What we have learned
When an organisation uses the Human Cyber Index for the first time, we commonly find it faces the challenge of changing people’s perception that cybersecurity is beyond their capabilities or remit, and that it is a highly technical or skilled discipline. Sometimes initial completion rates of mandatory training are low, and the information security team lacks the internal visibility and reputation required to act as trusted advisers. In this environment, cybersecurity is seen as just another item in an endless list of boring compliance initiatives.
We have also learned that not every individual in an organisation approaches information security in the same way. Age matters, for instance. In many cases the youngest employees – those from ‘Generation Z’ – are comfortable with the use of technology, but this does not always translate into them being familiar with cybersecurity. In contrast, we find that while the older generation typically have a greater instinct for privacy and security, they are not always as comfortable using the IT products provided by their organisation.
For the most part, we have discovered that people do care about cybersecurity and take the subject seriously, but that they sometimes struggle with the intricacies of policies and processes.
Psychology and cybersecurity
Businesses can address the myth that cybersecurity is a purely technical subject by teaching their people about the psychological aspects that dominate most cybersecurity breaches. Research on this complex topic is increasing all the time.
One paper, on behaviour change in the context of cybersecurity, produced by academics at Bournemouth University for The British Psychological Society, highlighted how cyberattack victims are often psychologically manipulated. Amongst their recommendations, they called for “behaviour change principles” to be applied to “public and workplace settings” so as to “empower individuals to better manage cybersecurity threats”.
One way in which cyber criminals often seek to exploit human tendencies to access systems and data is through phishing attacks. These attacks involve a form of social engineering, as they are aimed at tricking employees into revealing private or sensitive information, clicking on links, or opening suspicious attachments, by preying on their pre-existing knowledge or typical behaviours.
As part of our human-centric approach, we simulate phishing attacks and, after the training, explain the psychology behind the simulated attack to show people how cyber criminals will try to manipulate their thoughts and actions. In doing this, people gain a better appreciation of the behavioural triggers a criminal might build into a phishing attack.
Introducing the psychological element is a way of focusing cyber training and content on personal security rather than organisational security – the underlying behaviours are the same, just presented differently. We have found that people find this more relatable, become more engaged with the topic and have a greater appetite to learn more. Allied to this, we advocate a competitive element in cyber training initiatives, with leaderboards that recognise and reward people for spotting suspicious emails and reporting them.
By highlighting the psychological aspects of cybercrime, we have found that people find the topic of cybersecurity more relevant and attainable and that this in turn helps them to understand that they have more control in this situation than they think. This is a core part of building and sustaining a security culture and in designing policies and practices that reflect human tendencies and embed secure behaviour.