In our latest From the Archives piece, cyber security expert Chris Rivinus looks at how we can take a behavioural and cultural approach to mitigating against cyber risk.
There’s an old saying in sales, people don’t care how much you know until they know how much you care. But care about what exactly? We’ve all had the experience of listening to a well-polished sales pitch by an earnest individual who clearly cares about their product or service – but we’ve been turned off or felt it was a waste of time. A truly compelling sales pitch, one that actually stimulates you to spend or to dedicate time and resources, is one that convinces you that the sales person and their team cares about the same things that you consider a priority.
Organisational governance only goes so deep
Sales and marketing professionals appreciate the disciplines of sociology, psychology and anthropology and their contribution to our understanding of what drives our decisions at a subconscious level. Our social context and national cultures underpin deep seated feelings that dictate much of our sense of right and wrong and our sense of priorities. And those sensibilities tend to be quite different depending on the communities in which you were raised. The foundational elements of any individual’s inherent values and priorities are cemented well before adulthood. The major influencing elements for shaping those foundations are usually associated with community. It’s far more difficult to influence a person’s intrinsic sense of right and wrong by mere organisational governance if elements of that governance conflict with the basic cultural values instilled in staff during their childhood.
That’s not to say that organisational governance isn’t valuable. To the contrary: it’s critical. It tells people what the organisation thinks is right and wrong and what the organisation’s sensibility is around how things should and shouldn’t be done in the office. But effective cyber security isn’t only about behaviour in the office any more. In our always-on, everything-connected world, what you do at home and online in your personal time, dramatically impacts the susceptibility of your organisation.
The challenge for operational risk managers in an always-on world
And this leaves those who oversee cyber security leadership in a bind. How do you create a culture of information security amongst your staff that not only influences behaviour in the office, but everywhere else too? I think most people would agree that extending the scope and detail of organisational governance to dictate behaviour twenty-four seven, 365 days a year, for all of their employees everywhere, is not reasonable, nor would it be received favourably if it was even legal.
The first step is understanding the cultural biases of those who are trying to create and promote governance and how they might differ from the biases of the target groups for those behaviour changes. Cyber security teams not only have to show their audience that they care, they have to show that they care about the same things. If your cyber security teams are simply writing awareness and compliance programme content that they think is compelling to them, they are not only missing an opportunity to maximise the impact of any behaviour change request, but they may actively be turning people off compliance.
I recently conducted an online survey which received 85 responses from British nationals who identified themselves as being in one of three categories:
The survey questions were taken from the work of Dr Geert Hofstede who has spent his professional career studying the differences between national cultures and has authored several books on organisational culture.
Analysis of the survey yields relative scores across six dimensions of culture, each of which indicates a particular set of foundational values and life priorities. The results of the study showed a clear and predictable difference in the underlying values held by the three different professional demographics. For instance, information security/cyber security professionals scored higher on the Power Distance Index dimension (or PDI, which measures the extent to which the less powerful members of organisations and institutions accept and expect that power is distributed unequally) than IT professionals and much higher than non-IT professionals (see fig.1 on PDF).
Higher scores on this dimension speaks to a natural prioritisation of the value for hierarchy, authority and governance more generally. Lower scores speak to a focus on a prioritisation for horizontal collaboration and equality of rights. For anyone who has been in IT for any amount of time, this isn’t really new information. We see this pattern played out time and again in project meetings, requirements gathering sessions and even in security awareness programmes. InfoSec team members champion the merits of control, defence and assurance, whilst the non-IT professionals will not prioritise these elements as highly, inherently more likely to favour openness, knowledge sharing and equality of access. What is important for information security professionals to realise is that resistance to their policies and behavioural compliance efforts isn’t about lazy or deviant behaviour; it’s often about principled resistance along these lines and that resistance may very well not be conscious. It may manifest in an underlying emotion that what is being presented or proposed just “feels wrong.”
Similarly, InfoSec professionals scored higher on the dimension of assertiveness (AST). Higher scores here indicate a focus on results and evidence-based logic as the justification for action, authority or change of behaviour. By contrast, lower scores in this dimension are more likely to indicate there is more value in collaboration and equality of rights.
