Why cybersecurity education is good for business

In this age of digital information, appreciating how people interact and behave with technology is highly valuable in developing good data security cultures.

This falls within a field of research called cyberpsychology, the study of the intersection between technology and human behaviour.

Cyberpsychology covers everything from how people conduct themselves online and use social media, to internet addiction and the impact of technology on mental health.

So, what can this field tell us about developing good cybersecurity behaviours and data safe cultures?

A recent article published in the journal Cyberpsychology explored the links between security compliance and participation, and environmental working conditions such as time pressure, autonomy and threat appraisal.

The study found that employee knowledge about cybersecurity had a positive effect on compliance and participation in security measures.

To avoid falling victim to a phishing attack, for example, knowledge empowered employees to adhere to security protocols and engage in good security practices.

Similarly, if people perceived that a cyber-attack could happen to them and that the consequences would be severe, that knowledge translated into better security behaviours.

Decision-making autonomy also had a positive impact – employees with a level of independence were more likely to actively engage with ideas to enhance cybersecurity.

Where employees came unstuck was when they were under the pump.

The researchers found that the aforementioned positive effect of security knowledge on compliance was diminished by time pressure – time poor employees demonstrated poor compliance.

They observed that turning knowledge into good behaviours can be hindered by time pressure but be facilitated by giving employees autonomy, and reflecting on working conditions is important to develop more effective security training and good workplace cultures.

The takeaway is that a working environment can have a significant impact on cyber resilience, and environmental factors are important considerations when designing training and improving a cybersecurity culture.

AROSE’s Dr Newton Campbell put it best in a discussion on cyber resilience at the recent Space and Earth Conference in Perth – security education is good for business, not just for risk mitigation.

Ensuring a flow of knowledge about cybersecurity threats and the potential consequences equips employees with a greater understanding of the issues. If time or other pressures are creating conditions for low compliance, consider greater automation or other measures to mitigate risks.

Education starts at the top, and it is important that executives and managers set the example.

Data governance is one of the best defences against data and privacy breaches that an organisation can have, a view backed by cybersecurity experts.

Data Sentinel CEO Mark Rowan, in discussing the relationship between data governance and cyber security on his company’s website, said: “Once you know how sensitive a data collection is, you can apply the proper information security rules to keep it safe. In this approach, good data governance is an important part of a company’s overall cybersecurity strategy.”

There is also a role for educating up, by understanding the blockers that might hinder compliance or participation from the workforce. This continuous learning is vital in increasing or maintaining resilience.

Malicious attacks are the cause of 70% of notifiable data breaches, largely through ransomware, compromised or stolen credentials, or phishing emails that expose company networks.

But few attacks start with forcible entry into networks or system weaknesses being aggressively exploited, because cybercriminals are largely opportunists.

People are the consistent factor – about 82% of all cyberattacks involve a human element.

Fostering a culture of cybersecurity awareness, by helping employees understand the importance of their role in maintaining security, can be highly valuable in developing resilience against those ever-present threats.

Business leaders should support employees in managing security, monitor the effectiveness of strategies and be willing to adjust approaches based on the evolving needs and challenges of the workplace.

A good organisational cybersecurity culture is the foundation for effective protection of sensitive information, personal data and employee and customer privacy.