Mark Brown, Founder of Psybersafe, explores how behavioural science can improve our response to cyber security issues
Most learning and development professionals would say that training has been transformed in the past 10-15 years, and I’d agree with them that the general methods of delivering training have certainly improved: the advent of e-learning, hybrid training and online courses has definitely made the process of training more flexible. It may even have had a hand in more SMEs putting training higher up their list. But for training where actual behaviours need to change, I feel strongly that most training – certainly in my sector, cyber security – just isn’t enough.
October is Cyber Security Awareness Month – a time for businesses to take a step back and see if they really are doing all they can to keep cybercriminals at bay. And this is a critical area of your business where failure to act means your data, records and perhaps entire business could be at risk.
90% of successful cyber attacks are down to people, not systems
How much have you invested in sophisticated IT, dedicated firewalls, tests on your systems and new technology? It’s almost certainly considerably more than you have spent on cyber training for your employees. And yet, the vast majority of successful attacks are down to human error – not failing firewalls or old IT systems. That’s according to official statistics released by the Department for Digital, Culture, Media & Sport in 2020.
Just telling your people to use stronger passwords, look out for suspicious links and check emails from new contacts isn’t enough. That’s because our brains naturally take the easy route every time, rather than stepping back, considering and acting differently.
In order to truly make your people the first line of defence, you need to change the way they behave. And this is even more important now that many companies are embracing hybrid and Bring Your Own Device working – this potentially creates holes in your security, and loses some of the psychological signals that make employees more security-aware – so it’s actually critical that managers introduce behaviour-changing cyber training sooner rather than later.
Why should we base training on psychology?
The more we understand how people ‘work’, the more useful and compelling training can be. ‘Practice makes perfect’ isn’t just a cliché; it’s how teaching and training work.
And yet, in most corporate training, the opportunities to ‘do’ are limited, if available at all – it’s mostly just the exchange of information, and that’s just not enough to make a positive difference to the way people behave. There are various models of behavioural science, such as the COM-B model developed by University College London’s Centre for Behaviour Change. Models like this show us that the only way to change the way people behave is to get them to a place where new, good behaviours have taken the place of the less desirable, old behaviours.
Cyber security – behaviours matter
The psychological approach to training is particularly important in cyber security because it’s our inherent ‘laziness’ and practised habits of doing things like opening emails and clicking links that give the cybercriminals a way in. In fact, they focus on exploiting those weaknesses precisely because they know it works.
So, we need to find a way to change these behaviours to keep criminals out. For example, we’re all pretty good at keeping our homes safe: making sure windows and doors are shut and locked, checking who’s ringing the doorbell or coming up the path. It’s the same online – we just need to get into the habit of doing it.
It’s not a ‘tick box’ exercise
I’ve heard from lots of managers who have said that they did some short cyber training because they needed to ‘tick the box’. Looking at cyber security training in this way is potentially damaging to your business. It’s actually one of the key areas where changing behaviours can save your business from financial and reputational ruin.
It makes sense for businesses to invest in better cyber security training alongside any cyber security technology and to make sure that training effectively becomes part of your culture. That is the only way that you will truly beat the hackers.