At Cybercon 2017 in Plymouth, an independent cyber security consultant and human behaviour specialist told attendees that Teaching IT and cyber security teams about psychology and sociology is key to enabling better cyber security practices.
Users Are A Mixture of ‘Spock’ and ‘Homer’
Consultant Jessica Barker made the point that instead of IT and cyber security teams in businesses being trained by security professionals to expect users to always behave rationally and logically (like “Spock”), they should also be trained to expect that users can also behave like “Homer” (Homer Simpson). This acknowledgement of (and understanding among staff ) of a more rounded model of user behaviour could lead to businesses being better protected against cyber and data security threats.
Protection From Homer
One key point that Barker made was that when people are in a so-called ‘hot-state’ of decision-making, the less rational and more visceral impulses in them tend to overtake the their more rational impulses i.e. ‘Homer’ wins over ‘Spock’. In marketing, a hot-state and the impulsive urge to act can be induced by promotions that tap in to the ‘Id’, and urge people to reduce self-control and act immediately without thought e.g. a slogan like “Hungry? Grab a Snickers’®”
In terms of cyber and data security, training could educate employees to the fact that in social engineering attacks, the attacker is trying to induce this state in the staff member in order to make them divulge information. An awareness that this happens, and the building in of a process that staff can use to a allow rational thought and checking (e.g. empowering them to ask and be rewarded for asking questions) could therefore provide vital protection against costly and disruptive malware data breaches.
Not Just Technical Aspects.
Barker pointed out that in order to provide maximum value to businesses and to deliver maximum effectiveness, IT security trainers need to teach security teams and all relevant staff about relevant psychology, sociology and communication, as well as the technical aspects of cyber and data security.
So-called ‘Techies’ in a company, who are traditionally viewed as being happier with ‘process’ should also be taught about ‘people’ in order to give them a more balanced and effective cyber security skill-set.
What Does This Mean For Your Business?
Just as an understanding of ‘buyer behaviour’ is important in successful marketing of products and services, by giving all staff a grounding in human behaviour as it relates to cyber criminals and those dealing with potential attacks, you could dramatically improve your organisation’s resistance to attacks.
According to Verizon DBIR research last year, human error accounted for most security incidents experienced by organisations. For example, 30% of phishing messages sent that year were opened (by staff), 12% of those people who opened the messages carried on to click on the attachment or link in the email.
If staff are therefore trained to spot the risks, encouraged to ask questions, and able to re-engage the ‘Spock’ in them at the right moment, it could save your business a lot of money, time, disruption, and possible reputational damage.