On 5 June 2025, teissTalk host Jonathan Craven was joined by Rebecca Stephenson, Specialist Lead Lecturer, Highlands College; Penny Jackson, Director Strategy, Awareness & Engagement (Human Risk Management), Aristos Partnership; and Candace Williams, CEO/Founder, Cyb(H)er Ally Cybersecurity Solutions, LLC.
At Tech & AI LIVE London, Annick O’Brien, General Counsel at CybSafe, delivered a keynote on the Cyber Stage titled “AI and Cyber Risk: The Human Factor”, on the growing need for a behavioural approach to cybersecurity in the age of AI, big data, and rapid tech development. AI, she warned, is not just a tool for innovation but also a weapon for attackers.
Employees need to be aware of the times of the day when they are more likely to rush and click on emails and links without considering data security. Cybersecurity training must move away from generic security awareness training to what’s called measurable risk management. Motivation for employees to adopt cybersecurity practices can be enhanced by tailoring training to the risks associated with one’s core job. Measuring and demonstrating how good behaviours reduce risks can also reinforce commitment. When the threat is physical, like in the construction industry, the adoption of safe behaviours happens much faster than in the cyber space.
There is plenty of data about risky behaviour, but it isn’t fed back to the business – either through managers or individuals who display those behaviours.
Democratising access to this data could serve as a good starting point. Personal conversations with executives for those who fail to complete their security training may also give the impression that this is a serious matter. Through the stratification of risks, employees will also understand that not all departments and individuals are equally exposed to risks.
Another major concern is that the learning and development teams of medium to large organisations aren’t typically involved in security training. Before launching an awareness programme, information security teams can carry out a survey to learn how individual employees see their relationship with cybersecurity, which can also inform the upcoming training in terms of formats and learning styles. With the widespread adoption of BYOD, separating workplace and home security no longer makes sense, as some of the risk at home will be there at work as well. Sharing embarrassing stories about mistakes in cybersecurity can also make bad behaviours more memorable and easier to avoid, as people can respond better to stories. However, falling for a phishing test can also make people feel ashamed and embarrassed. The stress that this creates may be conducive to learning for some people, while it thwarts the learning process for others.
Learning platforms have functionality that enables immediate, personalised feedback after someone makes a mistake: an email about the incident is sent automatically, which the employee can absorb at their own pace. These features can also serve as criteria when sourcing the training service from external providers. There is also the red-flagging method, in which the system asks the user to confirm whether they really want to open an attachment or include some sensitive information in an email. However, as time goes by, these messages may become white noise.