Three ways to change employees' attitudes towards cybersecurity


Three myths dispelled.

Security is not predominantly a technical or business problem but a behavioural one. Leaders need to change the way their employees think about cybersecurity to help reduce risk in the organisation.


Mary Mesaglio, distinguished VP at Gartner's CEO and Digital Futures group, spoke to attendees at the Gartner Security and Risk Summit in Sydney about three ways technology leaders can make their employees more attuned to cyber risks in the business.

Mesaglio said one myth leaders hold about cybersecurity is that if they show employees how important being cyber secure is, employees will take ownership.

She said that humans prefer immediate gratification to delayed gratification.

“The problem there is delayed gratification. So human beings are not bad at change, they're actually not going to change,” she explained.

To rectify this, Mesaglio said organisations should make cybersecurity everyone's responsibility, not just the CISO's.

She said being more secure also needs to carry some immediate gratification.

“You absolutely need to make this easier for people and you need to make it more appetizing. If you really want to change behaviour, you need to give people a reason, there has to be some kind of meaning behind all of it,” she explained.

“Explaining rational arguments for why people should change behaviour will not yield the behavioural change you're looking for, you have to make the message meaningful and emotional in order for people to start to care.”

Reporting incidents

Security leaders need to understand that most of the time when an incident happens, their employees will not report it, Mesaglio explained.

A Gartner report showed that 35 percent of employees wouldn't let IT know they had opened a phishing email for fear of being disciplined, and 33 percent feared being shamed by the company over the same incident.

She said feeling exposed or vulnerable has a paralysing effect on humans, and leaders need to help users overcome that effect.

To counteract that, Mesaglio said reporting an incident, such as clicking on a phishing link or sending sensitive information over an unsecured network, should be made to feel like the less risky option compared with staying silent.

“It is our job to make it feel like the least risky option is for someone to report something, to get over that shame and to not be fearful of it,” she explained.

“You have to make it feel like it's the least risky option. Model the behaviour you want and say, we're all going to become victims of phishing attacks.”

“Making it seem less foreign, less risky, less shameful is a good idea,” she added.

Changing security awareness

Security leaders need to understand that traditional security awareness training doesn’t work, Mesaglio explained.

Gartner research showed that 93 percent of employees acknowledged they knew that sharing passwords and sending sensitive information over an unsecured network would increase the risk to the organisation, so the problem is not a lack of awareness.

She said, “Traditional security awareness programs don't work. They don't work because they're focused on awareness.

“We need to be focused on behavioural change. If you want people to behave in a security-conscious way, you need to make it easy, you need to remove the friction between them and do the right thing.”

So to get employees to behave in a risk-averse way, Mesaglio said leaders should make secure behaviour feel like “cognitive ease”.

She added, “That is the way to get to behavioural change, not making them aware, not telling them it's important, people don't change because things are important, they change because they’re easy.”

© Digital Nation