Human behaviours: Understanding decision making for a successful cyber strategy

Key takeaways

  • A post-COVID-19 world requires a new cyber awareness and influence strategy as organisations move towards an increasingly virtual workforce.
  • A 360-degree view of an individual’s perceptions and mindsets will be needed to address the ‘human side’ of cybersecurity, and allow for the design of tailored interventions for change.
  • A combination of traditional and behavioural approaches is critical to measuring cyber behaviours in a holistic manner.

Regardless of their sophistication, cybersecurity capabilities are ultimately made, or broken, by an organisation’s people. In order to truly protect your business, it’s necessary to understand what drives people’s decision making, and create and foster a culture that places risk-management at the forefront of its efforts. 

In a time where our insatiable thirst for information now extends far into the digital world, huge amounts of information are causing distraction. Consequently, people are more likely to click on links that they would normally avoid, creating significant opportunities for phishing scams.[1]

The rise of remote working is also blurring the lines between work, home life and caring responsibilities. This has a notable, and understandable, impact on our levels of concentration and ability to make optimal decisions. Remote working has also changed the way we approach personal security: many people leave their computers unlocked at home, as well as using more non-enterprise devices and software for work, unwittingly creating vulnerabilities.

New world, new cyber awareness and influence strategy

Given much of the workforce is largely at home or working virtually during the COVID-19 pandemic, and may continue to be for some time, businesses will need to rethink the traditional approaches to cyber awareness campaigns. They may no longer be appropriate or effective. PwC’s Workforce Pulse Survey found that nearly 70 percent of CISOs and CIOs have increased security training as a result of COVID-19. But in contrast, only 23 percent said their firm provided a compelling case for why employees needed to have good data security habits.

Remote working is set to become the norm for many industries, with companies such as Twitter and Atlassian telling employees that they can work from home permanently if they choose.[2] For many other businesses, a hybrid model combining work from home and offices/sites will likely become a permanent set-up.[3] This will have implications for all aspects of the business, including cybersecurity.

To prepare, organisations should:

  • Review their current cyber awareness, training and communication strategy to align it with business and technology strategy changes that address the long term requirements of a new hybrid workforce.
  • Communicate clearly how the cybersecurity function is supporting the change in approach given people’s day to day work life.
  • Reduce uncertainty by providing greater visibility on cybersecurity to the board and management using business-focused cyber metrics and reporting frameworks.
  • Make sure employees know what behaviours are expected and what resources are available to support them. For example, expectations of front line staff will be different to back office staff, or onsite versus remote workers.

A 360-degree view of perceptions and mindsets

While setting expectations and communicating them to an increasingly diverse workforce is a crucial first step, it will only go so far in addressing the behaviours that lead to a breach. Typically, companies design cybersecurity strategies based on the assumption that people make informed decisions. However, behavioural economics has shown us that decision making is far more complex. 

When a cyber incident occurs, an old system or human error is often blamed. However, incidents can be caused by a number of factors, including poorly designed security processes, difficulty in finding answers to cybersecurity questions, staff making genuine mistakes because they are tired or overloaded, or users being unsure or unaware of the security behaviours they need to demonstrate and why.[4]

In reality, a deeper understanding of the pattern of behaviours, structures, organisational factors and mental models is needed.[5] This knowledge will allow the business to identify the critical behaviours to focus on to increase the effectiveness of cyber awareness and influence strategies.

[Exhibit 1: cyber behaviours]

There are three key areas organisations can focus on to foster these behaviours:

  1. Use research-based behavioural techniques: Behavioural surveys, scenario testing and situational judgement tests can help CISOs and executives understand the individual and environmental drivers of poor cyber behaviours, including low attention, limited cognitive bandwidth and inconsistent self-control. A security awareness and communications strategy designed around a better understanding of human behaviour can help reduce the risk of decisions or behaviours that place your organisation at risk of a breach.
  2. Identify time-sensitive teachable moments: Organisations should explore ‘just in time’ learning techniques that leverage behavioural economics concepts and provide real-time feedback that reinforces the desired behaviour. For instance, when an employee sends sensitive data to an unauthorised location or personal mailbox, the training and awareness workflows create a real-time notification communicating the action the person was expected to take.
  3. Use a combination of traditional and behavioural approaches to measure behavioural change: Understand the ‘why’ of decision making by analysing perception and mindset related metrics, and the ‘what’ by analysing the metrics obtained from cybersecurity tools and technologies, such as user device protection, phishing simulations, email security, and data loss prevention tools. What most organisations already collect needs to be combined with perception metrics and other organisational metrics to develop a holistic view of cyber behaviour and culture.
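As an added illustration of the ‘just in time’ feedback described in point 2 (example code written for this page, not PwC’s or any product’s own workflow): a small Python hook that turns a data loss prevention event into a real-time notification stating the expected action, and flags repeat cases for the same person. The event fields, domain lists and message wording are assumptions.

```python
# Added example: a minimal "just in time" feedback hook for DLP events.
# Event format, domain lists and wording are assumptions, not a vendor API.
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

AUTHORISED_DOMAINS = {"example.com", "partner.example.net"}      # assumed
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed
SENSITIVE_LABELS = {"confidential", "restricted"}                # assumed

@dataclass
class DlpEvent:
    user: str       # sender's work account
    recipient: str  # destination address reported by the DLP tool
    label: str      # classification label attached to the data

def classify_destination(recipient: str) -> str:
    """Authorised work domain, personal mailbox, or other external address."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in AUTHORISED_DOMAINS:
        return "authorised"
    if domain in PERSONAL_MAIL_DOMAINS:
        return "personal"
    return "external"

def teachable_moment(event: DlpEvent, prior_count: int) -> Optional[dict]:
    """Return a feedback notification, or None when no feedback is warranted."""
    if event.label.lower() not in SENSITIVE_LABELS:
        return None
    dest = classify_destination(event.recipient)
    if dest == "authorised":
        return None
    desired = ("Share classified data only with approved work accounts; "
               "use the secure file-transfer service for external recipients.")
    return {
        "user": event.user,
        "destination": dest,
        "repeat": prior_count > 0,   # a repeat suggests a habit, not a slip
        "message": f"You just sent '{event.label}' data to a {dest} address. {desired}",
    }

def process_events(events: List[DlpEvent]) -> List[dict]:
    """Run the hook over a stream of events, counting notices per user."""
    seen, notes = Counter(), []
    for ev in events:
        note = teachable_moment(ev, seen[ev.user])
        if note:
            notes.append(note)
            seen[ev.user] += 1
    return notes

SAMPLE_EVENTS = [  # constructed sample input
    DlpEvent("alice", "friend@gmail.com", "confidential"),
    DlpEvent("alice", "colleague@example.com", "confidential"),
    DlpEvent("dave", "sales@vendor.org", "public"),
    DlpEvent("alice", "sales@vendor.org", "restricted"),
]
```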

A human-first approach to cyber 

There is no silver bullet to address human behaviour. It is important to understand the context and environment in which decisions are made before expecting behavioural change. Individuals do not need to become security experts to avoid most of the incidents that occur; however, businesses as a whole must ensure they are able to identify what motivates people to make certain decisions. They can then design solutions that align with how employees actually behave, rather than expecting them to comply with even the most robust cybersecurity strategy. They’re only human after all.

Request a demonstration of PwC’s Cyber Culture Diagnostic.
