“Never work with children or animals” is how the famous showbusiness adage goes, and if you looked on LinkedIn on any given week, you would see plenty of cyber security professionals who would add “end users” to that list.
So, it was with some trepidation that I took on the task of creating a global cyber security awareness programme for all the employees of a company. Starting with a phishing simulation to baseline the current awareness, the results were dire. I was starting to think all those people on LinkedIn were right.
In the hope of better results, I created what I thought was the most obvious phishing simulation there had ever been. It involved a fictitious banker for a central bank that does not exist, wanting to transfer a large amount of cash, and in return you would be generously rewarded in used 50-dollar bills. The email was littered with spelling and grammatical mistakes, and everything else I could think of to make it obvious.
A week later the results were in, and it was not good news. It was time for Plan C – it was time to dig deep into the data. So, with a large mug of coffee, I got to work, and I drew some interesting conclusions:
- Culture has a role to play even in cyber security awareness – much of the messaging and phishing simulations did not travel well, whether within Europe or beyond.
- Seniority showed that consistently the worse offenders were the most senior and the most junior employees – the first because they claim to be too busy and the latter because they are used to just clicking on things, installing apps, etc.
That said, the most interesting and surprising culprits to me were those who were either cyber security professionals or those who thought they were cyber security experts! It was this group of people that, by size of population, were the worst offenders – from people trying to investigate an email on networked devices to others sharing the email with everyone they knew to say they had found it. Yes, they had spotted that it was a phishing email, but their actions actually increased the proliferation of that email and, had it been real, increased the risk to the company.
Beyond this, though, the key learning was that allowing for diversity and inclusion is as important in a cyber security awareness programme as it is in advertising or other forms of communication. To give some examples, a message that might strike home in the UK, for example, might not work in the same way in France or India or Australia. For a company working across multiple cultural and geographic boundaries, it is critical to consider a regionalised messaging programme. The underlying cyber security principles remain the same, but the messaging needs to be localised for maximum benefit.
Inclusion also plays a part. An example could be neurocognitive inclusion. If you think that, on average, 20% of the population is dyslexic, and that is only one example of neurodiversity, then my email purposefully littered with spelling and grammatical errors may not have been as obvious to them as I had intended. Equally, the same could apply to anyone whose first language is not English.
Let’s circle back to the beginning: should users be considered part of that adage? What I have learned this year is that “no”, they should not. The reality is, the way we – the cyber security community – have been teaching people about cyber security awareness was and still is failing to get the message across. We need to learn from the world of marketing that we need to consider psychology as part of these programmes, while also accounting for a diverse workforce.
Chris Cooper, CEng FBCS CITP FCIIS CISM, is a cyber security strategy and CISO advisor, and a member of ISACA’s Emerging Trends Working Group.
