Empathy is a Cybersecurity Necessity
Earlier this year Facebook’s Chief Security Officer, Alex Stamos, courted controversy when he criticized the cybersecurity industry for a lack of empathy. The security community, he said, must take a more people-centric approach in developing technologies that can be more easily used in a secure manner.
This lack of human understanding is endemic in cybersecurity. Many organizations continue to see cyber-threats as solely technological in nature and consequently respond by investing in technical controls only. Meanwhile, little is done to raise cybersecurity awareness or promote safe online behaviors, and it is common for non-technical employees to be looked down upon as “buggy” and unfixable.
According to a recent UK government cybersecurity survey, 40% of large organizations don’t train employees on cybersecurity best practices. This overreliance on technology for cybersecurity is patently wrong, as the increasing number of security breaches caused by human failure demonstrates.
Even where an organization does make an effort to raise staff awareness of cybersecurity, that effort frequently takes the form of a routine, tick-box training program, which lacks the human understanding necessary to promote safe cybersecurity practices.
High-quality cybersecurity training is the quickest and most cost-efficient strategy for an organization to improve cyber resilience.
Employee education reduces the risk of human error, which according to recent scientific research is responsible for nearly 25% of all cybersecurity failures. It also brings employees into the defensive fold by arming them with the knowledge they need to actively detect and respond to security breaches. For example, the 2016 cyber-heist of Bangladesh Central Bank was first noticed by a vigilant employee who spotted a typo in a wire transfer. This “human breach detector” ultimately saved the bank over one billion dollars.
However, to reap these rewards, we need to fundamentally change how we address the human aspect of cybersecurity. We need to show more empathy for people by demonstrating a deeper understanding of human motivation and by making training more accessible and personalized. Furthermore, to fully leverage the security value that knowledgeable employees can add, we need to open up direct lines of communication between non-technical staff and those responsible for cybersecurity. It must be as easy as possible for employees at the coalface to provide the ground-up intelligence necessary for organizations to improve cyber defenses from within.
Make it Intrinsically Motivating
Many organizations and training vendors assume that workers will act in accordance with cybersecurity best practices solely because it benefits their employers to do so. This is not the case.
To effectively motivate people to adopt cybersecurity best practices, organizations must align personal and business objectives so that cognitive dissonance is minimized. This psychological phenomenon is the internal conflict people experience when they behave in a way that is contrary to what they believe. It is why we are recalcitrant when forced to do something we believe is pointless and a waste of time.
By showing people that behaving safely online protects them not only professionally but also personally, this internal conflict is reduced and people become more motivated to learn.
Make it Convenient
According to Basex, two out of three workers feel that they don’t have enough time to get their work done, while Gallup research suggests that people have as little as 1% of their working week to focus on learning and development.
Learners are overwhelmed. There is so much content and so little time.
Empathetic cybersecurity training takes this into account by providing on-demand content in bite-sized chunks. This enables employees to take advantage of the downtime between meetings and other work commitments to build knowledge and skills in small segments.
Convenience is further enhanced when learning is accessible via mobile devices, as this allows people to study while traveling or away from the office.
Different individuals and groups will be subject to different cyber threats. The C-Suite, for example, is more at risk from “whaling” attacks than rank-and-file staff, while healthcare employees are more at risk from ransomware than those within the construction industry. Therefore, the first step in personalizing training programs is to provide content that is specific to role, industry and location.
The next step is to personalize training based on learning styles and proficiency. Everybody learns differently: some people like to watch, others like to listen; some like to learn while traveling, while others prefer to study at their desktop computers.
Likewise, individual employees will have different levels of knowledge and skill. For example, one employee may have detailed knowledge of phishing emails but not know how to respond in the event of a security breach. Another may know what to do after a security breach occurs but be completely unaware of the security issues involved in connecting to public WiFi.
Until recently, customizing learning to a person’s needs was the stuff of science fiction. However, advancements in data science have made personalized training a reality. Intuition, for example, has partnered with CybSafe to deliver an intelligent cybersecurity software solution that learns as the learner learns. This data-driven training and awareness platform tracks a wide range of user behaviors and continually customizes how training is presented so that each person can best assimilate it, thereby increasing the likelihood of positive behavior change.
For people to be fully integrated into the cyber defensive fold and become another layer of security by detecting and responding to threats, we need to open effective channels of security-specific communication.
One example is a one-click report button that integrates with email applications and allows users to immediately report suspect emails. Another possible solution is a dedicated instant messaging line that allows users to communicate directly with their IT security team.
By inviting, listening and responding to feedback, organizations can identify the root causes of unsafe cybersecurity behaviors. For example, end-users might find it too difficult to access internal systems and consequently turn to unapproved cloud services to get their jobs done. The removal of security barriers such as this is an important step in promoting safe cybersecurity practices.
Organizations that gather ground-up intelligence also improve their capacity to detect and respond to attacks by leveraging the sensory abilities of each individual employee to create a “neural safety net”. As we saw with the Bangladesh Central Bank, this can be massively beneficial.
The establishment of efficient security-specific communications between end-users and security professionals along with effective employee education can transform people from the weakest link in the security chain into the first line of defense.
Good cybersecurity is about people and technology working together in unison to reduce cyber risk. However, for this to happen, organizations need to show empathy not only in how they make technology but also in how they train and equip their employees to respond to cyber-threats. If we become more attentive to the needs of people, they will in turn show greater care for the protection of our digital assets. That way, everybody wins.
Intuition – Securing Your Company Culture
Intuition is a leading knowledge solutions company. We work with our clients to reduce cyber risk exposure through unrivaled employee education.
Our holistic approach to the human aspect of cybersecurity includes training solutions for both software developers and non-technical staff, so that your organization can make and use technology in a safe and secure manner.