To understand why it might be impossible to reduce human cyber risk without a secure culture, it’s worth considering a series of experiments from the world of behavioural science.
The experiments weren’t designed to uncover security insights. Rather, they were designed to demonstrate quirks in human behaviour. Specifically, they were designed to reveal why people sometimes “cheat”.
In one of the experiments, researchers asked participants to solve a series of 20 simple maths problems under impossible time constraints, rewarding participants financially for every problem they solved.
When the researchers marked participants’ work, participants solved, on average, 4 problems. But when participants were left to grade their own work?
The number crept up.
When participants had the option to cheat, they solved, on average, 3 additional problems – and researchers did not find that some people cheated a lot and others not at all.
Instead, most people cheated just a little bit.
Have you spotted the implications for security just yet?
Economic incentives don’t always change behaviour
How, the researchers wondered, could levels of cheating be influenced?
By increasing the financial rewards on offer?
No. Increasing the financial incentive to cheat had no effect on the levels of cheating.
By reducing the likelihood of being caught, or the punishment for being caught?
Neither made any difference.
In fact, researchers found traditional economic incentives had no effect on levels of cheating whatsoever. Instead, they found that cheating could be decreased by asking people to recall the Ten Commandments or to sign a code of honour. Going further, they found cheating could be increased by making it clearly apparent that others were cheating.
In experiment after experiment, it seemed levels of cheating weren’t influenced by economic incentives. Instead, it seemed people’s ingrained moral codes were the driving force behind their eventual behaviours.
A secure culture: a prerequisite for risk reduction
Jumping back to the world of security, it doesn’t take much to see what the implications of the above experiments might be for security awareness training.
Every day, when people fire up their computers and come face to face with cyber risk, they face choices.
They can take their security awareness training into account, follow disseminated security procedures and behave in a secure manner. Or, in an effort to tackle their to-do lists, they can take the occasional shortcut.
They can ignore the odd security warning while in pursuit of the information they need. Or they can forgo the use of processing-power-guzzling VPNs to increase connection speeds.
Increasing people’s knowledge of security risks – or even the size of the risks themselves – is unlikely to influence their choices. Increasing people’s economic incentive to behave in a secure manner, equally, is likely to do nothing.
What is likely to influence their behaviour is to appeal to their morality, and to demonstrate that their peers are taking secure decisions.
A secure culture, it seems, is more than just a powerful way to decrease cyber risk.
In the absence of a secure culture, cyber risk reduction could be impossible.
Why the human aspect of cyber security remains unaddressed
If it is in fact almost impossible to decrease cyber risk without building a secure culture, it would certainly explain a lot.
It would explain, for example, why the human aspect of cyber security is the one foundational pillar of cyber security that’s yet to be properly addressed.
It would explain why increasing investment in more of the same compliance-based, tick-box security awareness training is failing to turn people into a cyber defence.
It would also explain why a blame culture – i.e., increasing the penalties for getting “caught” – does nothing to increase cyber resilience.
To all at CybSafe, the implications of such studies aren’t just interesting. They’re invaluable. Our platform fuses insights from psychology and behavioural science with artificial intelligence and data science to measure and advance security awareness, security behaviours and organisational culture in tandem, demonstrably reducing human cyber risk.
For too long, solutions designed to address the human aspect of cyber security have failed to reduce human cyber risk.
Isn’t it about time we changed our approach?