User education is not the solution to cybercrime … cultural transformation is!
Updated: Jan 21, 2018
October 17, 17 | Dr James Carlopio
A recent study suggesting that money spent on cybersecurity education was wasted, as user-introduced threats continue to rise, is a long time coming. Of course education does not improve security. Why would anyone think that it would? That is like closing the barn door after the horses have bolted. How could educating people about cyber-threats and the viruses that have already happened, as well as the social engineering scams we know of, be expected to help stop them from falling for the next one? There will always be someone who forgets to update their software or forgets to install appropriate patches, or thinks their grandchild really needs help, or that the CEO really wants them to send money to HK. Think of the safety analogy. How in the world do we think that educating people about all the injuries that happened over the last year is going to keep the next accident from happening? Education in this case is reactive and too late.
Similarly, there is never going to be a technical solution that makes us 100% secure. Whatever we try, it will be a red flag to a bull. Hackers will find a way in, over, around or through it. They will eventually out-innovate us every time, because given sufficient time, money, energy and resources, any technical solution that was created by a human can be hacked by another human. There never was a castle wall, no matter how big, strong or thick, that could not be chipped away or undermined.
The one and only thing that we can do is to focus on culture. As with safety, we can never achieve zero harm or total security, but we strive for it. When we strive for it, we drastically reduce our near misses, our LTIs (lost time injuries), our accidents and fatalities. Similarly, in cyber security we can never be 100% secure, but we can strive for it. When we focus on developing a high performance cyber security culture, we will similarly reduce near misses, LTBs (lost time breaches), intrusions and fatal breaches.
How do we transform our culture? Transformation is a deep psychological intervention affecting people’s values, attitudes and beliefs. A caterpillar is irrevocably and unrecognisably transformed into a butterfly. When something becomes personal, relevant and important to a human, their view of it unrecognisably transforms. Education and training provide information about a topic. The information and knowledge gained help us to do something we were previously unable to do, but they do not intervene deeply nor fundamentally change our values, attitudes and beliefs.
Transformation happens when people realise that something is personal, relevant and important to them. For example, when people have an ordinary, untransformed view of safety, they think safety policies, safety gloves and eye-protection are an inconvenience and a pain. A permit and job plan is not necessary for them because they know what they are doing. “I have been a carpenter for 20 years. I know how to use a hammer and a saw. I am a professional. Don’t you think I know what I am doing?” People think they are safe because they have not been seriously hurt, and it won’t happen to them. Yes, of course, they know serious accidents and near-misses happen, but they happen to others. Untransformed people think they know what they are doing and know how to do it safely without all this nonsense! Safety professionals and managers trying to impose policies and procedures on them are thought of as meddlesome micro-managers who are trying to tell them how to do a job they know well and have done a thousand times.
Once transformed, however, their thinking is different. Once people have internalised the relevance and importance of safety to the point where they choose it, it becomes a part of who they are, affecting their values, attitudes, beliefs and ultimately their behaviour. They may have seen how other skilled-trades people have been hurt, not because they were incompetent, but because accidents happen and people become complacent. Once transformed, people understand it is not a matter of experience. Experienced people get hurt and killed as well as novices. Once safety has become personal, relevant and important, people remember they want to go home safely and they start proactively looking after themselves, their mates and their families. We know they have transformed their thinking because they wear safety boots, not flip-flops, when mowing the lawn at home, because they choose safety. Of course, if someone is seriously injured it transforms their values, attitudes and beliefs. By then, it is too late for prevention. Our job is to cause the transformation before it is too late.
Similarly, when people first confront cyber security, their thinking is untransformed. Yes, cyber breaches and identity theft, phishing scams and ransomware happen, but they happen to others. Cyber security is not yet personal, relevant or important to them. They view security policies and procedures, along with passwords, as a pain and an inconvenience. “I have been using a computer for 10 years. Don’t you think I know what I am doing?” Professionals and managers trying to impose security policies and procedures on them are thought of as meddlesome micro-managers who are trying to tell them how to do their jobs – sound familiar?
Once transformed, however, we think about cyber security differently. Once transformed, people have internalised the need for cyber security to the point where they choose it, because it is now part of who they are. Once transformed, cyber security, constant vigilance and high performance are fundamental parts of their values, attitudes and beliefs. They know cybercrimes happen, not because victims are incompetent, but because cybercrimes happen and people become complacent. Once transformed, people understand it is not about experience or time on the job. Once cyber security becomes personal, relevant and important, people think and behave differently. They are aware they want to protect their children, their families and friends, their co-workers and the reputations of their companies. We know they have transformed their thinking because they are cyber-safe at home, because they choose it. Of course, if someone is scammed it transforms their values, attitudes and beliefs. By then, it is too late for prevention. Our job is to cause the transformation before it is too late.
James Carlopio BA MA PhD, Director and co-founder of Cultural Cyber Security, www.culturalcybersecurity.com, (+61) 0 488 028 054