Employees dealing with cyber security risk will be familiar with the fear factor. At teissLondon2020, Jessica Barker, Chair of ClubCISO, explained how fear is holding back progress.
We often overlook how people feel in work, as concerns over business ventures and profit take priority. But emotions have a direct impact on employee behaviour.
And cyber security risk is no exception. Does the idea of falling into a cyber breach trap fill you with dread and fear? Does the thought of managing cyber security risk leave you feeling powerless and lacking in confidence?
Jessica Barker is interested in where people meet technology. She quotes: ‘People show a disproportionate fear of risks that seem unfamiliar and hard to control’ (Sustein 2014).
That is the definition of cyber security risk: unfamiliar and hard to control. Jessica cautions that fear can cause people to put off tasks, go into denial or avoid the internet altogether!
She says: ‘Criminals targeting people is our biggest threat. Empowering people and building a positive security culture is our best defence’.
What can be done to empower employees in the face of cyber threat?
– Listen to people, and hear their concerns, experiences and questions
– Carry out surveys to find out what the common hurdles are
– Hold focus groups to get a real sense of communication and unity
– Find out where there are blockers but don’t emphasise the threat
These solutions should empower people to speak openly and without fear, to increase overall security awareness. But Jessica warns: ‘We can have all the awareness that we want…it can’t just be about awareness. It has to be usable for people…we have to give them the tools to be able to do it’.
You have to make sure your training and information is actually preparing people to deal with the real risks, not just in theory but in practice. The Centre for Disease Control and Prevention created a campaign to illustrate to people what they should do to prepare for an epidemic.
It turned out to be a successful measure of awareness, but research proved it wasn’t really changing behaviours in preparing for a zombie apocalypse.
So what can we learn from this? Check if your awareness changing is landing right: is it having the intended consequence?
An increase in awareness could potentially exacerbate the fear factor; if people know what threats they are up against, they may be fearful that they are not equipped to deal with them.
Stress can happen as a result of fear, and vice versa. People who are overworked are more at risk. If someone is overloaded with emails, they are more likely to click a malicious link. Then the fear culture prevents them from owning up to it. Employees can get caught in a vicious cycle.
Efforts to create happy employees can reduce cyber incidents. The UK National Cyber Security Centre put it like this: ‘If security doesn’t work for people, it doesn’t work’.
How to reduce fear:
– Reinforce training, rather than having one exercise per year, to demonstrate a seriousness about awareness
– Shadow how people are getting on with what they have learnt
– Clarity of communication, so employees feel well-informed and supported
– Share examples of the training in practice, and failures, to prove mistakes can happen but also be overcome
– Reduce pressure on employees to lessen stress by creating a healthy work environment and culture
Based on psychological research that Jessica raises, using fear and insecurity to try and change behaviours is ineffective. If anything, it is counter-productive. Training strategies need to go lighter on the threat in order to empower people, and consequently reduce cyber risk.