PwC's Digital Trust Insights survey suggests large companies are more concerned about insider threats than small businesses. However, only 34% of organisations globally have an employee security awareness training program. People remain a critical factor that can either make or break cyber security capabilities, regardless of the sophistication of an organisation's security technologies.
In order to address the human element of cyber security it is crucial to focus on aspects of organisational culture and the critical few behaviours. A focus on culture allows organisations to build awareness and a cyber-conscious workforce, moving away from traditional training (e.g. phishing campaigns and basic online awareness training) that leads to habits of cyber fatigue.
“Our focus on culture brings together cyber security, risk management, behavioural, and culture and change specialists, to help create and deliver unique and differentiating experiences to better manage the human element of cyber security and achieve the desired business objectives and performance.”
A Behavioral Approach to Cyber Security
Companies design cyber security frameworks and work environments around an assumption that people weigh up all available information about processes, policies, procedures, and training before making a decision. However, decision making is far more complex, and traditional training methods, education and incentives are often ineffective.
It is easy to think cyber incidents are caused by a poor system or human error. Our approach digs deeper than this to understand how decisions and actions are influenced by the conditions in which people work, including the surrounding environment and culture. This allows us to identify a few critical behaviours organisations can focus on to influence the management of cyber security risk.
We use behavioural economics to understand and modify the environment and the resulting behaviours, including the effects of low attention, limited cognitive bandwidth or self-control. By designing security frameworks and work environments with a better understanding of human behaviour, we can reduce the risk of decisions or behaviours that place your cyber security at risk.
Our approach brings together the skills of cyber, risk management, behaviour, culture and change specialists. Our approach hinges on the following:
Identifying 'universal' cultural traits which span all parts of the business environment and frame the context for people's behaviour
Determining the "critical few" behaviours (e.g. tone from the top, role modelling) and environmental enablers (e.g. Risk Management policy, Code of Conduct, cyber security policy) which drive the biggest impact towards the desired risk culture objectives
Providing enough information to prioritise and design the right interventions / structural enablers to drive more congruent staff experiences by actively nudging people's behaviour in the right direction.
We apply the approach to understand and measure the “critical few” behaviours and cultural context by performing a cyber behaviour diagnostic and focus group workshops based on a statistically valid proprietary framework.
“Every employee does not need to be a Cyber Security Expert. It’s about identifying what motivates humans to make certain decisions and designing solutions that align with how people actually behave”
Our approach unlocks value by:
Personalisation of cyber related risks
Identification of a few critical behaviours and the cultural context allows 'nudging' of behaviour in the right direction and prioritisation of interventions/initiatives that are relevant and aligned with people's roles (making cyber related risks personal).
Our research suggests that changing the critical few behaviours is most likely to have the largest impact on your business performance and address the inefficiencies that stand between you and the best outcomes for your organisation and stakeholders.
Establishing the relationship between cultural and behavioural drivers and tangible business outcomes
Our approaches are designed to increase awareness and individuals' confidence in applying security policies and procedures. Linking internal organisational culture to relatable cyber risk examples through tailored training modules can lead to a reduction in business risk and operational costs.
Identification and measurement of behavioural KPIs
Our approach is data driven and allows you to create a cyber related behavioural baseline and KPIs. Undertaking periodic measurements to track the progress and breadth of behaviour adoption can help assess incidence and prevalence of the critical few behaviours.
Cyber Behaviour and Culture Diagnostic
How we can help bring change
Cyber virtual reality experience
PwC’s cyber crisis virtual reality experience immerses users in a fully digital environment through a headset with 360 degree video. This experience can help trigger a conversation to assess your organisation’s cyber incident response and crisis management.
Game of Threats
Game of Threats™ is a strategic gamification product for company executives such as the Chief Risk Officer, Chief Executive Officer, Chief Technology Officer, Executive Board members and non-cyber workforce. The interactive card-based digital game helps simulate a cyber breach from the perspectives of a threat actor and a company. Participants are challenged to make quick, high-impact decisions in an effort to simulate the pressure and intensity of decision-making in the midst of a cyber incident and assess their readiness to understand, respond to and defend against cyber threats.
Working collaboratively across PwC's cultural community, we are able to create unique workshops and intervention strategies tailored to your organisation's needs.
Using a wide set of skills and backgrounds, we can ensure that no two deliverables are alike and that each strategy focuses on your organisation's ability to better manage the human element of cyber security.
Traditional training methods (phishing campaigns, yearly online training, email bulletins) often fail to address human decision-making pitfalls. The need for human-centric training is growing.
PwC, in partnership with key suppliers and industry leaders, can help organisations deliver tailored training and awareness interventions. This training can include Cyber Series premiere screenings, Capture the Flag training (general or role specific, e.g. for developers), cyber incident response or crisis simulations, and Security Operations Center training. A comprehensive human-centric training module would be tailored and designed based on your cultural situation, maturity, and cyber security objectives.