Here’s an interesting conundrum for cyber security professionals.
Some simulated attacks reduce human cyber risk.
Others, however, have no effect on risk – and may even have a negative impact.
Even more perplexing: an identical course of simulated attacks can have conflicting effects on your human cyber risk.
Why is it that some simulated attacks help reduce cyber risk, while others are, at best, a waste of mental bandwidth?
Economic incentives and human behaviour
Although the above seems implausible at first, this recent risk reduction blog post helps explain what might be going on.
The post, recently published on the CybSafe blog, highlights how and why financial rewards do little to encourage secure behaviours. Equally, it highlights how and why people continue to take security shortcuts, even when the risks and punishments for doing so rise.
As behavioural science consistently shows, traditional economic incentives are sometimes just too feeble to re-route the juggernaut that is a deep-seated human behaviour.
Simulated attacks alone are redundant
Simulated attacks are focused on affecting behaviour. Phishing simulations, USB drops and smishing trials all reveal how people respond to cyber threats. CybSafe’s intelligent simulations even reveal why people respond in the ways they do.
Alone, though, even intelligent simulated attacks cannot reduce your human cyber risk. To reduce your human cyber risk, the attacks must be paired with appropriate security interventions. And it’s these interventions that are all-important.
If security interventions, for example, take the form of a bland financial reward for spotting simulated attacks, so what? Research suggests the rewards will do little to influence how many security rules people sidestep as time goes on.
If security interventions “punish” those who fail to spot simulated attacks, we can expect a toxic culture to emerge. We can’t, however, expect a lasting decrease in human cyber risk.
It’s not the simulated attacks alone that influence cyber risk. Rather, it’s the combination of simulated attacks and what follows that can reduce your cyber risk.
Get it wrong and simulated attacks become completely ineffective.
Combining attacks with appropriate interventions
In his research on “cheating” (or, in the world of security, “knowingly breaking security rules”) Professor Dan Ariely shows how human behaviour is far more likely to be influenced by an internal moral compass than by money, risk or fear of punishment.
The research explains why pairing simulated attacks with personalised security awareness training on how a breach could impact friends and family usually produces a demonstrable reduction in human cyber risk.
It also explains why pairing simulated attacks with generic tick-box security awareness training is almost always redundant.
It’s campaigns like the former that we champion through CybSafe.
And it’s campaigns like the latter that we actively stand against.
The wrong interventions at play today
The news that rewards and punishments don’t seem to affect people’s willingness to bend the rules is particularly important when you consider that as many as 31% of people involved in data breaches are dismissed.
Such “interventions” promote a culture of hostility, fear and resentment. And yet they do nothing to reduce an organisation’s cyber risk.
As CISOs and security professionals, our single-minded goal must be to reduce cyber risk.
It’s time we started focusing single-mindedly on our goal.