
Most businesses failing to train IT and security about users

Teaching IT and cyber security teams about psychology and sociology is key to enabling better cyber security practices in organisations, according to human behaviour specialist Jessica Barker

Businesses are failing to train their IT and cyber security teams about users, according to independent cyber security consultant Jessica Barker.

“Some companies have programmes aimed at raising employee awareness about cyber security threats, but virtually none are training IT and security teams about users,” she told Cybercon 2017 in Plymouth.

“This is a real issue. We are training users in the technical stuff, about technology and the challenges faced by IT and information security, but we are not doing it the other way around.

“We are expecting information security professionals in their organisations to train users, but we are not teaching those infosec professionals anything about people,” she said.

While there has long been a recognition that security is about people, process and technology, Barker said most companies are not teaching their security teams about psychology, sociology and communication, which are all inherent to cyber security.

The result, she said, is a security team that expects users to behave rationally. “They expect their users to be logical like [Star Trek’s] Spock, while they are often more like Homer Simpson.

“What the technical teams do not understand is that nobody is Spock and nobody is Homer. We are all both. The Spock and Homer within us are in constant battle for control of our behaviours.

“But when people go into a ‘hot state’ – which is when they are tempted by something, curious about something or when they desire something – Homer will almost always win,” said Barker.

“This is the reason that social engineering attacks are effective. They target curiosity, desire and greed – all the things that make people behave in an irrational way.

“If those delivering an organisation’s cyber security training do not understand this, they will talk about the technical aspects, but not in a way that will change behaviour,” she said.


Instead, Barker said organisations need to ensure that cyber security messages are being communicated in a way that employees can understand.

“Be user-centric. Think about how you can constructively engage with fear by explaining what to do and why so that you do not scare people into denial and avoidance,” she said.

Employee behaviour is more likely to change, she said, if they are empowered to ask questions, if they understand the risks, and if they are provided with the tools and procedures required to work securely.

“Encourage employees to learn about cyber security in a way that they can explain topics to other people, and use a variety of teaching methods because people learn in different ways. Encourage curiosity, use empowerment, use rewards, and don’t forget to teach the techies about the importance of people and process,” said Barker.
