Cybersecurity Culture and the Human Element
When we think about cybersecurity, we generally think about technology – new gadgets, fancy systems, and screens full of computer code that will keep the hackers out. The role that people play is often an afterthought. But in reality, every step of the cybersecurity process, from inventing new systems to implementing defense strategies, has people involved. Considering the role people play and creating a strong cybersecurity culture is an important defense against scammers, hackers, and cybersecurity threats of all kinds.
See The Human Side of Cyber Security with Jessica Barker for a complete transcript of the Easy Prey podcast episode.
Dr. Jessica Barker is co-founder and co-CEO of Cygenta, a company that helps organizations develop their cybersecurity culture and consider the human elements of cybersecurity. For the last twelve years, her mission has been to promote cybersecurity awareness, behavior, and culture. She is interested in understanding what makes people tick when it comes to cybersecurity and how to better engage and empower people towards practicing more secure behaviors.
Jessica didn’t intend to get into the cybersecurity field. She did her Ph.D. on the internet, but not about security. She was looking at the growth of the internet economy and what it meant to communities and society and culture as a whole. Before that, her background was in sociology, politics, and urban regeneration. After she completed her Ph.D., she didn’t know what she wanted to do next, but she wanted to do something different. She was headhunted by a small cybersecurity firm that wanted someone who could speak to people, understand qualitative data, and help them with the human aspects of security. Jessica had to google “what is cybersecurity” when they first reached out. But once she started doing the work, she never looked back.
One Step to Determine if Something is Suspicious
To the best of Jessica’s knowledge, she hasn’t been a victim of a cybersecurity incident or scam. But it’s important to add that caveat. Sometimes you can be a victim and not know for a while. But there have certainly been times where she has received a message, been flustered or busy at the time, and come close to falling for something.
“Being vigilant is helpful, but I always say the right phish at the wrong time can catch any of us.” – Jessica Barker
There have also been times where she received an email she thought looked suspicious, but turned out to be legitimate. For example, she was recently invited to the Royal Garden Party at Buckingham Palace to celebrate King Charles’ coronation. When she got it, she thought, “Yeah, right. That’s phishing.” She sent it to her husband, an ethical hacker. He checked it out and determined it was real.
The key to this process was sending it to someone else. Taking yourself out of the equation is a great stopping point for scams. The research supports this, too. And you don’t have to be married to an ethical hacker for it to be helpful. Running anything that seems suspicious past someone else is a great step towards a stronger cybersecurity culture, no matter who that person is. It allows you to get an outside observer’s opinion. But it also allows you to step back and slow down, which makes you more likely to identify a scam. Even just reading it out loud or coming back to it the next day will change your perception and make you more likely to identify something suspicious.
The Scam Formula
Jessica’s recipe for spotting a scam has three elements. First, it’s unexpected. It’s from someone you haven’t talked to before or don’t talk to often, it’s at a time or through a channel that you didn’t expect, or about a topic you didn’t expect to be contacted about. Second, it makes you feel something. That could be excitement, hope, fear, anxiety, or anything else. It could also try to make you feel rushed or hurried. If there’s any kind of time pressure or it wants you to deal with it right away, that’s a red flag. Third, it asks you to do something, whether that’s make a purchase, fill out a form, click a link, or even respond to the email. Those three elements together are a toxic combination.
If you read through those elements and thought, “That sounds a lot like marketing,” you’re right. That’s one of the difficulties of creating a strong cybersecurity culture. There is a fine line between persuasion and manipulation. Marketing and manipulation are very different, but it can seem like they are using the same techniques, especially with more aggressive sales tactics.
Human Influences on Cybersecurity Culture
If you look at the life cycle of any technology, information, or cybersecurity culture, people are there at every step of the process. People came up with the initial idea for a new technology. People are the ones designing it, developing it, using it, and abusing it. And the impact it has is an impact on people.
“We are not securing information for the sake of that information or the sake of the technology itself. … It’s still people at the end of the day.” – Jessica Barker
The human side of cybersecurity culture is the work Jessica does every day. It’s raising awareness, helping organizations understand employee behaviors, and helping them understand cybersecurity culture in general. It’s also understanding the motivations of attackers and malicious insiders and what kind of issues can happen by accident. And it’s also understanding the impact of cybersecurity culture on people. This is where fields like psychology, sociology, behavioral economics, marketing, and neuroscience can be helpful.
Cybersecurity Culture Across Generations
Lots of different factors affect people’s thoughts on cybersecurity and cybersecurity culture. But generally, there are different approaches between generations. A lot of people assume younger people, those in their teens and early twenties, don’t have any respect for cybersecurity or privacy. They assume young people share way too much and don’t practice secure behavior.
But research shows that’s generally not true. The younger generation tends to have a stronger cybersecurity culture. They understand cybersecurity better, engage with it more, and are more inclined to practice secure behaviors and make conscious decisions. They tend to use tools like password managers because they’re more comfortable with technology. And they might share their Netflix password, but they are more aware of the choice and their own risk tolerance.
On the other hand, older generations that didn’t grow up with technology have been left a bit behind. Many senior adults are more likely to find it difficult to use a password manager, for example. Of course, this is a generalization – a lot of older adults have no problems adapting to new technology. Where Jessica gets frustrated is when technical people look down on tools like a password notebook. Using a password notebook at home that they’re very careful with actually enables an older person who can’t (or doesn’t want to) figure out a password manager to have more secure passwords. And the likelihood of someone breaking into their house and stealing that notebook without them noticing is much lower than the likelihood of someone breaking into their accounts if they’re reusing the same weak password over and over.
