From awareness to behaviour change: The micro-foundations of cybersecurity culture

Many government and private sector leaders are moving toward a risk-based approach to cybersecurity. This shift recognises that the capacity and capability to address all cyber risks equally is impossible in today’s all-encompassing digital environment. However, while people, culture, and behaviour remain the core risks in cyber security assessments and post-incident analyses, these areas still need to be better understood and treated. 

Verizon’s 2023 Data Breach Investigations Report tells us that “74% of all breaches include the human element”. This is down from 82% in 2022, a decline more likely due to chance than to good management. The concern is that while it is often stated that people play a large part in cyber incidents and breaches, the remedies are often ‘more training’ or ‘more compliance’ or ‘more communication’. We need a better-quality response.

We live in a house technology-built

We treat the challenges cyber presents to the stability of our business operations as a new and unique problem. It’s not. The social dynamics of technology are well understood. For example, in Plato’s Phaedrus, Socrates tells of King Thamus and his concerns about the consequences of introducing letters and writing to the general population. Like our digital technologies, these innovations promised to enable greater wisdom.

In periods of rapid technological innovation, organisational maturity lags. The gap between new technology and the maturity to use it effectively is a capability gap. The more quickly leaders can close the gap or the organisation can absorb and integrate the technology, the more capable the organisation becomes. 

However, our organisations are not empty vessels. People evaluate each new technology against prior experience. They compare it with something familiar and judge it. They apply it as a tool that suits them rather than as the tool might have been intended. They reconcile the technology with the prevailing policy, procedures, and, importantly, the culture of the organisation and the workplace.

To successfully introduce new technology, there is a need to build bridges between existing social and workplace practices and technology. Our notions of ‘disruptive innovation’ and the internal and external urging to transform rapidly are optimistic about how organisations adapt to change. History clearly shows how vigorously culture fights back! This is where the challenge begins for cybersecurity.

Five propositions about people and cybersecurity

It is easy to be overwhelmed by the human side of cybersecurity. This is partly because it is not about cybersecurity but organisational culture, leadership, and design. The following propositions are posed in a way that can be used at different levels of leadership. Specific actions can be taken in relation to each proposition, but the most effective response will be to address them through integrated strategy and action planning. Together, they form the micro-foundations for a positive cybersecurity culture. 

1. People play a large role in cybersecurity incidents and breaches. 

This needs to be accepted. People will remain central to work and organisation. However, there is a need for a layered approach to developing a positive cybersecurity culture in which governance, leadership behaviour, individual behaviour, and team culture are mutually reinforcing. Additionally, a stronger orientation in cybersecurity policy toward shaping and measuring the cultural and behavioural drivers of a positive cybersecurity risk culture would also be beneficial. The objective is to work with people as part of cybersecurity risk rather than discounting people or placing the workforce outside the problem.

2. The risk human behaviour poses to cybersecurity is persistently high. 

On the one hand, there is a tendency to say that a successful cybersecurity response depends on trust and, on the other, to design people and behaviour out of the cyber risk response. People will continue not to listen, make mistakes, get bored, think they know better, and click on links they shouldn’t. The more interesting question is, ‘Why do they do this?’ Despite clear policy, more training, persistent communications, and incentives to comply, why do people continue to present as a substantial risk in incidents and breaches? Maybe the problem is not the people.

Suppose we start from the premise that most people are good and want to do the right thing. In that case, our approach to reducing cybersecurity risk should spend less time questioning individual behaviours and more time understanding the leadership and organisational context that leads good people to engage in behaviours inconsistent with reducing cybersecurity risks. Our risk assessment may be focused at the wrong level of scale.

3. Whatever we are currently doing to mitigate the cybersecurity risk of human behaviour is not working.

To continue walking past the persistent fact that people play a part in a substantial proportion of breaches and incidents is self-defeating. There is a need to think differently about the issues and opportunities. This could start by changing the cybersecurity narrative. Our organisational cultures are cultivated through the daily micro-stories we hear and tell. These stories show us what good and not-so-good behaviour is. The most powerful cultural influences on workplace behaviour are local. It is the conversations we have with our peers and colleagues that shape our behaviour.

Our cybersecurity stories are often grounded in compliance, laced with fear, and bound in jargon. And, for the security professionals in our organisations, these stories are in the news everywhere, all the time. An integrated approach that improves the overall coherence of cybersecurity messaging can provide a framework into which internal and external micro-stories can be easily accommodated in ways that reduce risk.

4. The problem of human behaviour in cybersecurity is multi-sided. 

To reduce risk, cybersecurity professionals depend on the quality of their relationships with other organisational functions, particularly IT, HR, Finance and Communications. 

Cybersecurity professionals operate in a ‘marketplace’ of relationships where interdependent risks are traded and managed. Daily performance depends on effectively navigating the interests of permanent employees, contract employees, contractors, third-party providers, line managers, stakeholder organisations, competitors, and the community. A thousand everyday decisions about these relationships aggregate to define how cybersecurity risk is mitigated.

The job of cybersecurity professionals is to manage and coordinate relationships to achieve a collective outcome. So, effective cybersecurity is as much about negotiating with other parties and functions to improve cybersecurity performance as it is about deploying resources to reduce risk.

This approach could lead to a different understanding of cybersecurity risk and performance and a different set of success measures.

5. There is a need for a comprehensive model of human behaviour in cybersecurity that can support a multi-dimensional approach that shifts from seeing people as ‘the problem’ in cybersecurity to seeing ‘people as the solution’.

Organisations and workplaces are going through a profound change that has implications for cybersecurity risk. For example, reduced staffing leading to increased time pressure and burnout increases the risk of error and heightens cybersecurity risk. Similarly, the rise of ‘quiet quitting’ can lead to a surge in employee cynicism, reduced commitment, and increased disengagement. This can also heighten the cybersecurity risk through both unintentional and deliberate actions.  

Human behaviour in cybersecurity is complicated but not impossible

Our response to reducing risk should not be isolated from the ongoing pressures of organisational change or the persistent characteristics of human behaviour. 

There is a need for an approach that better meshes people’s experiences of work with the micro-stories that are the local foundation of a positive cybersecurity culture, with the underlying motives and motivations that drive and shape human behaviour, and with the day-to-day mental models and decision biases that contribute directly to human behaviour in the workplace. 

Ultimately, reducing cybersecurity risk involves embracing the desired, foreseen, and unforeseen consequences, both positive and negative, of bringing people and technology together in the workplace.

Bringing digital technologies into the workplace is more than just the existing people plus the new technology. It is a new system with an altogether different capability and different behaviours. This is why the cybersecurity challenge is dynamic, and people will always be at the heart of reducing cybersecurity risk.
