Using behavioural science to boost cyber security awareness


Given the advent of GDPR, as well as the pressures of reputational and financial damage after a breach, the human aspect of cyber security is now finally a board-level issue. But despite its higher place on the agenda, it’s still not something that C-suite executives are well equipped to deal with.

This is, in part, because cyber risk has historically been hard to measure. How do you quantify the risk posed by an individual or a group of individuals, leaving malicious insiders aside entirely? Do training and awareness programmes even work? How do you track return on investment? How do you know if your measures are actually reducing risk?

Boards are also hesitant because members may feel they lack the skills, time and dedicated resources to commit. Awareness programmes, which cost money, often come with no discernible return, and they can also be seen to take employees away from their jobs.

Moreover, those with an ongoing programme in place have found the impact underwhelming, with research finding that only 15% of such programmes report the heightened levels of awareness and positive behaviour change they aspired to.

Poor attention spans are to blame for ineffective training

This is all unfortunate, but hardly surprising, given the way most businesses approach helping their staff. Traditional people-focused cyber security programmes are resource-intensive, out of touch with what staff really care about, and too tedious for them to digest. Poor engagement is the bane of most awareness programmes.

A single, year-long training programme is still the first choice for many. The content can be so overwhelming that an organisation may lose users just a few minutes into a session. The audience will start to daydream, check their phones, or get on with other work on their laptops. Whatever little positive impact there is inevitably deteriorates over the course of the year as users forget what they’ve learnt.

Bulky training manuals, online guides, and best-practice PDFs are also commonplace. The expectation is that by providing staff with relevant information they’ll naturally absorb it. But most won’t be engaged enough to read through even a fraction of what’s been provided, and those who do concentrate will barely retain it in the longer term.

Even those who hang on won’t necessarily be able to act on it. Knowing how something works in theory is different from acting on it in a real-world context. The problem with traditional awareness programmes is that there is limited chance for users to put what they know to the test. Quizzes can be helpful, but they don’t, as a matter of course, teach; they test. Learning by practice, through true-to-life experiences, is the key.

Organisations often find their awareness programmes lacking, and wonder why they haven’t developed a stronger cyber security culture. The answer is quite simple: training that doesn’t take into account the behavioural science and educational theory of how and why people learn is never going to effect real change and improve an organisation’s cyber security risk. And here’s where the channel opportunity lies.

Embracing psychology to meet a massive demand

Research has existed around what it takes to change behaviour, in terms of cyber security awareness, for more than thirty years, but it’s not something that has necessarily been acted upon. Research around learning and education has existed for at least seventy years, but this too has been dismissed in the cyber security awareness space because it’s either too difficult or costly to deliver.

While human-oriented cyber security awareness may not be a new phenomenon to either businesses or the channel, measurable, science- and evidence-based solutions are. Applied to information security awareness, modern behavioural science and teaching techniques can provide immediate, tangible improvements and mitigate human cyber risk.

The opportunity is made yet more appealing given few businesses have such a solution in place. Research suggests that 70% of SME firms either don’t have cyber security awareness training or have ineffective programmes in place. Further, KPMG suggests that the majority of the FTSE 350 companies lack the board-level skills to address the issue.

And while our own research shows that only 44% of IT decision-makers believe their business’s employees have the skills to prevent a cyber attack, the majority are worried about the threat of a cyber attack and about losing money, and are more concerned now that GDPR has come into force.

The demand is there. Cyber risk reduction has never been such a hot topic, and although long overdue, solutions are being introduced that both work and augment technology products as well as expert consultancy. Programmes addressing the human aspect of cyber security fill a longstanding gap in most channel cyber security portfolios, which are largely built around technological products.

Psychology is not a lost science, but the regard for it in the cyber security space has certainly been lost for the time being. This presents a sizeable opportunity for players in the channel market. After all, the human aspect of cyber security can be seen as the intersection of people, technology and information. Can you think of a business today that doesn’t have all three of these?

Mark Edge is Chief Revenue Officer at CybSafe