The Cyber Approach To Learning
The Cyber Academy offers vibrant, engaging eLearning experiences.
Research has consistently shown that the predominant Achilles heel in cyber security is human behaviour, rather than any weak spots in the technology designed to protect them. There is therefore a growing call amongst cyber security experts to ‘humanize’ what has traditionally been seen as a technical problem that requires a technical solution. While cyber security is a systemic issue involving people, processes and technology and the relationships between them, it is the focus on people that is becoming widely accepted as the most critical feature of cyber security.
It is the acknowledgement of this key role of human behaviour that spawned the mushrooming of social engineering, which has set its sights on people as the weakest link in the interdependent elements of people, process and technology.
To establish a defence against a people-centred attack, a people-centred cyber security strategy is therefore required. In the search for solutions, behavioural economics has been recognised as a rich source of expertise on how behaviour can be modified or ‘nudged’ to enable people to protect themselves and their organisations against the burgeoning onslaught of cyber security attacks.
An underlying principle of behavioural economics is that people do not behave rationally, so while those who design the technology may feel the logic of their system provides a sufficiently obvious and compelling motivation for compliance, employees’ behaviour is motivated by many factors other than logic.
It is only through understanding and working with these competing motives and value systems that behavioural change can be achieved.
The philosophy behind the development of Cyber Postures is that specific facets of human behaviour need to be recognised and understood in order to enable the development of an approach to cyber security that works with rather than against employees. Three key ways in which the assessment of Cyber Postures in an organisation enables the implementation of this approach are described below.
1. CYBER POSTURES ENABLE TAILORING OF A HOLISTIC CYBER SECURITY SYSTEM TO INDIVIDUAL AND ORGANISATIONAL PROFILES
Cyber Postures provide insight into each individual’s dominant behavioural style with regard to the key behavioural risk factors highlighted by a number of research studies. While different terminology, such as agreeableness and conscientiousness, is used in the research, in the Cyber Postures these behaviours are framed as guardedness and attention to detail, as these terms are not particularly negative or positive in themselves.
Cyber Postures therefore provide an indication of the individual’s natural inclination towards more risky behaviour. If a system is designed without taking cognisance of the user, compliance is less likely. Cyber Postures therefore enable insight into employees’ behavioural tendencies, allowing systems to be designed to optimise compliance, to shape higher risk behaviours into lower risk behaviours or to protect employees against their own sources of vulnerability.
All elements of a holistic cyber security system, including technology, policies, training and communications can be tailored to suit the specific risk profiles and address the vulnerabilities of employees.
A fundamental tactic in the humanising of cyber security is to communicate in language that is people-centred rather than technology-centred. As it is employees’ personal behavioural styles, captured in Cyber Postures, that may make them vulnerable to different types of cyber threats, these insights into the personal behaviours of the intended audience enable the language to be framed in ways to which employees will relate. For employees, the use of more personal language when referring to matters of cyber security and their relationship with it transforms the perception of cyber security from that of a technical issue that the IT department must address into one for which they must take personal accountability.
2. COMPLETING A CYBER POSTURE QUESTIONNAIRE AND RECEIVING FEEDBACK FACILITATES EMPLOYEE ENGAGEMENT IN CYBER SECURITY
Behavioural economists have found that more effort leads to greater connection and engagement. Taking the time and making the effort to reflect on their own behaviour, complete the questionnaire and read the feedback on their own Cyber Posture is highly conducive to encouraging employees to engage more and take greater ownership of matters related to cyber security.
Cyber Postures also draw on the natural human affinity for self-reflection. This in itself serves to facilitate engagement. In addition, Cyber Postures lend personal relevance to the issue of cyber security and allow employees to reflect on their own behavioural tendencies that may make them vulnerable to a cyber attack. Such reflection leads to greater awareness and, subsequently, vigilance of potential threats. When people are alerted to their own vulnerability, they are better able and more likely to monitor their own potentially risky behaviour.
3. CYBER POSTURES PREDICT POTENTIAL FUTURE RISK BASED ON STABLE PERSONAL BEHAVIOURAL TENDENCIES
As Cyber Postures are based on stable behavioural tendencies that are rooted in individuals’ values and cognitive styles, they can be used to predict vulnerability to future attacks. Using the individual Cyber Postures, potential future risks can also be predicted at a departmental or business unit level, and an organisational level.
Using these insights, cyber security systems can be designed to be ever-evolving systems that stay one step ahead of hackers by matching protective mechanisms and interventions with emerging social engineering trends and activities.