The Psychology of Cybersecurity.

Cybersecurity is largely driven by psychology. What I mean by this is that the threat environment is mostly comprised of human interactions and behaviors, with a technological component behind them. It is a given that we need and benefit from digital technologies to do our jobs, earn our weekly paychecks and contribute to our employers and society at large. As digital technologies are ubiquitous and necessary, we must look at what causes threats in this digital environment in order to prepare to mitigate them.

The cybersecurity threat environment can be broken down into internal and external threats. Internal threats are the behaviors of our own employees. External threats come from malevolent actors in the wild. One must look at each of these threat environments and take active steps to mitigate them.

Internal threats are often the result of ignorance and/or carelessness and are as difficult, if not more difficult, to remedy than external threats. This is because of the inherent way in which our brains work and our natural human tendencies. Apart from insiders who have an ax to grind and who are motivated by personal gain or other reasons, most people do not intentionally seek to cause harm to their employers. Harm is caused through apathy and neglect and a lack of processes to enhance corporate security. Even in organizations that have excellent processes and security awareness, the internal threats caused by momentary lapses can be significant.

Many of the threats that are manifesting themselves today can be prevented by sound IT hygiene and good corporate processes. Such processes include always patching systems as updates become available and not opening suspicious documents, as described in most cybersecurity awareness training courses.

In terms of external threats and our responses to them, the muscle memory needed for coordinated corporate and team responses is more difficult to build, as these responses are usually not adequately practiced in simulations. Depending on the industry vertical, the running of cybersecurity drills and response simulations tends to be an annual affair, or does not happen at all. An annual exercise is probably inadequate preparation for a corporation to develop a well-honed response to active cybersecurity threats, such as a breach of a corporate network. This is because people tend to make assumptions about threats based on their previous experiences and/or training, and then tend to forget the lessons learned if they are not practicing how to prevent, detect and react to threats.

A recent article in Dark Reading explains this phenomenon (see

More frequent and realistic drills are required to develop the thinking required to mitigate these types of threats, as the Dark Reading article states:

“The goal is not to teach people to respond to a specific crisis, but rather to develop the necessary decision-making skills to respond to any crisis. Organizations will never become truly cyber resilient unless they make regular cyber exercises across the workforce a priority.”

So, the key to developing cyber resilience to internal threats caused by apathy, carelessness, and the rare case where an employee sets out to cause chaos, is to develop cybersecurity awareness training and good IT hygiene practices. The key to developing cyber resilience to active external threats is to run a set of drills every couple of months (quarterly would be the ideal minimum). In these drills, the Security Officer, along with the CISO/CIO, would coordinate a set of refresher training sessions and response drills, whereby cybersecurity training and realistic exercises are scheduled, and debriefings and lessons learned are collected.

When organizations cease to see cybersecurity as a cost and instead look at it as an investment, they will develop an enhanced cybersecurity posture and true corporate resilience.

B. Gibbs