Rethinking the Human Factor in Security Awareness: moving employees from a “Have-To” to a “Want-To” Mindset
Why we need to rethink the human factor
As organizations begin to understand that security is everyone’s understanding, cybersecurity culture has been a prominent topic of discussion in recent years. The recent growth of remote working has also increased the need for organizations to ensure that employees make security a priority and take this shared responsibility seriously, no matter where they are.
Unfortunately, the transition has not always been easy. Current approaches to developing and delivering training and awareness are not a guaranteed antidote to achieve enduring changes in security behaviors and culture. Podcast host and author of “Rethinking the Human Factor,” Bruce Hallas joined the Infosec Inspire Cyber Skills Summit to share a new view — based on behavioral science, data and real-world successes surrounding us — to meet the challenge of empowering the human factor.
Speak a cybersecurity language everyone understands
After working with board-level executives in finance, legal and beyond, Bruce picked up on a critical skill: speaking the cybersecurity language in a dialect that business teams understand. Cybersecurity teams often struggle with a lack of understanding and ultimate support from critical stakeholders, due to disconnects in communication. Though the groups typically have a common goal to run a solid business and drive revenue up, the role that cybersecurity plays in that goal is often overshadowed by technical jargon, intimidating processes and rigid policies that seem to require a translator.
Bruce was able to overcome this challenge by helping stakeholders across the business understand how cybersecurity related to them and why they should take an interest. “I was speaking a language they hadn’t been trained on,” he said. “This is a really powerful tool for all IT managers. I would work with users to help them understand what information security means from an IT perspective and translate that into meaningful benefits for the business.”
Influence the critical shift from a “have-to” culture to a “want-to” culture
Most organizations start their security journeys by focusing on compliance and enforcement. There are policies. There are annual training requirements. And finally, there are consequences and penalties for not complying.
This tactic leads to a “have-to” culture. Policy, for example, spells out what people should do to remain secure. Yet there is still a recurring problem when it comes to adherence to policy, no matter how much organizations invest in technology and other solutions.
Where security is truly engrained in organizations is when they can shift to a “want-to” culture, where people are motivated to care about security without being driven by mandates and consequences. After looking into the science behind human behavior, including concepts like nudge theory and behavioral sciences, many lessons can be gathered to help make this shift.
The first is a common misconception: if you share plenty of information and resources with people, they will all process and apply the data to their behaviors in the same way. This, however, is not the reality. Everyone’s logic varies, and people tend to make decisions subconsciously with the reactive side of the brain instead of the more logical side.
A pivotal secret to shifting behavior so that people react with logic is social influence. When people see what folks around them are doing or not doing, they tend to follow suit. This was made evident during an effort to collect several million dollars in unpaid taxes in Europe. By communicating what percentage of people within a specific postal code had paid their taxes on time, the team was able to influence more people in that region to pay their taxes.
The same can apply to cybersecurity. Remind users of what their peers and others are doing when it comes to security. Whether it’s sharing how different departments are faring when it comes to training completion or looking at who has the best phishing campaign score, sharing how others are performing is a low-cost, low-risk way to influence behavioral change.
Integrate cyber culture into your business culture
It’s clear that culture plays a critical role in addressing the human element of cybersecurity. Organizations often ask, “How can we build a strong cybersecurity culture?” However, a few thought-provoking questions that these organizations should consider are: “How does my security culture relate to my overall business culture? Do you want to have one versus the other? How can we marry the two?”
Since cybersecurity is everyone’s responsibility and culture is based on organizational values, healthy behavioral change occurs more naturally when the two are intertwined. Those values ultimately drive decisions at all levels of the organization and, as such, security should align with the organizational values and be incorporated in the everyday way of working.
To put this into practice, start having conversations with your board and senior leadership on how cybersecurity contributes to the success and resilience of your organization. Bruce said, “Part of that is about reinforcing the values that the board has. When you’re supporting them and their values, you’re much more likely to get buy-in.” Since stakeholder buy-in is foundational in strengthening cybersecurity culture, board engagement is a good place to start.
The big takeaways
The biggest lesson from our conversation with Bruce is the importance of shifting from a “have-to” culture to a “want-to” culture. Do this by influencing behavioral changes across the organization. As a next step, think about the capacity that you have to understand the current culture and the desired state. Finally, create a framework that will help the organization achieve the desired results.
Check out the full video here: