Transformation is not education or training: Cultural cyber security
Updated: Jan 21, 2018
October 12, 2017 | Dr James Carlopio
Transformation is an often mis-used and over-used term. Transformation is a deep psychological intervention affecting peoples’ values, attitudes and beliefs. A caterpillar is irrevocably and unrecognisably transformed into a butterfly. When something becomes personal, relevant and important, to a human their views of it fundamentally transform. Education and training provide information about a topic. The information and knowledge gained helps us to do something we were previously unable to do, but it does not intervene deeply nor fundamentally change our values, attitudes and beliefs.
Transformation happens when people realise that something is personal, relevant and important to them. For example, when people have an ordinary untransformed view of safety, they think safety policies and safety gloves and eye-protection is an inconvenience and a pain. A permit and job plan is not necessary for them because they know what they are doing. “I have been a carpenter for 20 years. I know how to use a hammer and a saw. I am a professional. Don’t you think I know what I am doing?” People think they are safe because they have not been seriously hurt and it won’t happen to them. Yes, of course, they know serious accidents and near-misses happen, but they happened to others.
Untransformed people think they know what they are doing and know how to do it safely without all this nonsense! Safety professionals and managers trying to impose policies and procedures on them are thought of as meddlesome, micro-managers, who are trying to tell them how to do a job they know well and have done a-thousand times.
Once transformed, however, their thinking is different. Once people have internalised the relevance and importance of safety to the point where they choose it, it becomes a part of who they are affecting their values, attitudes, beliefs and ultimately their behaviour. They may have seen how other skilled-trades people have been hurt, not because they were incompetent, but because accidents happen and people become complacent. The holes in the swiss-cheese all line up (to use a phrase from the safety industry) and something gets through our guard. Once transformed, people understand it is not a matter of experience. Experienced people get hurt and killed as well as novices. Once safety has become personal, relevant and important people remember they want to go home safely and they start proactively looking after themselves, their mates and their families. We know they have transformed their thinking because they wear safety boots, not flip-flops, when mowing the lawn at home because they choose safety. Of course, if someone is seriously injured it transforms their values, attitudes and beliefs. By then, it is too late for prevention. Our job is to cause the transformation before it is too late.
Similarly, when people first confront cyber security, their thinking is un-transformed. Yes, cyber breaches and identity theft, phishing scams and ransomware happen, but they happen to others. Cyber security is not yet personal, relevant nor important to them. They view security policies and procedures, along with passwords, as a pain and an inconvenience. “I have been using a computer for 10 years. Don’t you think I know what I am doing?” Professionals and managers trying to impose security policies and procedures on them are thought of as meddlesome, micro-managers, who are trying to tell them how to do their jobs – sound familiar?
Once transformed, however, our thinking about cyber security different. Once transformed, people have internalised the need for cyber security to the point where they choose it because it is now part of who they are. Once transformed, cyber security, constant vigilance and high-performance are fundamental parts of their values, attitudes and beliefs. They know cybercrimes happen, not because victims are incompetent, but because cybercrimes happen and people become complacent. The holes in the swiss-cheese all line up and something gets through our guard. One transformed, people understand it is not about experience or time on the job. Once cyber security becomes personal, relevant and important people think and behave differently. They are aware they want to protect their children, their families and friends, their co-workers and the reputations of their companies. We know they have transformed their thinking because they are safe-cyber at home because they choose it. Of course, if someone is scammed it transforms their values, attitudes and beliefs. By then, it is too late for prevention. Our job is to cause the transformation before it is too late.