A discussion with Professor Phil Morgan, Director of the Human Factors Excellence Research Group (HuFEx) at Cardiff University and the Technical Lead in Cyberpsychology and Human Factors and the Accelerator in Human-Centric Cyber Security at Airbus
Nick Wilding – Chief Innovation Officer at Cyber Risk Aware
Last week I spoke with Professor Phil Morgan about how security awareness and education and human cyber risk management is likely to evolve in the next 2-3 years. It was a fascinating discussion. What’s particularly interesting about Phil is that he’s not only a noted human factors academic, but that he’s also applying and refining the research that he and his team continue to develop as the leader of Human Centric Cyber Security at Airbus. He really is applying science in the real world.
We chatted about the role that sociotechnical research must play in helping inform the approach and techniques we use and our approach, what really are the key influences on why we behave in the ways we do and the importance of creating tailored interventions to reduce human vulnerabilities to cyber-attack. Here are the highlights.
Research around the world continues to highlight that people are the ‘causal’ factor behind 95% of successful cyber breaches. We’ve known this for many years and this number has not changed. If our objective really is to positively impact security behaviours, we need to get better at understanding and applying the science – the evidence base that can help increase the effectiveness of all your efforts. As Phil observed:
“We need human factors and cognitive psychology research to first better understand what human cyber risky behaviours are, to establish why they occur in the first place (and sometimes again and again) and only then can we start to develop effective interventions to support people to exhibit more cyber strengths and far fewer vulnerabilities.”
It’s good to know that everyone is different. It’s what makes the world go round! We all behave in slightly different ways when faced with the same challenge or problem. This doesn’t make our work any easier in developing effective security training and other interventions. We behave differently for different reasons – for example, demographics, life experiences, culture, education, personality and belief systems. But research that Phil and his team have carried out (as well as other research) has identified other determinants of risky security behaviours. Factors such as:
The research has also shown that we need to be careful not to let our guard down. When we experience something time and time again there is a real danger that our response becomes more automatic. As discussions during all our recent ‘People Matter’ webinars have highlighted…we must see our people as part of the solution and actively listen and collaborate with them to develop their confidence to do the right thing at the right time and to assist in developing appropriate interventions for different threats.
Typically, a ‘one-size-fits-all approach to security awareness training is not going to work! Phil highlighted that the best approach is to measure – at the individual level (whilst of course ensuring confidentiality and anonymity) – human cyber behaviours, vulnerabilities and strengths such that interventions can be developed and tailored to best-fit individuals and groups of people who are similar in many ways. At Cyber Risk Aware we’re dedicated to this approach in communicating highly target, relevant, positive and actionable guidance to employees at the time they might display risky behaviours. It’s all about training in the right context at the right time.
I asked Phil whether this discussion would be irrelevant in 10 years’ time because we would all be cyber-savvy by then. Quite the opposite he thought. Cyber-criminals, like us, will evolve and adapt and become ever more intelligent in their attacks. He believes it will be through continued research and the effective application of this new science that will enable us to stay ahead of the criminals. People have vulnerabilities or cognitive biases that can be exploited but we are also highly skilled in problem-solving and adapting to our circumstances.
The message is clear – we need to remain vigilant; we need to apply some science to evolve and adapt our approaches to security education and we have to develop organisational cultures that listen and collaborate with our employees…they hold the keys to unlocking many of the security training challenges we face.