People Are Not the Weakest Link: Our Understanding Is | SecurAcademy Webinar 13 May 2020
On May 13, 2020 we hosted our "People Are Not The Weakest Link: Our Understanding Is" webinar, where our social psychologist Inge Wetzer presented 4 lessons on how to understand the human factor in organisations and how to make people more resilient against cyber attacks.
Previous attempts to make employees of organisations more resilient have largely focused on enhancing awareness. However, psychology shows that a gap exists between awareness (knowing what you should do) and behaviour (what you actually do). To solve this, many security professionals have the tendency to jump to solutions, without knowing which solution will be most effective.
This webinar provided insight into how people’s behaviour is composed and what influence organisational cultures have on the resilience of employees in information security. This knowledge helps cybersecurity professionals to target their efforts more specifically, contributing to more effective cybersecurity campaigns.
The four lessons learned are:
1. They need continuous attention for the topic.
2. They are not rational. Therefore we should focus on behavior as an end goal.
3. Their behavior is composed of different aspects that all need attention.
4. They are different from us. Don't assume what they need, ask them.
The attendees asked good questions; we have highlighted a few below. Should you still have any remaining questions, please contact firstname.lastname@example.org.
Curious about our other webinars? Visit: https://www.secura.com/webinars
You showed a great and recognisable formula, but isn't it so that people only can start changing behaviour if they need to KNOW before they even understand WHY they need to change? Meaning, is starting with knowledge not the first step (more or less a maturity-model)?
This is true when it is about conscious behaviour. If we make explicit decisions on how we behave, knowledge on what is requested is of course a prerequisite. However, a considerable part of our behaviour is unconscious or subconscious. This means that we perform the behaviour automatically. There are many behaviours we perform without thinking about it, for example because they have become a habit. Automatic behaviour can be changed without sending knowledge, for example by nudging, where changes in the environment are made, as a consequence of which people change their behaviour.
How do you know, or how can you find out, which means and messages (enforcing, making people enthusiastic, etc.) work on different kinds of people?
By creating a homogeneous focus group (for example, your financial people) and measuring this on a representative sample of this group. Scientific methods teach us that we can draw conclusions on larger groups of people based on measuring only a sample, as long as this sample is large enough. Assessing can also be done qualitatively by asking people, in dialogue, what they think would be helpful to themselves and their colleagues.
How do you stimulate the correct behavior when 'most people' will work from home after Covid 19?
By first defining very specifically which behaviours are the ones that are important in this new situation. These are different from working from the office. Behaviours such as locking your computer now become less important, whereas using safe applications for video conferencing is of increased importance. The next step would be to ask people what is holding them back from these behaviours. Do they know it is required? Do they know how it works? Does it function properly? Do they think they are able to do what you ask of them? Do not assume you know the answers! Assess! This provides you with valuable information which you can act upon.
If you have any remaining questions, please contact us at email@example.com.