
Using behavioural science to boost cyber security awareness

Firms need to disregard the cost barrier and embrace broader thinking to adopt meaningful cyber security training


Given the advent of GDPR, as well as the pressures of reputational and financial damage after a breach, the human aspect of cyber security is now finally a board-level issue. But despite its higher place on the agenda, it’s still not something that C-suite executives are well equipped to deal with.

This is, in part, because cyber risk has historically been hard to measure. How do you quantify the risk of an individual or a group of individuals, without even mentioning malicious insiders here? Do training and awareness programmes even work? How do you track return-on-investment? How do you know if your measures are actually reducing risk?

Boards are also hesitant because members may feel they lack the skills, time and dedicated resources to commit. Awareness programmes, which cost money, often come with no discernible return, and they can also be seen to take employees away from their jobs.

Moreover, those with an ongoing programme in place have found the impact underwhelming, with research finding that only 15% of such programmes report the heightened levels of awareness and positive behaviour changes they aspired to.

Poor attention spans are to blame for ineffective training 

This is all unfortunate, but hardly surprising, given the way most businesses feel about helping their staff. Traditional people-focused cyber security programmes are resource-intensive, out of touch with what staff really care about, and too tedious for them to digest. Poor engagement is the bane of most awareness programmes.

A single, year-long training programme is still the first choice for many. The content can be so overwhelming that an organisation may lose users just a few minutes into a session. The audience will start to daydream, and check their phones, or they’ll be getting on with other work on their laptops. Whatever little positive impact there is inevitably deteriorates over the course of the year as users forget what they’ve learnt.

Bulky training manuals, online guides, and best practice PDFs are also commonplace. The expectation is that by providing staff with relevant information they’ll naturally absorb it. But most won’t be engaged enough to read through even a fraction of what's been provided, and those that do concentrate barely retain it in the longer term.

Even those who hang on won’t necessarily be able to act on it. Knowing how something works in theory is different to acting on it in a real-world context. The problem with traditional awareness programmes is there’s a limited chance for users to put what they know to the test. Quizzes can be helpful, but they don’t, as a matter of course, teach; they test. Learning by practice, by true-to-life experiences, is the key.

Organisations often find their awareness programmes lacking, and wonder why they haven’t developed a stronger cyber security culture. The answer is quite simple: training that doesn’t take into account the behavioural science and educational theory of how and why people learn is never going to effect real change and reduce an organisation's cyber security risk. And here’s where the channel opportunity lies.

Embracing psychology to meet a massive demand

Research has existed around what it takes to change behaviour, in terms of cyber security awareness, for more than thirty years, but it’s not something that has necessarily been acted upon. Research around learning and education has existed for at least seventy years, but this too has been dismissed in the cyber security awareness space because it’s either too difficult or costly to deliver.

While human-oriented cyber security awareness may not be a new phenomenon to either businesses or the channel, measurable science- and evidence-based solutions are. Applied to information security awareness, modern behavioural science and teaching techniques can provide immediate, tangible improvements and mitigate human cyber risk.

The opportunity is made yet more appealing given few businesses have such a solution in place. Research suggests that 70% of SME firms either don’t have cyber security awareness training or have ineffective programmes in place. Further, KPMG suggests that the majority of the FTSE 350 companies lack the board-level skills to address the issue.

And while our own research shows only 44% of IT decision-makers believe their business’ employees have the skills to prevent a cyber attack, the majority are worried about the threat of a cyber attack, losing money, and are more concerned now that GDPR has come into force.

The demand is there. Cyber risk reduction has never been such a hot topic, and although long overdue, solutions are being introduced that both work and augment technology products as well as expert consultancy. Programmes addressing the human aspect of cyber security fill a longstanding gap in most channel cyber security portfolios, largely playing off technological products.

Psychology is not a lost science, but the regard for it in the cyber security space has certainly been lost for the time being. This presents a sizeable opportunity for players in the channel market. After all, the human aspect of cyber security can be seen as the intersection of people, technology and information. Can you think of a business today that doesn’t have all three of these?

Mark Edge is Chief Revenue Officer at CybSafe
