By the time you need to change behavior, it’s often already too late, and so interventions can prove fruitless. This article outlines three examples of intervening techniques that aim to prevent damaging behaviors and aligns them with real-world cybersecurity scenarios.
Scenario One
Imagine a child who has a sweet tooth but understands that if she has too many sweets, she’ll likely need to go to the dentist more often, which she doesn’t like. Her school educates her on the importance of a healthy diet, and her parents lead by example and do their best to eat healthily at home. The child learns that it’s okay to have sweets, but perhaps a moderate amount on a Saturday. Through education and awareness, good role modelling and a number of other variables, the child has had the best chance of success from an early age, with the right support available. This is called ‘primary intervention,’ trying to prevent a problem from occurring.
An example in terms of cybersecurity might be ensuring the onboarding process is up to scratch, not only in terms of training, education and policies, but also in other factors, such as first impressions and getting off on the right foot when it comes to the employer-employee relationship, along with avoiding those destructive psychological contract breaches.
Scenario Two
Now imagine a teenager who has a sugar addiction and has been emptying the cupboards at home of chocolate and biscuits and hiding wrappers under his bed so as not to be found out. He knows it’s wrong and that it’s not good for him, but as the problems haven’t materialized yet, he thinks he can get away with it. However, he is ashamed, concerned his teeth and health will suffer and wants to get control of the situation. He informs his parents who support him to ‘kick the habit’ and replace his sugar addiction with healthier options. This is known as ‘secondary intervention,’ trying to detect a problem early and prevent it from getting worse.
In terms of cybersecurity, this may be noticing a general ‘relaxed’ approach to security, such as users leaving their PCs on when they walk out of the room and not wearing ID badges (easier to notice when in the office but not so easy to ascertain when employees are working from home!). There may have been a series of minor incidents, such as clicking on phishing emails, that were then quickly reported. However, the organization knows it’s only a matter of time before there’s a serious catastrophe.
So how does the organization deal with it? They may inject more money and time into their education and awareness programs, train managers to be more vigilant as well as more supportive, and probably commission technology to try to control the behavior of employees and prevent further harm.
Scenario Three
Imagine a lady who has suffered with years of depression, which began after the birth of her first child, and left her 50kg overweight and too ashamed to leave the house except to go to the supermarket. She lives alone, and her parents try to help, but she doesn’t answer the phone and so far, unfortunately, has not undertaken any significant change of behavior.
That’s not to say that it isn’t entirely feasible for her to get the support she needs externally and take steps to improve her health, but the road is long and uphill. She would have to pay for a range of people to come in and coach her to eat well, exercise and maintain a healthy lifestyle. However, support is expensive. This is called ‘tertiary intervention,’ trying to improve a situation following a negative outcome.
In terms of cybersecurity, this can be a major catastrophe involving the loss of millions of pounds, and worse still, the loss of human life.
This is when all hands are on deck and organizations heavily invest in their infrastructure, technology and process, but still manage to forget about their people, even going as far as to call them ‘the weakest link’ or blaming the catastrophe on ‘human error,’ completely ignoring the context, historical events leading to the incident or the reasons why it may have happened.
Organizations are often quick to assign blame and separate themselves from the blamed individual so as to protect their own reputation. What they don’t realize is that they are only adding more fuel to the fire, and the vicious circle of firefighting and relying on tertiary interventions continues.
Wouldn’t it be better to understand the real cause? Or even better, wouldn’t it be ideal to prevent the destruction BEFORE it happens? Invest in your people, now, before it’s too late.
Read more at Infosecurity Magazine
Nadine Michaelides