Why disciplining human error doesn’t work when it comes to cyber security

CybSafe

We are CybSafe. We’re a British cyber security and data analytics company.

June 1, 2021

Nobody likes being punished. So why are we so quick to punish those who fall victim to cyber-attacks?

A recent study by CybSafe found 4 in 10 organisations choose to discipline staff who make cyber security errors. There’s no doubt we need to respond when such incidents occur. But is disciplining employees really the best way to go?

How we respond

Our research found organisations discipline those who make cyber security blunders in many ways. The most popular response is to inform their line manager. Others opt to make people re-sit their e-learning.

But there are some more extreme responses. These include decreasing an employee’s access to certain documents, or locking their computer. It can even involve naming and shaming!

These responses differ in severity, but all seek to achieve the same end: correcting behaviour via discipline. We all want to help people avoid making these mistakes. But going down the disciplinary route is not just unnecessary. It’s counterproductive.

Why discipline doesn’t work

We all know about the carrot and stick approach. When it comes to cyber security, a positive incentive is far more effective than a threat.

The carrot can be anything from praise to prizes. It creates enthusiasm and helps everyone fight from the same side. The stick approach can do the opposite. Most organisations assume this to be a formal response, such as disciplinary action. But these penalties can also be informal. Examples include having leaderboards or general social disapproval.

Both types create a culture of fear. This triggers stress for employees and fosters resentment towards security teams. If you need to rely on fear as a motivator, then you are doing something wrong.

Let’s look at phishing simulations as an example. It’s not a level playing field, and any one of us can fall for a phishing attack. Simulations can be useful in helping employees understand their own susceptibility.

However, some organisations over-rely on these simulations. They focus too much on the metrics, rather than on actually changing behaviour. We call these ‘vanity metrics’: they measure the quality of the simulation, not its impact on behaviour.

Shaping a better culture

If discipline isn’t the answer, then what is?

Mistakes are often down to human error. They are unintentional and without malice. Our instinct is to click links, and such habits are difficult to shake off. We are all susceptible, no matter how prepared we think we are.

With this in mind, it’s important to create a people-centric culture. Not because we’re naïve or idealistic, but because it’s the most effective way to manage cyber risk. A culture of fear increases anxiety and decreases productivity. It has a negative impact on our mental wellbeing. This makes us more vulnerable to cyber threats, and less likely to report them when they occur.

We’re all on the same side. So let’s support each other when faced with cyber threats. ‘Assist’, part of the CybSafe Connect app, gives employees the help they need when they need it most. If an employee encounters a suspicious email or a questionable link, they can access security advice on demand. It helps build a culture where we can be honest about our security behaviours, and supportive in helping each other respond to threats in the best way.

Let’s create an environment where we can support each other against cyber threats.