Woman at center of cybersecurity network

How to put humans at the center of your cybersecurity strategy

Authors

5 minute read 03 Oct 2022
Related topics
Cybersecurity
Workforce

Organizations need a human-centric strategy in which cyber security is embedded by design. But how can they implement it?

In brief

  • While most cybersecurity breaches come from the ‘human’ element, most organizations focus their cybersecurity program on technical controls and processes.
  • A healthy cyber culture can help organizations drive cybersecurity initiatives from the bottom up.
  • Beyond mandatory trainings, a security-centric culture requires awareness of human cognitive biases and  management setting the tone to drive change.

The following article summarizes the Cyber Culture Event organized by the EY Belgium Cybersecurity Team on Friday September 16th in Diegem. The event aimed to raise awareness on how essential organizational culture and human behaviors are to the cybersecurity strategy.

It is a common misunderstanding that technical solutions alone can’t protect you from cybersecurity threats. Indeed, you could be investing in top notch physical security controls, such as mantraps, turnstiles or security cameras, but these would not be able to detect someone using their colleague’s badge to get in, simply because they forgot theirs at home.

Human behaviors have to be at the core of security strategies, and security awareness should reflect that, taking into account the many factors that influence human actions, such as social norms, the organizational culture in place, our past experiences, our affects, etc.

So, how do you establish a relevant cybersecurity awareness strategy and encourage a security-centric culture? Here are some insights.

People, not technology, pose the greatest risk to organizations ... but they are also the greatest enablers of behavioral change!

The importance of culture in change management

While people represent the main agent of change, they are also naturally reluctant to it. Either because we don’t believe in it, because we have other priorities or because we think we are just ‘a drop in the ocean’, with no real change power on our own.

Therefore, more than just a sense of urgency, it is making the change desirable that will incentivize employees. To achieve this, it is important to think about the blockers and enablers that may prevent or accelerate or the change:

Change Blockers

Change Enablers

What’s the point anyway?

I see a colleague close to me doing it

The other won’t do it either

It seems that the majority has adopted the change

I have other priorities

I understand the collective benefits

I don’t see what the problem is

I feel capable and supported by others

Messages tailored to your target audience will always be more effective. Do not overlook the importance of early change adopters or influencers. Convincing them first is  an efficient way to go, as it will drag the majority to join the movement and adopt the intended behaviors. Keep in mind that, whatever the change, “culture is the shadow of the leader”: people will be more tempted to change if the leader makes the first step.



Influencing change on a micro-behavior or individual level

Humans don’t always act rationally. In order to effectively understand risks related to individual behavior and drive the appropriate change, it is important to grasp some of the basics of cognitive psychology.

One example of a cognitive psychology bias is “Mental Anchoring” which means that people heavily influence their opinion by the piece of information they first receive. In our learning process, we might understand a message in different ways due to our brain making shortcuts or falling prey to certain biases:

  • Confirmation bias: retaining information that confirms the currently held belief
  • Desirability bias: retaining the information one would like to be true

Risk management must take those constraints into consideration and try to overcome them. Cognitive psychology and nudging can be used for different purposes (political reasons, advertisement…), so why could they not serve in an ethical way to improve and establish the right risk behaviors in cyber security?

By using the appropriate words, changing the order of choices or the point of view of a sentence, you can have a completely different impact on your readers or listeners. These techniques can be used on an individual level to influence the behavior of our day-to-day activities, such as responding to a malicious e-mail.

How EY can Help

Putting Humans@Center in your cybersecurity strategy

 

Every human has good and bad days and, sometimes, we forget about security. Whether it is due to social norms (holding the door for someone right after you) or laziness of performing a tedious verification (clicking on a phishing e-mail which looks legitimate), we can all, from time to time, adopt the wrong behaviors

 

A cybersecurity culture and awareness program can protect you against these risks. A successful awareness leader has a program with clearly defined objectives. The program should be tailored to the organization’s threat landscape starting from an adversary point of view.

 

It is important to realize that culture change is not a one-shot effort. Continuous reinforcement using different communication channels and platforms is important and should be tailored to the target audience and organization. Communication is about tailoring your message and repeating it.

 

Moreover, trainings will be more efficient if they are fun and include a rewarding mechanism. Find what works the best with your audience by collecting regular feedback and involving the workforce into the design of the program.

 

Measuring the success of behavioral change through compelling metrics would not only allow to assess the effectiveness of your efforts and prioritize future awareness actions, but would help to convince the board to ultimately unlock the much-needed awareness budget.

 

Obviously, the awareness program should be as attractive and accurate as possible. But don’t think too big, the awareness program should match the organization’s culture, budget and resources.  Also, don’t be impatient and keep in mind that this process can take several years.

Navigating externally induced pressure

An analytical alternative to the crystal ball

Based on data and fundamental analysis, scenario planning will help guide entrepreneurs through the current stormy weather.

Tom Van Herzele + 1

ESG regulatory pressure: how to navigate the increasing EU regulations?

With the new set of EU sustainability reporting standards, companies falling into scope should act now to be compliant with the reporting timeline.

Sophie Chirez

    Summary

    You can’t ensure security through technical solutions alone. Putting humans at the center is essential to the success of the security strategy.

    The key take-away here is that a good cybersecurity culture and awareness program require more than just training. Humans should be encouraged and included to drive change from the bottom-up. It is a common saying that “change starts with you”, and this definitively holds in the cybersecurity domain.

    About this article

    Authors

    Related topics
    Cybersecurity
    Workforce

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.