A cybersecurity culture plays an important role in systematically building an organization’s cybersecurity capabilities, but it cannot be achieved overnight. Improving security culture must first dispel the myth that cybersecurity is a purely technical issue and provide people with clear guidance in a language and norms that are accessible and relevant to everyone. In the long run, organizations that help employees understand the psychological impact of cyberattacks will be more responsive to cybersecurity incidents. Mastering the psychology behind common cyberattacks, such as phishing, is one of the practical steps businesses can take to help improve their cybersecurity culture.
Cybersecurity Culture in Practice
We all know that a transparent, open and proactive cybersecurity culture will make businesses more resilient to evolving cyber threats by empowering people to make the right decisions. However, improving cybersecurity culture does not happen overnight.
In practice, this involves establishing a two-way dialogue with the business and its employees. For example, businesses need to open communication channels so that people can provide feedback on possible difficulties implementing policies or processes, rather than simply pushing security messages. It also means actively listening to their requests and taking action when appropriate.
Improving the cybersecurity culture must also include ensuring a people-centric approach to everything the cybersecurity team does. It’s not just about building people’s security awareness, it means that everyone on the cybersecurity team must act as a trusted advisor within the organization, rather than being seen as an outsider just overseeing compliance with cyber policy.
Building a cybersecurity culture also includes encouraging more cybersecurity ownership at all levels, especially if the company is a mid-sized or large organization with international offices around the globe. One way to do this is to build a global network of cybersecurity agents. These individuals can serve as advocates and/or ambassadors for cybersecurity best practices in their local offices and serve as liaisons to help others with related issues. They can also serve as a test group for any new initiatives that cybersecurity teams want to experiment with and provide valuable insight into what can and cannot be applied across the wider business.
Improving cybersecurity culture must also dismantle the myth that cybersecurity is a purely technical topic and provide people with clear guidance in relevant language and norms in a way that everyone can relate to.
Human Cyber Index
The Human Cyber Index, developed by Pinsent Masons, measures an organization’s cybersecurity culture and its relationship to employee productivity. It lets an organization work towards a responsive cybersecurity culture built on policies and processes that employees find easy to use, and it helps businesses assess employee behavior, engagement, productivity, and the relationship between staff and security teams, all of which can affect a business’s cybersecurity culture.
By emphasizing the psychological aspects of cybercrime, people find the topic of cybersecurity more relevant and accessible, which in turn helps them understand that they have more control over the situation than they think.
When the Human Cyber Index is used for the first time within an organization, the organization often faces the challenge of changing the perception that cybersecurity is a highly technical or specialist discipline beyond employees’ competence or remit. Initial completion rates for mandatory training are sometimes low, and cybersecurity teams lack the internal visibility and reputation they need to be seen as trusted advisors. In this environment, cybersecurity is seen as an uninteresting compliance exercise.
In fact, everyone in an organization treats information security differently. For example, age matters. In many cases, the youngest employees — those from “Gen Z” — are familiar with the use of technology, but that doesn’t always mean they are familiar with cybersecurity. In contrast, while older generations generally have stronger instincts for privacy and security, they are not always comfortable using company-provided IT products.
For the most part, people do care about cybersecurity and take it seriously, but they sometimes struggle with complicated policies and processes.
Psychology and Cybersecurity
Businesses can address the myth that cybersecurity is a purely technical discipline by educating employees about the psychological factors that dominate most cybersecurity breaches. Research on this complex subject is ongoing.
A paper by Bournemouth University for the British Psychological Society on behavioural change in the context of cybersecurity highlights how cyberattack victims are often psychologically manipulated. In their recommendations, they called for the application of “behavior change principles” to “public and workplaces” to “enhance the ability of individuals to better manage cybersecurity threats”.
Cybercriminals often exploit human tendencies to gain access to systems and data through phishing attacks. These attacks are a form of social engineering designed to trick employees into revealing private or sensitive information, clicking on links, or opening suspicious attachments, by playing on their existing knowledge and typical behavior.
As part of a human-centred approach to cybersecurity, simulate a phishing attack and, after training, explain the psychology behind the simulated attack, showing people how cybercriminals will try to manipulate their thoughts and actions. By doing so, people can better understand the behavioral triggers that may be involved in phishing attacks.
Introducing a psychological element is a way to focus online training and content on personal safety rather than organizational safety—the underlying behavior is the same, just presented differently. The study found that people felt it was more relevant, they were more focused on the topic, and they wanted to know more. In conjunction with this, a competitive element of online training is promoted, with leaderboards that reflect and reward those who spot suspicious emails and report them.
By emphasizing the psychological aspects of cybercrime, people perceive cybersecurity as more relevant and accessible to them, which in turn helps them understand that, in this case, they have more control than they think. This is a central part of building and maintaining a cybersecurity culture, as well as designing strategies and practices that reflect human tendencies and embed secure behaviors.