Shifting the Cybersecurity Culture in Your Organization
At Cygenta, Jessica mostly works with corporate clients. Often a CISO or security leader brings them in, and they have the opportunity to work face-to-face with others in the organization. Their ultimate goal is to shift the cybersecurity culture in the organization towards better security.
The first step is to understand the organization’s current culture. It’s about understanding the current cybersecurity culture, yes, but also the existing culture in general. Security professionals often say, “We need to build a security culture,” but the truth is you already have one. It’s about figuring out what it is, if it’s positive, negative, or ambivalent towards security, and aligning it with organizational culture and values to take it where you want it to go.
Understanding values is another huge step. The wider organizational values are fundamental to the cybersecurity culture. Do people understand the importance of cybersecurity and how it relates to them? You can also tap into people’s individual values to encourage intrinsic motivation. It can even be beneficial to talk about the importance of a strong cybersecurity culture both at work and at home. Emphasizing how these behaviors make you more secure at home and protect your family can motivate people to engage.
Some of the most healthy cybersecurity cultures Jessica has worked with are ones with very customer-focused values. In those cases, cybersecurity can prove how it supports the values and the missions. People see the customer data that they’re working with and can think, “What if this was my data?” It encourages them to handle it with care. If your organization has strong values and your people believe in the mission, you can tie in how a strong cybersecurity culture supports that mission.
The Importance of Perception in Cybersecurity Culture
A major factor in creating a strong cybersecurity culture is perception. Much of that is self-perception. Do people see themselves as being capable of engaging with cybersecurity? Self-efficacy, or the feeling that you are capable of doing something, is the most important factor in changing behavior. Research backs this up over and over again. Successfully creating a strong cybersecurity culture isn’t about scaring people or constantly emphasizing the dangers. It’s about empowering them so they feel like they are able to successfully create a good cybersecurity culture.
In addition, there is often a perception that security is a blocker. They say “no, you can’t do that,” over and over again, often without explaining why. Creating a strong cybersecurity culture requires finding out where the blocks are and seeing what workarounds exist. Even when there aren’t workarounds, communication is key. Stronger communication can help find points of resistance and frustration. If you’re bringing in new controls, changing access, or locking something down, have a conversation about why these controls are needed and how and why they can be modified (or if they can’t, why they can’t). When people understand, they’re less likely to be frustrated.
Showcase the Cybersecurity Team’s Work
Jessica is a big believer in shining a light on what the cybersecurity team actually does on a day-to-day basis. People say to her all the time that they know the cybersecurity team does good work, but they have no idea what they do. A great way to improve cybersecurity culture and communication is to highlight what they do. People want to know, so why not share?
Some of the challenge with this is that the cybersecurity team’s wins are generally when nothing happens. If they’re doing a good job – there isn’t a data breach, the company isn’t hit by ransomware, hackers can’t get in – nothing changes. But we often overlook what’s interesting about the work or other things that demonstrate success. The team can talk about near misses, for example, or when things could have gone wrong but didn’t.
When communicating about cybersecurity, the media is an additional challenge. There is lots of scaremongering, doubt, uncertainty, and fear in the media coverage. But at the same time, it’s a gift. It’s rare that a day goes by without something related to cybersecurity in the news. And it’s a theme in many TV shows and movies, even if just a subplot or in the background. It’s a great opportunity to teach people more about cybersecurity, even if we need to address media misconceptions first.
The Truth About Cyberattacks
One important factor in creating a cybersecurity culture is considering the language we use. We often talk about cyberattacks being “targeted.” For most people, this conjures images of a hacker in a hoodie who wants something from you or your company specifically. People think that it will never happen to them because they don’t have anything worth taking. Part of developing a strong cybersecurity culture is helping people understand a few things. First, that everyone has valuable information or assets, even if that’s just customer data or your identity. Second, most cyberattacks aren’t picking specific targets. They are casting a wide net and exploiting anyone or any company they catch.
“We think the world is getting worse, but we think bad things will never happen to us. We think we’ll never get ill, we’ll never get divorced, and we’ll never get hacked.” – Jessica Barker
Cybersecurity as a whole is challenging because it’s so complex. There are issues like supply chain attacks, where a service or supplier your company uses is successfully attacked and the attack cascades down the supply chain to you. We can recognize the challenges, but the challenges are going to evolve. However, Jessica is still optimistic. Cybersecurity is still a very young industry. We are often so focused on things that went wrong, are going wrong, or might go wrong that we overlook times when everything worked and don’t notice what we’ve achieved so far. Cybersecurity and developing cybersecurity culture is an ongoing challenge. It’s important to keep on top of what can go wrong, but it’s also important to recognize what we’re doing well.
Education to Improve Cybersecurity Culture
There are some educational steps we can take to help create a stronger cybersecurity culture. Critical thinking is an important skill, and more can be done in traditional schools to improve that. But those of us who are no longer in school need that as well. Critical thinking can apply to social engineering and scams, but also to disinformation. The same strategies are used over and over again.
We need to learn to understand not at a tactical level, but at a strategic level. The tactics may change – and they do, frequently. Criminals evolve their tactics based on how successful they are. Just as we shore up our defenses in one area, a new tactic or a new technology comes along and they’ll learn how to use that to scam us. But the same kind of strategy generally forms the foundation of any manipulation.
“The tactics might change, but … [the same] kind of strategy generally underpins any kind of manipulation.” – Jessica Barker
Our best approach is to be strategic. Helping people understand how they think and process information and what influences their actions and reactions is a great way of building resilience. The human element in cybersecurity culture is often an afterthought. But if we lead with the human side and center security more on people, everything else will follow.