For anyone who has been in IT for any amount of time, this isn’t really new information. We see this pattern played out time and again in project meetings, requirements gathering sessions and even in security awareness programmes. InfoSec team members champion the merits of control, defence and assurance, whilst the non-IT professionals will not prioritise these elements as highly, inherently more likely to favour openness, knowledge sharing and equality of access. What is important for information security professionals to realise is that resistance to their policies and behavioural compliance efforts isn’t about lazy or deviant behaviour; it’s often about principled resistance along these lines and that resistance may very well not be conscious. It may manifest in an underlying emotion that what is being presented or proposed just “feels wrong.” Similarly, InfoSec professionals scored higher on the dimension of assertiveness (AST). Higher scores here indicate a focus on results and evidence-based logic as the justification for action, authority or change of behaviour. By contrast, lower scores in this dimension are more likely to indicate there is more value in collaboration and experimentation, even if it leads to failure.
My survey results indicate that non-IT professionals are more likely to value the right process being in place over the results that process ultimately produces. Another notable difference is the scoring around the uncertainty avoidance index (UAI) dimension. It’s important to understand this isn’t the same as risk avoidance. Higher scores on this dimension indicate an underlying desire for certainty of a result over avoiding a poor result. (An example would be someone who would rather start a fight than wait around to see if the other party will swing first or not...think Russia.) The scoring in my survey indicates that information security professionals are by and large more comfortable contemplating and preparing for an uncertain future. The fairly large differences in scoring between information security professionals and non-IT professionals may be why warnings of possible attacks are less compelling when intending to use these scenarios to move people to change their behaviour today.
More compelling would probably be real examples of poor compliance leading to actual breach, in familiar surroundings or local circumstances.
Coaching cyber security teams on their messaging
The first thing that information security teams need to do is let go of the idea that they need to win the argument. By and large, people are not going to suddenly align their behaviour to cyber security best practices after being shown yet another graph representing another set of statistics or telling the story of yet another breach. There are simply other value systems at play, driving people to care about different priorities. The next generation of cyber security awareness content will ask: What does my audience care about first and foremost? What are the values driving their priorities? How do I shape my message to appeal to those?
Cyber security professionals are the good guys, working very hard to keep us safe online. And the world is becoming a difficult place in which to feel safe. Anything that will help dress up their messages, help the behaviour changes they advocate stick and anything that will help turn their reputation around from being the team that says “No” to the team that can help your organisation navigate the choppy seas of the information age, is a good thing. The less susceptible your company is to material loss from a breach, the smaller the pie is for hackers and the less likely it will be attractive as a target. That makes the success of your cyber security team not just good for the firm, but good for everybody. The key step is to evaluate the cultural trends and triggers at play in your organisation and help the cyber security team adjust their message and delivery of that message accordingly. This is especially critical if you have a workforce which takes work devices home and is allowed to engage in even limited personal activities, such as surfing the web, or checking personal email, on that device. Once in their home environment, treatment of that corporate device and related data is much more likely to be dictated by cultural values imprinted on them long ago and even less so by any corporate governance they are asked to abide by from nine to five.
To get better results, you have to take different steps
There are a lot of options out there to help both analyse the underlying cultural values of your intended audiences and shape your content to appeal to those value systems. Dr Hofstede’s work has given rise to a number of certification programmes that produce professionals trained to evaluate your corporate culture. Further, the marketing and advertising industry has made a science of outreach and influence. I have seen examples of cyber security awareness programmes rooted in principles from both of these arenas achieve dramatic success over the standard PowerPoint-driven road show featuring the latest bad headlines of cyber breaches in the news and pictures of dark figures in hooded sweatshirts hunched over a keyboard. It can take some effort to find the right fit for your organisation, depending on the maturity of your existing cyber security programme. But making that effort is important, not just for your organisation, but for the good guys in general. Improving the effectiveness of your information security awareness means your company will be safer, my company will be safer, you as a consumer will be safer - and so will I.