Human language

The role of psychology in improving safety culture


What we have learned

When using the Human Cyber Index within an organization for the first time, we usually find that the organization faces the challenge of changing people’s perception that cybersecurity is beyond their capabilities or remit and is a highly technical or specialized discipline. Sometimes the initial completion rates for mandatory training are low, and the information security team lacks the visibility and reputation it needs to be regarded internally as a trusted advisor. In this environment, cybersecurity is seen as just another item in a long list of boring compliance initiatives.

We have also learned that not all people in an organization approach information security in the same way. Age matters, for example. In many cases, the younger employees – those in “Generation Z” – are comfortable with the use of technology, but this does not always translate into familiarity with cybersecurity. In contrast, we find that while older generations generally have a greater instinct for privacy and security, they are not always as comfortable with the IT products provided by their organization.

For the most part, we have found that people care about cybersecurity and take it seriously, but they sometimes struggle with the complexity of policies and processes.

Psychology and cybersecurity

Businesses can fight the myth that cybersecurity is a purely technical subject by teaching their employees the psychological aspects that dominate most cybersecurity breaches. Research on this complex subject continues to grow.

An article, on behavior change in the context of cybersecurity, produced by academics at the University of Bournemouth for the British Psychological Society, highlighted how victims of cyberattacks are often psychologically manipulated. Among their recommendations, they called for applying “behavior change principles” to “public and professional environments” in order to “empower individuals to better manage cybersecurity threats”.

Cybercriminals often seek to exploit human tendencies to gain access to systems and data through phishing attacks. These attacks involve a form of social engineering, as they aim to trick employees into revealing private or sensitive information, clicking on links or opening suspicious attachments, by exploiting their pre-existing knowledge or typical behaviors.

As part of our human-centric approach, we simulate phishing attacks and, after training, explain the psychology behind the simulated attack to show people how cybercriminals will try to manipulate their thoughts and actions. In doing so, people have a better appreciation of the behavioral triggers that a criminal might include in a phishing attack.

Introducing the psychological element is a way to focus e-learning information and content on personal security rather than organizational security – the underlying behaviors are the same, but they are presented differently. We have found that people then find the material more relevant, take more interest in the topic and want to know more. Alongside this, we advocate a competitive element for e-learning initiatives, with leaderboards that recognize and reward those who have detected and reported suspicious emails.

By highlighting the psychological aspects of cybercrime, we have found that people find the topic of cybersecurity more relevant and accessible, and this helps them understand that they have more control over the situation than they realize. This is an essential part of creating and maintaining a culture of safety, and of designing policies and practices that reflect human tendencies and incorporate safe behavior.
