The next must-have step in cyber awareness: Change Management and Human Approach
There is no doubt about it: the human factor is the biggest problem in cyber security, and yet it is the one we invest in the least. Why? The ugly truth is that the human factor cannot be defined, managed, or solved with engineering solutions, and so IT security engineers are uncomfortable with it. We implement an engineering solution rather than a real security solution: we book an item in the list of security controls called "Cyber awareness and training," and then we are satisfied and can get our security certification. This practice is far from what security is about.
Let's face the facts, hard as they are. This is not security; this is compliance, and the human factor still hangs like a sword above our heads. As I once heard from a cyber security practitioner at a security convention in Sweden: "It doesn't matter what we do. There is always a stupid one clicking on the link or downloading the file, and it will always be that way."
Cyber security engineers are good at engineering solutions for servers, databases, authentication and any other related subject within IT security.
However, and this is the crucial point, solving a human problem requires a human approach, not a technical one. We therefore need to understand the internet and the digitalization process from the human point of view. And believe me, it is very different from the technical one.
Let's start approaching security from a human point of view. For a person, security is not a set of configured rules and filters in the brain. Security is a mindset, an attitude toward risk, based on a dynamic combination of knowledge, training and character attributes, influenced by the person's state of mind and well-being.
A good starting point for understanding the human factor in cyber security is to describe the most important risk factors in how people perceive the internet:
- Most of our employees experience the internet as a space, much as they experience a physical one: a place where they shop, read, learn, and socialize by keeping a blog or chatting with friends or strangers. They meet new people in games or on dating services, expose themselves on social media, give their opinions, argue with others, share hobbies, and so on. The internet is "a place" where most of our employees behave as they would anywhere else. The two points below describe the big difference from physical space.
- Most internet users have a false feeling of anonymity. They believe that no one knows who they are because they hide behind a nickname, an e-mail address or something similar. What happens when we believe we are anonymous? We dare to do and say things we would never say if people knew who we were. But the feeling is false: we at Sally make our living from, among other things, uncovering the real person behind nicknames, passwords, e-mail addresses or Bitcoin wallets, to give a few examples.
- The false feeling of anonymity and the social nature of the internet together give people a false sense that dangers are far away and unreal, almost impossible to happen. So people take risks they would never take in the physical world. The examples are endless: giving out personal information, exchanging pictures, handing over pieces of sensitive data or privileged information. We believe that the person talking to us really is in Australia, as they claim, so we say things we would never say if we were in the same room.
With these three points in mind, the definition of security for the human factor given above is much easier to understand, and it becomes clear how much temperament, state of mind and well-being, among other things, shape a person's security behaviour.
Every cyber awareness and training process must therefore be run as a change management project that aims to change employees' attitude toward security and risk management. There is another word for this: resilience. Any cyber awareness project must be a change management project that increases employees' resilience by changing culture, attitude, and knowledge.
As we know, the key to most change projects is the ability to measure results and follow up on how the change develops. The KPIs or key measurements should be tied to the fundamental aspects of human factor security and be tracked over time, so that decisions can be made to improve or accelerate the outcome. Measurement must be based on something other than the employee having completed the training session and read the material. We need to measure real change with KPIs and adapt the training to each person's character attributes (also called risk types in security management).
At Sally, we have created Sally Academy, our way of bringing change management into cyber awareness and training:
- The ability to adapt the training path to what each employee needs, including risk type, well-being and other human factors that may be relevant to that individual.
- The ability to measure over time how the company, the department and the individual develop, based on 6-7 categories, and so follow the development of the security culture.
- The ability to deliver real training for phishing and smishing based on each person's specific needs.
We are always ready for an open dialogue about the human factor, always taking the whole human being into view so that it drives a change in the company's security culture. Please get in touch with us if you would like to discuss a gap analysis of your security culture.