The role of psychology in improving security culture

What we have learned

When an organisation uses the Human Cyber Index for the first time, we commonly find that it faces the challenge of changing people’s perception that cybersecurity is beyond their capabilities or remit and is a highly technical or skilled discipline. Sometimes initial completion rates for mandatory training are low, and the information security team lacks the internal visibility and reputation it needs to act as a trusted adviser. In this environment, cybersecurity is seen as just another item in an endless list of boring compliance initiatives.

We have also learned that not every individual in an organisation approaches information security in the same way. Age matters, for instance. In many cases the youngest employees – those from ‘Generation Z’ – are comfortable with the use of technology, but this does not always translate into them being familiar with cybersecurity. In contrast, we find that while the older generation typically have a greater instinct for privacy and security, they are not always as comfortable using the IT products provided by their organisation.

For the most part, we have discovered that people do care about cybersecurity and take the subject seriously, but that they sometimes struggle with the intricacies of policies and processes.

Psychology and cybersecurity

Businesses can address the myth that cybersecurity is a purely technical subject by teaching their people about the psychological aspects that dominate most cybersecurity breaches. Research on this complex topic is increasing all the time.

One paper, on behaviour change in the context of cybersecurity, produced by academics at Bournemouth University for The British Psychological Society, highlighted how cyberattack victims are often psychologically manipulated. Amongst their recommendations, they called for “behaviour change principles” to be applied to “public and workplace settings” so as to “empower individuals to better manage cybersecurity threats”.

One way in which cyber criminals often seek to exploit human tendencies to access systems and data is through phishing attacks. These attacks involve a form of social engineering, as they are aimed at tricking employees into revealing private or sensitive information, clicking on links, or opening suspicious attachments, by preying on their pre-existing knowledge or typical behaviours.

As part of our human-centric approach, we simulate phishing attacks and, post-training, explain the psychology behind the simulated attack to demonstrate to people how cyber criminals will try to …….
