“Some companies have programmes aimed at raising employee awareness about cyber security threats, but virtually none are training IT and security teams about users,” she told Cybercon 2017 in Plymouth.
“This is a real issue. We are training users in the technical stuff, about technology and the challenges faced by IT and information security, but we are not doing it the other way around.
“We are expecting information security professionals in their organisations to train users, but we are not teaching those infosec professionals anything about people,” she said.
While there has long been a recognition that security is about people, process and technology, Barker said most companies are not teaching their security teams about psychology, sociology and communication, all of which are inherent to cyber security.
“What the technical teams do not understand is that nobody is Spock and nobody is Homer. We are all both. The Spock and Homer within us are in constant battle for control of our behaviours.
“But when people go into a ‘hot state’ – which is when they are tempted by something, curious about something or when they desire something – Homer will almost always win,” said Barker.
“This is the reason that social engineering attacks are effective. They target curiosity, desire and greed – all the things that make people behave in an irrational way.
“If those delivering an organisation’s cyber security training do not understand this, they will talk about the technical aspects, but not in a way that will change behaviour,” she said.
Instead, Barker said organisations need to ensure that cyber security messages are being communicated in a way that employees can understand.
“Be user-centric. Think about how you can constructively engage with fear by explaining what to do and why so that you do not scare people into denial and avoidance,” she said.
Employee behaviour is more likely to change, she said, if they are empowered to ask questions, if they understand the risks, and if they are provided with the tools and procedures required to work securely.
“Encourage employees to learn about cyber security in a way that lets them explain topics to other people, and use a variety of teaching methods because people learn in different ways. Encourage curiosity, use empowerment, use rewards, and don’t forget to teach the techies about the importance of people and process,” said Barker.