Given the majority of all successful cyber attacks involve some form of human error, ITPS explores whether you can really scare people into better online security
Its often assumed you can change the way people behave using fear. The fear of making a mistake or creating the security issue within the business we try to relate this to something other than security. Think of the tumours depicted in anti-smoking ads. Or the car crashes that feature in campaigns against drink-driving. In the security realm, think of pictures of faceless cyber criminals in hoods, or tales of single clicks inverting peoples lives.
The tactic seems simple: say something scary, change how people behave. But does the tactic actually work? Can a big dose of fear really make people more vigilant in relation to security online?
What the experts say
In an effort to understand how fear impacts peoples online behaviours, ITPS recently consulted human cyber security experts CybSafe, whose multi-award- winning software is currently revolutionising the human aspect of cyber security.
The answer isnt black and white, CybSafe Head of Behaviour Science Dr. John Blythe initially said.
In a small number of cases, fear might change peoples behaviour. But in the overwhelming majority of cases, fear appeals are worse than useless.
When you share a scary message, Dr. John explains, the majority of people actively avoid it. Particularly vulnerable people are especially likely to bury their heads in the sand. That might seem counterintuitive at first. Why would vulnerable people ignore messages that could, when heeded, prevent a great deal of heartache?
It turns out theres a very good reason.
Why fear isnt as powerful as we think
Every day, the risk of catastrophe looms over all our lives. Its omnipresent and its never going away. We could ruminate on every impending catastrophe we face, explains Dr. John. Or we could decide not to worry too much until we absolutely must.
Constantly worrying is detrimental to our mental wellbeing (picture waking up every day in a pit of despair). So, to keep us functioning, humans are blessed with what psychologists call an optimism bias. We accept catastrophes happen. But we find it difficult to accept that we might experience a catastrophe first hand.
So when IT heads explain the horrifying consequences of cyber attacks, we pretty much just ignore them, CybSafe CEO Oz Alashe notes. We all already have a lot to do. And were going to get it all done before 5:30pm.
What works instead?
Fortunately, just as scientific research reveals what to avoid in security training, it also reveals what to do instead.
IT teams are better off empowering people, advises Dr. John. To change how people behave online, people must feel capable of preventing cyber attacks. And they must feel capable of preventing cyber attacks while getting their jobs done.
According to CybSafe, empowered people become a formidable cyber defence. And CybSafe would know: their platform continuously measures human cyber risk to ensure its in-built security interventions actually work.
We cant scare people into preventing cyber attacks, says Oz Alashe as a closing remark. That might be so but perhaps it doesnt matter. Through empowering messages, people can still become a cyber defence.
CybSafe is an official partner of ITPS. You can find out more about CybSafe and their next-generation security awareness software through an ITPS security event, or by contacting an ITPS expert at contact@itps.co.uk or calling 0191 442 83 00
