How Organizations Can Leverage Human Nature to Instill Security Culture

The one thing that organizations cannot do without is people. But organizations all too often forget that we’re more than just a workforce; we’re an active part of the organization’s cybersecurity arsenal. Managing people can be tricky. Human behavior is not software that can simply be configured or programmed. While human emotions make us unique and intelligent beings, emotions can also cause misjudgments, making us vulnerable to cyber threats.

Hackers, fraudsters and cybercriminals have a keen understanding and awareness of our inherent flaws and weaknesses, which is why they regularly abuse and target human emotions. But by building a pervasive security culture, organizations can turn human nature into an advantage.

How bad actors take advantage of employee emotions

It’s completely natural to be triggered by emotions such as fear, anxiety, greed and lust. We also trust easily. We are predictable. We have mental biases, beliefs and feelings that often affect our judgment and decision-making. This is why an overwhelming majority of breaches (74%) start with humans.

Cybercriminals are known to social engineer behavior by manipulating emotions: Between 80% and 95% of all cyberattacks begin with phishing .

The latest FBI internet crime report notes that most incidents and cybercrime losses can be attributed to other social engineering schemes like phishing, business email compromise (BEC), investment scams, romance scams, call center fraud and impersonations.  

The role of security culture in managing human emotions

As technological defenses mature, it’s likely that attackers will double down on social engineering to circumvent or compromise advanced cybersecurity systems. The only solution to this growing problem is improving security awareness in employees so they can make smarter security decisions.

However, most organizations don’t realize that knowledge is just one part of the equation and information alone won’t always lead to secure behavior.

For instance, we all know that speeding is against the law, but we’re all guilty of exceeding the speed limit from time to time. Similarly, organizations spend a lot of money training people. Despite these efforts, organizations continue to get hacked because the fact is, even though people receive training, they seldom have the motivation or intent to behave securely (also referred to as the knowledge-intention-behavior gap). So how can organizations sculpt and leverage employee behavior? The answer to this lies deeper in the concept of security culture.

Security culture is the ideas, customs and social behaviors of a group that influence the security of an organization. Think of culture in this way: You see a hallway in your office, there’s trash on the floor. There’s nobody around, no cameras or colleagues. If you pick up the trash and throw it in the bin without anyone seeing or thanking you, then basically that’s your culture at work. The same concept applies for security. The idea is to develop the right attitudes and value system so that people act securely without anyone telling them. 

Building an organizational culture that values security

Even if organizations do not invest in cultivating a culture, it always exists in some form. If culture is not controlled, it could manifest into something that the organization does not want or need. This is why it’s important to track and foster security culture. Here are some best practices to keep in mind:

Assess your cultural baseline

If you don’t know where you are, then it’s hard to know where you’re going. Organizations can improve security culture by conducting surveys (computer-based surveys that help understand the values, attitudes and beliefs in the organization); culture maturity indicators (i.e., training frequency, average attendance, click-through rates in phishing simulations, frequency of security incidents being reported); face-to-face interviews as well as data collected from security controls, such as endpoint protection platforms, user and entity behavior analytics and data leakage prevention. Once a baseline is determined, chart out a plan, keeping desired metrics and goals in mind.

Engage leadership

Leaders don’t just control budgets; they’re also in a position of power and influence. This is critical. Culture is top-down — and it’s contagious. What’s more, employees need to understand why you’re doing this, what is expected of them and the value to the business. Not only is it important to track culture from a maturity perspective, but it’s also necessary to measure and report it in terms of return on security investments, such as reduction in security incidents over time, reduction in downtime, improvement in scale and performance.

Use positive reinforcement

You can’t force security onto someone. You must be empathetic in your approach when training people, keeping their feedback, requirements and current level of security maturity in mind. Positivity and encouragement work. If people are rewarded, it improves the likelihood of them repeating the desired behaviors. If you punish people, you risk losing their loyalty and focus. Studies show that continuous reinforcement leads to behavior change. Therefore, organizations must run regular phishing simulations and bite-sized training sessions at regular intervals so that employees are constantly reminded of their own responsibility and accountability toward security.

Security culture is an evolution, a journey — not a destination. It takes a great deal of effort, and it needs collaboration from leaders and employees. A positive security culture is the only way to offset opportunistic cybercriminals from exploiting employee emotions for their misdeeds.