The discourse from sellers and resellers, and ‘experts’ on awareness, how to do it well and how to balls it up, insider threat, whether we should care or not, and, the new buzz term ‘human risk’, becomes increasingly tiresome and misses the point.
In a ‘market for lemons’ I talk about how buyers can’t distinguish between good solutions and bad solutions and hence purchase the cheapest, thereby creating a market of lemons and not peaches and stunting progress in a critical domain like cybersecurity. This I understand. We can’t all be experts in everything and understand what is put in front of us and whether it is a good investment or a bad one. In these situations, we will often over-rely on recommendations, influencers, and trends, only to discover further down the road that there was actually a newly engineered motor car, when all you purchased was a faster horse.
However, there is some simple logic that goes amiss in the purchase of technical solutions or the creation of a cybersecurity strategy…what if people don’t want to play ball? What if they have all the knowledge they need but there are other barriers in place that prevent the evolution of a conducive cybersecurity culture or positive security behaviour? I myself use the term ‘culture’ with hesitance, as culture can mean something very different to different people, depending on their nationality, background, and personality, as well as other factors that may influence attitudes and behaviour, such as mergers and acquisitions, economic downturns, pandemics, and organisational factors such as internal culture, communications, relationships with managers, promotion opportunities, etc.
These are the fifty shades of grey that exist between awareness and insider threat. Rather than focusing on shoving awareness materials down their throats, which are for the most part irrelevant, generic, and don’t resonate with the hearts and minds of individual employees, how do we inform and involve them with security and bring them on the journey with us? The system currently relies on volunteers to participate in champion and ambassador programmes, with no evaluation to understand whether these individuals possess the security values that make them superb security torch bearers. Worse still, they are incentivised through extrinsic motivation methods, which only work in the short term to engage people with security.
To develop a hospitable and productive security environment where employees are engaged with security, we need them to be intrinsically motivated towards security (Lee, Lallie & Michaelides, 2022), so why do we focus so much on knowledge when it is a tiny star in a massive gaping black hole?
Am I talking a different language here? Stop throwing your money away on tick-box solutions that serve only to inform employees of the cybersecurity threats and how to prevent them, and start paying attention to the tangible, organisational, and psychological factors that have a massive influence on your employees and on whether they have the capacity or motivation for security.
Start listening, now…or it will be too late.
#cybersecurity #insiderthreat #awareness #projectathena #securityengagement #psycsec