Are we missing the opportunity to empower and engage our teams and clients to spearhead our cyber security?
It’s a common misconception that cyber security is all about technology. Technology is obviously a massive part of cyber security, but alone it is not enough to protect us from modern cyber threats. Cybercriminals regularly exploit the human element and by focusing on changing people’s behaviour, cyber resilience can be achieved.
Since decades cybersecurity is described as a people, process and technology topic. While the process and technology angle is much better understood these days, many of us are still not feeling comfortable when it comes to people and human cyber risks. People can be internal & external team or customer and clients. We invest in training & awareness and fulfil this way our regulatory obligations. But do we achieve anything with these investments? Do we change the behaviours we want to address, and do we lower the human cyber risks with our investments?
Behaviour change is not easy and most training & awareness campaigns fail because they focus only on the symptoms while leaving the root cause (behaviours) aside. We humans are creatures of habits and influences and changing our behaviours is sometimes hard and complex. I strongly believe that tackling this challenge is absolutely worth it. In doing so we can empower our people to protect themselves online, offline, at home and at work and with this make this world a cyber safer place overall.
Why are we doing certain things? For example, why do people fall for a phishing attack?
To answer this question, we need to first look at the Capabilities of our people in scope. Is she/he capable and does she/he have the skills to fulfil a task? Things like creating a secure password, detect phishing indicators are to be considered for example. It becomes very obvious that such skills can be addressed with training and education.
The second element to look at is the environmental situation. Can she/he act in a secure manner? Does her work environment in the office or at home foster secure working? Does the person have to share an IT system? Is the social environment consisting of social and cultural influences on behaviour, such as social pressure from peer and management in the workplace or while working from home? That’s why people click on spear phishing attacks while put under time pressure?
The third element is about our motivation and how we take decisions. We all rely on hundreds of biases. They help us to speed up the vast array of information we process daily but at the same time they also often lead us to undesirable behaviours such as opening an attachment we know we shouldn’t or clicking on links instinctively. For example, we tend to listen to information that confirms our preconceptions – a shortcut referred to as confirmation bias.
If you want to better understand why your teams & clients do certain things and ensure that your remediation & education investments in human cyber risks pay off, you need to start focusing on all three elements mentioned before. We here at cybovate can help you to get an understanding (step 1), the appropriate solution design (step 2) and the recurring measurement (step 3) right at the first place ensuring that you address the behaviours you want to address with the result to lover your human cyber risk exposure.
Value Architect | World Agility Forum Winner (2020 and 2021)
3 年One of the things I often talk about when discussing agile implementations is that many agile frameworks enable more risk management than traditional management frameworks. Agile teams openly identify risks and then ROAM (resolved, owned, accepted, mitigated) - they truly live the 1st line of defence which is often so hard to embed
Financial services program, project and information security management, bringing BTSR to live (BTSR = business, technology and security requirements)
3 年Maybe we need to think outside the box, literally:) Reward users who spend time offline every so x (hrs, mins, etc.). On one hand, going offline keeps us all ultimately cybersecure, we hope; on the other hand, stop and reset and then go back online with a fresh perspective might be the ultimate way of reinforcing cyber awareness.
Fear of something happening in the future - especially with a small percentage risk of hurting ourselves - isn't a good trigger to get humans going. (See club of Rome reports from 1972 on climate change ... we still ignore that we can do something.) I had a discussion this weekend about this. When people don't understand the complexity of cause, effects and consequences and how their part makes a difference, they do not act, unless ... it becomes REALLY EASY, FAST rather than time-consuming, they SAVE MONEY, rather than having to spend more, and they are NOT ALONE ... eg they see others do it as well. Doing things together, learning from each other, developing competences together is definately a boost!
MBA,Business Coach on Sustainable Leadership,CEO Matrix Consulting,Agile Coach,ICF Mentor Coach, Mastery Skills Trainer, Accredited Coaching Supervisor, Certified Executive and Team Coach
3 年I used run an operational risk training that explains risk and helps the people analyse risk points in their operational processes especially after a go live date. It's amazing how powerful it is to feel uncomfortable in a process. Because the uncomfortable feeling could be a process risk point. A place where something is not working. And I find it so interesting how this perspective is not understood. Human behaviour is a blessing to have when automating. What do you think?