Cognitive dissonance and why tackling the people element of cyber security is so hard

Two psychologists, an academic and an ex-soldier walk into a bar… Unfortunately this isn’t a reality given the current situation with COVID-19, but it was the basis for an interesting webinar I took part in recently. We had a stimulating conversation about the cyber security industry’s ‘people problem’ and why it is so hard to address. What became clear is that the industry needs to do more to identify, measure, quantify and manage human risk.

ICO statistics show that over 90% of security incidents occur due to human error. To anyone in the industry this is old news, and we have seen it happening for a number of years now. Huge amounts of money have gone into creating incredible tools to secure companies' technology, and a lot of thought has been put into developing processes. CISOs have done a great job of securing these parts of their business, and now need to turn their attention to people. We are living in a kind of cognitive dissonance, where we know what the problems are but aren't able to address them.