How can we push employees / users to take cybersecurity to heart? Dr. Maria Bada, external behavioral scientist at AwareGO, has been working on the answer for years.
After studying media psychology, focusing her Ph.D. on behavior change, and working towards the treatment of excessive internet use in children and adolescents, nearly ten years ago she opted to join Oxford University as a postdoctoral researcher on cyberculture and online behavior.
Her research focused on the human factor of cybersecurity, the assessment of cybersecurity awareness campaigns and their impact in changing online behavior and, gradually, it expanded from the user to the offender.
“The application of traditional theories of psychology in studying cybercrime is something I find fascinating and this research is also contributing to the emerging discipline of cyberpsychology. Within my current role at the University of Cambridge Cybercrime Centre, my research focuses on the human factor in cybercrime. More specifically, I work on the profiling of cybercriminals, the cybercrime ecosystem and how the Internet supports criminal behavior online,” she told Help Net Security.
She believes in the importance of understanding both the offenders’ behavior AND users’ needs in order to develop effective prevention interventions, and her current collaboration with AwareGO provides her with the opportunity to apply her research in a practical way to develop innovative methods in cybersecurity awareness training and assessment.
In this interview, she talks about the requisite factors for successful security awareness education.
[Answers have been edited for clarity.]
I’ve often found that people don’t grasp cybersecurity topics when they are explained in abstract language. Some shut down immediately, others have trouble imagining the wide variety of instances when the imparted knowledge can be used, and many are afraid to ask “stupid” questions. How can one make sure to address all of these and other stumbling blocks in the way of successful cybersecurity knowledge transfer?
It’s true that cybersecurity is often assumed to be purely technical. However, when we look at the threats and how they become reality, that is when we can see and truly understand that cybersecurity is about people more than it is about technology.
Users often avoid cybersecurity because they cannot understand it or because understanding it requires a lot of effort. Convenience is most of the time preferred over security, and this is a serious stumbling block.
During the COVID-19 pandemic we witnessed organizations having to quickly advance or coordinate their cybersecurity efforts as many employees started working from home. That meant that even employees who avoided thinking or learning about cybersecurity had to do some training or follow specific policies around remote working.
For something like that to be effective at a large scale there has to be knowledge transfer at all levels of an organization, language needs to be as simple as possible and actions required need to be as clear as possible. Therefore, to ensure that cybersecurity is being considered by the user, the training and instructions need to be targeted, actionable and (easily) doable.
All members of the digital community need to develop a cybersecurity mindset and create a cybersecurity culture where knowledge is being shared and communicated to all. The most important part is to use that knowledge to improve everyday life. Technology should be part of our lives, fit our comfort zone, and be something we trust and don’t feel intimidated by due to lack of knowledge and digital literacy.
What are the dos and don’ts of setting up successful security awareness training and campaigns?
Before developing a cybersecurity awareness training campaign, we need to identify our target group and the specific needs of this group. Changing behavior requires more than providing information about risks and reactive behaviors – people need to be able to understand and apply the advice we provide and, most importantly, they need to be willing and motivated to follow that advice.
Many campaigns in the past have demanded a lot of effort and skills from the audience, setting unrealistic expectations, while solutions are not aligned to risks. One of the tactics often used in cybersecurity awareness campaigns has been fear invocation, but it has generally proved insufficient to change behavior, so avoid it.
The offered advice/knowledge needs to meet the needs of the target group, while training and continuous feedback are needed to sustain the information received.
Also, different cultural or personality characteristics need to be considered since these factors can influence the outcome of the campaign. For example, an individualistic culture needs a different approach compared to a more collectivist one.
What currently uncommon IT and cybersecurity educational practices / tools do you believe have a future?
In my opinion, we will be seeing a lot of efforts internationally in raising cybersecurity education and awareness across all disciplines. To do that, new technologies will be utilized, such as virtual reality. Virtual reality can spark the imagination, encourage creative learning, and offer memorable training experiences for employees.
Technology is evolving too fast for a great chunk of humanity to be able to catch up and learn the nuances of its use. The gap is particularly wide when it comes to using the internet and keeping up with the ways the dissemination of information, disinformation efforts and propaganda are evolving. Malicious actors and even businesses are essentially hacking and hijacking the human brain and emotions. Is there a light at the end of that particular tunnel and what will it entail?
There is currently a digital divide at a national and individual level. We see many countries leading in cybersecurity technologies but also in legislation on cybercrime. Other countries are now beginning to develop their capacities, their strategies and efforts. This gap is being exploited by criminals but also by governments to promote fake news that shapes public opinion or behavior.
People are aware of cybersecurity because they hear a lot about it. But that doesn’t mean that people are behaving how we would like when it comes to matters such as password authentication and social engineering attacks.
Psychologists have studied human perceptions and behavior, how we think and behave and what can influence that. For example, risk perception and the impact of an action might influence our behavior. But also:
- Internet users tend to select content that is consistent with their attitudes and opinions and tend to evaluate attitudinally consistent information more favorably.
- People are inclined to believe information and sources that others find credible.
- People are inclined to believe information based on the reputation or name of a website or resource without much critical scrutiny of that site or content.
Based on these clues, we know that many information seekers avoid more effortful processing of online sources and information.
In order to reach the light at the end of this tunnel, we need to focus our efforts on promoting digital literacy in society at a broad scale. Part of effectively finding and consuming digital content focuses on how well users can discern facts from misinformation and determine trustworthy sources while understanding risks.
How can IT technology developers aid cybersecurity efforts? What else must be taken into consideration when aiming to create effective IT solutions?
Effective IT solutions should be usable. For example, designers and developers often approach web accessibility as a checklist to meet specific standards (e.g., ISO/IEC 40500), and the focus is only on the technical aspects of accessibility. As a result, the human interaction aspect is often lost, and accessibility is not achieved.
Combining accessibility standards and usability processes with real people ensures that web design is technically and functionally usable. Such considerations need to be made for people with different disabilities, but also low literacy, etc. Technology is being developed for people and people are different, therefore we cannot expect the same usability levels of different solutions to work for all.