Organizations spend an incredible amount of money every year on cybersecurity. Considering the increasing threat landscape and the rising cost of security breaches, it makes sense. What remains frustrating to many cybersecurity professionals, however, is that all the advanced security controls in the world can be negated by one curious employee who bites on a phishing email or makes a risky cybersecurity decision without involving the security team.
Admittedly, securing this “human firewall” is a difficult task. Currently, many organizations implement cybersecurity awareness training to prevent employees from inadvertently granting malicious attackers access to sensitive data. But this training hasn’t evolved, and, unfortunately, it is often just plain boring. By leveraging behavioral psychology to provide insight into your employees’ relationships with risk, cybersecurity awareness education can be made more effective and fun.
Leveraging Behavioral Psychology for Insight into Your Employees’ Relationships with Risk
Previously, we looked at Risk-Takers and Risk-Breakers. While these risk profiles differ in their tolerance for risk, they both tend to operate within whatever rules have been set forth for them. If told outright not to do something, these two risk profiles are not likely to do it. Not everyone, however, is so keen on staying within boundaries.
Maybe you’re the type to question rules, not necessarily because you disrespect authority but because you’re curious what could be accomplished if you stepped a little outside the lines. Presented with a mysterious big red button and told not to push it, you can’t help but wonder what it does, but you are only willing to find out if the risk is low or no one will find out. If this sounds like you, you might be what we call a Risk-Shaker: curious and self-directed.
Cybersecurity for Your Personal Risk Profile
Learning about your personal risk profile can be insightful and fun, but its true benefit is opening the door to more personal and impactful education. With your risk profile in hand, education can be specialized to accommodate you, instead of a one-size-fits-all solution. More engaging cybersecurity educational content leads to more cyber-aware employees, and more cyber-aware employees lead to lower cybersecurity risk for your enterprise.
ISG and cyberconIQ are partnering to offer an innovative, style-aligned education so we can all play a stronger, more mindful role in cybersecurity. Contact ISG for more information on how cybersecurity education that targets specific risk profiles can benefit your organization.
About the authors
Doug Glair is a Director in ISG’s cybersecurity practice. Doug is a cybersecurity and supply chain leader with a remarkable background leading, designing, and operating large enterprise-wide cybersecurity and supply chain programs. He is an exceptional relationship builder and collaborator with a proven ability to deliver improvements in cybersecurity risk posture using established standards, industry-leading practices and ROI-driven controls.
Dalton Cravens is an Analyst at ISG.