Cyberattacks mainly target individuals, not systems. The vast majority of cyberattacks can be traced back to human errors. When you think about cybersecurity for your company, it is important to consider your company's culture. Based on human psychology, the authors have developed six strategies for leaders to counter information security risks. It is a good idea to ask employees to show commitment by signing a formal agreement; this increases the likelihood that they will follow through. Employees will follow the example of senior leaders if those leaders set a good one. A third way to elicit reciprocity is to give employees something with no expectation of return. People will go to great lengths to obtain rare or scarce items. People are more likely to be influenced by those who are similar to them or whom they like. People are more likely to comply with requests made by an authority figure, so bosses who are seen as skilled are more likely to be listened to by their teams.
The FBI reports that cybercriminals stole $26 billion from October 2013 to July 2019. These scams used deceptive social engineering techniques to lure employees and others into disclosing their credentials, which then allowed the attackers to make unauthorized transfers. In 2017, MacEwan University was defrauded of $11.8 million by a cybercriminal who impersonated a MacEwan University staff member and asked for a change to one of its vendor's bank account information. Another report, which covered 31 countries accounting for 85% of global GDP, estimated that online scams would cost 36 billion dollars in 2019.
Security breaches can tarnish a company's reputation and productivity. It was embarrassing for the company when 130 high-profile Twitter accounts were hacked in 2020. This was due to a serious security flaw that was then exploited by a low-tech 17-year-old. The incident caused the stock price to plummet by $1.3 billion, even though the drop was temporary. It could have been worse: directors and senior managers can be held liable for security breaches.
These hacks are largely caused by flaws in individual behavior. Attackers exploit people's willingness to trust requests and to click on links or open attachments containing malware. In 99 percent of breaches, the human factor is considered the most dangerous attack target. Researchers used human psychology to penetrate 96% of security systems at 1,000 banks over a five-year period.
How can business leaders decrease this human-based liability? When it comes to protecting information and making investment decisions, leaders logically depend on their security department. This approach is too narrow. To create a security-aware community, everyone must be fully committed to doing more than the mandatory one-to-two-day training. Leaders can help their teams adopt certain attitudes and behaviors to create a security-aware culture.
Cialdini's research into the principles of influence revealed six principles that, when used, encourage people to follow a leader's example or comply with requests.
The six principles are, in brief:

1. Commitment and consistency: people behave as they did in the past. Future behavior mirrors past behavior, whether the earlier commitment was formal or informal.
2. Social proof: people are influenced largely by the behavior and opinions of the majority. When unsure how to think or act, they look to others for clues.
3. Reciprocity: one of the most effective ways to obtain a favor is to give something to another person with no obligation to return it.
4. Scarcity: people go to great lengths to obtain rare or hard-to-get items and will often make extra effort to find them.
5. Liking: people are more likely to be influenced by those who are similar to them or whom they like; birds of a feather flock together.
6. Authority: requests from someone in an authority role (or merely wearing the accoutrements of authority, such as a white coat, a badge, or business attire) are more likely to be granted.
We recommend six strategies based on Cialdini's principles to strengthen the human firewall against the deceitful techniques of criminals and to foster an organizational culture that is security-aware.
1. Ask employees to sign a Security Policy.
Signing a code of ethics is a sign of commitment. It encourages people to keep their word and helps them be more cognitively and behaviorally consistent with the code. These policies are written commitments stating that employees will treat sensitive corporate information (e.g. customer and contractual data) with confidentiality, act in the best interests of the organization whether online or offline, and immediately report any suspicious events to the appropriate internal point of contact. Employees agree not to reveal any sensitive corporate information outside the organization.
It is important to state clearly in the policy which information is considered sensitive and which is not. You can't ask employees to refrain from complaining about company cafeteria food on social media, but you can ask them not to disclose client lists.
Cisco, for example, requires employees to sign a code of conduct every year that reminds them how to protect intellectual property and confidential information assets. The company requires that employees not share confidential or proprietary information without a legitimate business need, and that they report any violations of this requirement. Employees may be discouraged from reporting suspicious activity if there is a culture of blame. It is nonetheless possible to make sure they are clear about the reasons for reporting and to ask them to sign a policy that outlines their responsibility to report any violations.
It is important that a commitment like this one be voluntary. If it is forced, the internal urge to honor it will be weaker. The act of signing creates consistency pressures both inside and outside the workplace, which increases the likelihood that employees will follow company standards. It is best for employees to sign the agreement in the presence of colleagues: once the commitment has been made public, employees feel obliged to adhere to it, lest they lose face before their respected colleagues.
2. Be an example.
People look around for clues about how to act and think in uncertain situations. On one hand this can be described as conformity, but it can also be seen as a way for people to arrive at a common understanding of correct or acceptable behavior. It helps reduce uncertainty, especially when the others are well respected.
Senior leaders should therefore lead by example and encourage best-practice behavior.
They should stress the importance of security behaviors such as not leaving one's computer unlocked, not opening company doors to anyone without verifying their legitimacy, and not exposing company documents (digital or physical) in public places. Leaders should also give contrasting examples of security violations in which they themselves were negligent or had careless behavior reported. This will reduce the feeling of invulnerability among employees.
3. Elicit reciprocity.
Reciprocity is the social norm that says that if someone gives something to us, we are obliged to return it. This urge is strong even if the original gift was not requested, and even if what is returned is much more valuable than the original gift. Reciprocity is powerful because the return favor is often not conscious.
Senior leaders should know this powerful influence technique so that they can use it to build a culture of security awareness within the company. One way to start encouraging reciprocity is to give employees encrypted flash drives and digital photo frames that display security reminders.
4. Use scarcity to your advantage.
Rare, hard-to-get, or expensive objects are more appealing to people. Senior leaders can use this psychological tendency by promoting the organization's rare and exemplary security accreditations (e.g. ISO 27001), which could be jeopardized by a security breach.
Senior leaders can increase employees' commitment to a secure culture by communicating clearly to the workforce that the organization's security culture makes it an attractive place to work. Senior leaders should also encourage the establishment of a classification system that distinguishes sensitive from innocuous information. Employees will then develop a sense of which information is important and be able to protect it.
5. Follow the example of those who lead.
Security professionals stress the importance of empathy in interpersonal situations. People are most influenced by those they like and identify with. Leaders can build trust and rapport with their workforce by showing humility and empathy. Leaders who show vulnerability will likely receive sympathy and empathy in return, which in turn encourages compliance with senior leaders' directives on ideal security behavior. Leaders can share their experiences and tell stories about how they have learned from their own security mistakes. This makes them more approachable and easier to identify with.
6.
Organizations often require their employees to complete annual training in digital security. Employees may click through the content without connecting it to their everyday lives. Employees respond more positively when senior leaders themselves instruct them to adhere to corporate information security. There is a catch: leaders must be trusted sources, not just the boss. This is the difference between being in authority (telling workers what to do) and being an authority (being seen as knowledgeable about the subject). Combining both is more effective.
To effectively implement their directives, senior leaders must demonstrate knowledge and expertise in information security issues. This can be achieved by maintaining a strong relationship with the information security team and keeping the workforce updated about security developments. A good place to start is to subscribe to newsletters such as those from SANS. This might seem contrary to the previous recommendation (Be like those who lead), but leaders can be authoritative while remaining humble and compassionate.
Social engineers and scammers often use these same influence tactics to deceive employees, threatening the reputation and value of your company. These six suggestions are a cost-effective and practical way for leaders to combat information security risks using proven principles of human psychology.