Human-as-a-Solution: Will Cyber Security Organisational Culture Shift in the Face of Uncertainty?

Cyber Security as a Behavioural Science: Part 4

There is much information online about human behaviour and cyber security, and it is easy to get lost. So, I decided to write a short series of posts on cyber security as a behavioural science (#cybersecasbehavioralscience). In Part 1 of this series, we explored why we should worry about behavioural aspects of cyber security. In Part 2, we considered why people take risks online, what behaviours they perceive as being more risky, and how we can measure risk-taking behaviour in cyber spaces. Part 3 tried to understand why some businesses do not take cyber security seriously. Today we will talk about organisational cyber security mindsets and whether, and to what extent, the current COVID-19 outbreak crisis can give us an opportunity to shift these mindsets.

Organisational Culture and Cyber Security

In November 2019, the International Journal of Human-Computer Studies published a research article by Verena Zimmermann (TU Darmstadt) and Karen Renaud (Abertay University & University of South Africa) titled "Moving from a ‘Human-as-problem’ to a ‘Human-as-solution’ Cybersecurity Mindset". The article is brilliant in many ways, but, possibly, its main value is that it has outlined the need for behavioural change within business organisations - specifically, the need for change in the internal cyber security culture. Zimmermann and Renaud argued that most organisations have the wrong mindset where cyber security is concerned - i.e., they tend to treat every human as a potential problem.

Human-as-a-Problem versus Human-as-a-Solution

Source: Zimmermann, V., & Renaud, K. (2019). Moving from a ‘human-as-problem’ to a ‘human-as-solution’ cybersecurity mindset. International Journal of Human-Computer Studies, 131, 169-187; p. 174 and p. 178

Therefore, instead of defining cyber security systems that take into account the needs, operational requirements, and innovative ideas of their staff, many organisations build restrictive sets of rules, excluding their employees from contributing to the formation of the cyber security culture. As a result, instead of feeling that cyber security is developed with them as an integral part of the process, employees observe cyber security happening to them as passive followers.

"Cyber Security, Differently"

Zimmermann and Renaud stress the need to shift from the way in which we do cyber security now to cyber security in the future by proposing the concept of "Cyber Security, Differently". The main difference between "Cyber Security, Currently" and "Cyber Security, Differently" is that organisations need to have an open and inclusive cyber security culture, where everyone is invited to contribute to the way in which cyber security threats are identified, reported and dealt with.

Human-as-a-Problem versus Human-as-a-Solution Organisational Culture

Source: Zimmermann, V., & Renaud, K. (2019). Moving from a ‘human-as-problem’ to a ‘human-as-solution’ cybersecurity mindset. International Journal of Human-Computer Studies, 131, 169-187; p. 179

While the aforementioned article proposed a set of principles for achieving the shift from "human-as-a-problem" to "human-as-a-solution", last November, the authors were skeptical that the shift could happen quickly. Rather, they expected it to be a long and rather painful evolutionary process. Why would that be the case?

Trust and Vulnerability

One of the main behavioural reasons for the "Cybersecurity, Currently" mindset to prevail is the fundamental lack of trust within organisations. Indeed, the current cybersecurity systems (with a handful of minor exceptions) are built in a way that highlights the level of organisational mistrust towards employees. Consider these simple facts: according to the Cyber Security Breaches Survey 2019, in the UK approximately 1/3 of all businesses experienced a cyber attack in 2019, with the frequency of attacks on medium and large businesses being a lot higher (60% and 61%, respectively). 80% of these attacks employed social engineering techniques, which were enabled through phishing. Yet, only 27% of businesses in the UK have developed comprehensive cyber security training programs, which means that in the vast majority of organisations, people do not even have an opportunity to think about cyber security issues, let alone voice their opinions about these issues. As a result, organisational mistrust towards employees' ability to comprehend and contribute to cyber security discussions makes them extremely vulnerable, causing an erosion of employees' trust toward the organisations they work for.

Unique Opportunity

It seems that now, with the majority of employees forced to work from home, we have a unique opportunity to catalyse the shift in organisational cyber security culture. When your employees are working remotely, it is necessary to trust them, as a lot of what is going on in households behind closed doors cannot be controlled externally. Many organisations do not have the capacity to sustain secure access rules and compliance regulations at the pre-COVID-19 levels. Under these circumstances, some restrictive rules will inadvertently be relaxed, as business survival in many industries will depend on (i) the level of flexibility that businesses are willing to adopt, as well as on (ii) the desire and willingness of businesses to allow their employees to innovate and contribute to cyber security discussions.

Takeaways

The current COVID-19 crisis poses many challenges for cyber security of businesses around the globe. Yet, at the same time, it offers a very rare opportunity to change otherwise rigid organisational cultures from treating people as problems to opening opportunities for them to become solutions. I very much hope that we are not going to miss this opportunity.
