PwC Digital Trust Insights survey suggests large companies are more concerned about insider threats than small businesses. However only 34% of organisations globally have an employee security awareness training program. People remain a critical aspect that can either make or break cybersecurity capabilities - regardless of the sophistication of an organisations’ security technologies.
In order to address the human element of cybersecurity it is crucial to focus on aspects of organisational culture and critical few behaviours. A focus on culture allows organisations to build awareness and a cyber conscious workforce that drifts away from traditional training and falls into habits of cyber fatigue e.g. phishing campaigns and basic online awareness training.
“Our focus on culture brings together cybersecurity, risk management, behavioural, and culture and change specialists, to help create and deliver unique and differentiating experiences to better manage the human element of cybersecurity and achieve the desired business objectives and performance.”
A behavioural approach to cybersecurity
Companies design cybersecurity frameworks and work environments around an assumption that people weigh up all available information about processes, policies, procedures, and training before making a decision. However, decision making is far more complex, and traditional training methods, education and incentives are often ineffective.
It is easy to think cyber incidents are caused by a poor system or human error. Our approach digs deeper than this to understand how decisions and actions are influenced by the conditions in which people work - including surrounding environment and culture. This allows us to identify a few critical behaviours organisations can focus on to influence management of cybersecurity risk.
We use behavioural economics to understand and modify the environment and resulting behaviours, including low attention, cognitive bandwidth or self-control. By designing our security frameworks and work environments with a better understanding of human behaviour, we can reduce the risk of decisions or behaviours that places your cybersecurity at risk.
Our approach brings together the skills of cyber, risk management, behaviour, culture and change specialists. Our approach hinges on the following:
Identifying 'universal’ cultural traits which span all parts of the business environment and frame the context for people’s behaviour
Determining the “critical few” behaviours (e.g. tone from the top, role modelling) and environmental enablers (e.g. Risk Management policy, Code of Conduct, cybersecurity policy) which drive the biggest impact towards the desired risk culture objectives and
Providing enough information to prioritise and design the right interventions / structural enablers to drive more congruent staff experiences by actively nudging people’s behaviour in the right direction.
We apply the approach to understand and measure the “critical few” behaviours and cultural context by performing a cyber behaviour diagnostic and focus group workshops based on a statistically valid proprietary framework.
“Every employee does not need to be a Cybersecurity Expert. It’s about identifying what motivates humans to make certain decisions and designing solutions that align with how people actually behave”
Our approach unlocks value by:
Personalisation of cyber related risks
Identification of a few critical behaviors and cultural context allows 'nudging' of behaviour in the right direction and prioritisation of interventions/initiatives that are relevant and aligned with people's roles (making cyber related risks personal).
Our research suggests that changing critical few behaviours is most likely to have the largest impact on your business performance and address the inefficiencies that stand between you and the best outcomes for your organisation and stakeholders.
Establish relationship between cultural and behavioural drivers, and tangible business outcomes
Our approaches are designed to increase awareness and individual's confidence in applying security policies and procedures. Linking internal organisational culture to relatable cyber risk examples through tailored training modules can lead to a reduction in business risk and operational costs.
Identification and measurement of behavioural KPIs
Our approach is data driven and allows you to create a cyber related behavioural baseline and KPIs. Undertaking periodic measurements to track the progress and breadth of behaviour adoption can help assess incidence and prevalence of the critical few behaviours.
Cyber behaviour and culture diagnostic
How we can help bring change
Cyber virtual reality experience
PwC’s cyber crisis virtual reality experience immerses users in a fully digital environment through a headset with 360 degree video. This experience can help trigger a conversation to assess your organisation’s cyber incident response and crisis management.
Game of Threats
Game of Threats™ is a strategic gamification product for company executives such as the Chief Risk Officer, Chief Executive Officer, Chief Technology Officer, Executive Board members and non-cyber workforce. The interactive card-based digital game helps simulate a cyber breach from the perspectives of a threat actor and a company. Participants are challenged to make quick, high-impact decisions in an effort to simulate the pressure and intensity of decision-making in the midst of a cyber incident and assess their readiness to understand, respond to and defend against cyber threats.
Working collaboratively across PwC’s cultural community we are able to create and unique workshops and intervention strategies tailored to your organisation’s needs.
Using a wide set of skills and backgrounds we can ensure that no two deliverables are alike and make sure each strategy focuses on your organisation’s ability to better manage the human element of cybersecurity.
Traditional training methods (phishing campaigns, yearly online training, email bulletins) often fail to address human decision making pitfalls. The need for human centric training is growing.
PwC, in partnership with key suppliers and industry leaders, can help organisations to deliver tailored training and awareness interventions. These trainings can include Cyber Series premiere screenings, Capture the Flag training (general or role specific e.g. developers), cyber incident response or crisis simulations, and Security Operations Center training. Developing a comprehensive human centric training module would be tailored and designed based on your cultural situation, maturity, and cybersecurity objectives.
Partner, Cybersecurity & Digital Trust, PwC Australia
Tel: +61 490 093 981
Director, Cyber Security, PwC Australia
Tel: +61 2 8266 2839
Partner, People and Organisation, PwC Australia
Tel: +61 3 8603 5797
Partner, Sydney, PwC Australia
Tel: +61 400 215 757