With all the money and resources put into training awareness videos and phishing campaigns, security breaches due to human factors still remain high (90.5%, ICO, 2019). To address this, OutThink is building a Framework for the Management of Human Risk in Cyber Security. As part of this work, we hosted our latest webinar on June 11th, 2020, in which we discussed why tackling the human element of cyber security is so hard.
The panelists involved in the conversation were:
Dr Phoebe M Asquith, Senior Research Associate in Cyber Psychology and Human Factors at Airbus and Cardiff University. She has an MA in Psychology, an MSc in Cognitive Neuroscience and a PhD. As part of her doctorate she developed novel neural network mapping techniques using fMRI, MEG and machine learning. Her interest in Cyber Psychology is rooted in understanding the relationship between security communication, awareness and behaviour, and the disconnect between the three.
Imogen Verret, Senior Security Awareness Manager for Vodafone Group. Prior to Vodafone, Imogen served for 17 years in the British Army, specialising in security and intelligence. She has a broad background ranging from tactical analysis, training and development, and information operations to strategic intelligence, with an academic background in Zoology and Developmental Behavioural Modelling (DBM).
Ceri Jones, Cyber Security expert with 10 years of experience. She has been championing research in the area of Sociotechnical Security and using her expertise to bring research into practice across government projects. Having recently moved from central government, she now looks to bring that experience into the private sector.
The webinar was hosted by Shorful Islam, Chief Product & Data Officer at OutThink.
Watch the recording of “Why is Tackling the People Component of Cyber Security so Hard!”:
Some of the interesting topics that were discussed during this webinar:
- There is a need to invest in technology, but companies are finding that they are playing catch-up on the education side;
- There is a need to understand the science of learning, so that educating people is effective;
- We need to define what we mean by awareness training: is it awareness only of the fact that you need to be security aware, and so of the need to follow a rule, or does awareness also encompass the processes that exist within organisations;
- Tackling the people part with awareness training means training a person about one particular aspect of cyber security; but if, when they try to apply it, a process or policy gets in their way and creates a blocker, what happens next;
- People have biases when making decisions, and education can provide the tools to support rational thinking;
- Research shows that if people are aware that others around them are acting in a certain way, they are more likely to act that way themselves;
- Creating a better policy that works with human behaviour, not against it;
- Companies should keep doing the awareness training, especially where it is mandatory, but should look to use storytelling to raise information security awareness, because people remember stories;
- Terms like "people are the weakest link", "wetware" or even "the human layer" do not help security teams engage with the people they are trying to help;
- Recent events such as COVID mean that 90% of employees work from home, so how do you build trust with employees who work remotely;
- Bringing a more holistic view to what security awareness is;
- Cyber security human risk management means understanding the complexity of people's day-to-day jobs and empowering them to ask the right questions;
- Effective cyber security takes a cross-disciplinary approach, and that approach is what delivers awareness training effectively;
- Information security is not only about keeping people safe; it is about empowering people to adapt to change and continuously manage risk;
- Building a healthy Security Culture within the organisation, and intuitive human-machine interfaces;
- How to map risk behaviours across the organisation and identify teams with higher risk, so that security awareness workshops can be delivered only to those teams;
- Listening and creating dialogue between departments and teams is the first step towards a functional Security Culture.