it is often intuitive.
Technology, for example, can be used to shape people’s attitudes and behaviour, making use of developments in analytics, AI and machine learning or cloud-based technology, to name but some examples. And that’s before we consider the importance of tactical controls, measures and functions that aid businesses during the Protect/Prevent, Detect and Respond stages.
What our industry should be striving towards
Marrying people, process and technology and combining them with an understanding and application of psychological and broader behavioural science theory is something few have done so far when it comes to cyber security. But this is what needs to be done if we are to harness the power of people in our fight against cybercrime.
It’s rare that an issue touches so many aspects of our lives – every business sector, anyone connected to the internet and most national security agendas. This highlights how pressing a concern cyber security has become.
However, delivering a calmer, distinctly different message to that of the startling news headlines is much more likely to forge the type of effective human connections cyber security professionals long for.
Finally, professionals, businesses, governments: everyone involved in the prevention of cybercrime must begin sharing and learning from each other.
What works well when it comes to helping people be more secure online?
What are the common barriers to adoption holding good cyber security practice back?
A decent cyber security awareness platform provides support to those charged with campaign delivery – and makes it easy for these co-ordinators to access feedback and insight.
Better still, it feeds key lessons back into the system and disseminates them automatically. This is what we, as an industry, need to be striving for.
Why we’ve still got some way to go
Psychology; human factors; culture; attitude; technology; people; process; decision-makers; co-ordinators; feedback and delivery.
The fact that we need to account for so much when thinking about raising cyber security awareness shows just how complex a topic it is. And why simple e-learning just won’t cut it. Maybe this is why we’ve still got some way to go.
By taking an intelligent approach, though, there’s little doubt that cyber security awareness can indeed be raised. With an approach that focuses properly on the people component rather than tick-box e-learning for users, behaviour throughout an organisation can be changed and cyber risk can be reduced.
Armed with a holistic approach to cyber security awareness – one led by psychology and behavioural science theory, one fuelled by a better understanding of human and organisational factors and one that takes into account all of the above – people could finally take their place as part of the ultimate cyber defence.