Jonathan Craven: How to Use Psychology to Reinforce Cybersecurity

iRhythm Technologies Privacy and Compliance Lead Jonathan Craven discusses how psychology can be a useful tool to promote cyber-secure behavior in the workplace

Promoting cyber-secure behavior in the workplace can feel like an uphill struggle for even the most seasoned cybersecurity professional.

Point two of Lenny Zeltzer’s ‘How to Suck at Information Security’ cheat sheet states: “Assume the users will read the security policy because you've asked them to.”

This likely resonates with any cybersecurity executive who has been responsible for driving security culture. The question becomes, how should we best engage our colleagues on the topic of cybersecurity? And how can we make behavioral change stick?

In this episode of the Business of InfoSec Podcast, iRhythm Technologies Privacy and Compliance Lead Jonathan Craven argues that understanding the psychology of your employees is essential to promoting cyber-secure behavior.

“I sympathize with a lot of my colleagues in cybersecurity because sometimes it almost feels like the staff, your colleagues, are working against you and you don't know why,” says Craven. “I think the fundamental question is, why is that the case?”

People as a Pillar of Cybersecurity

There are plenty of commercially available tools to promote cyber-awareness amongst staff. However, they still require people to pay attention to them.

“I think historically lots of organizations have always looked for a bit of a silver bullet in terms of meeting almost any kind of regulatory compliance need. The problem [is that] people tend to focus on tools and processes as solutions rather than saying, ‘how do we make these tools and processes work?’, Craven says.

He continues: “And the answer to that question in most organizations is going to be that we have to have people who are going to use them, operate them and employ them properly.”

For Craven, this means focusing on the root causes of cyber-insecure behavior to drive organizational resilience to common people-focused attack vectors.  

“In terms of data protection and cybersecurity, I think what's key here is why do people do stuff that we don't want them to do?” says Craven.  “And how do we make them change those behaviors?” 

Reinforcing Cyber-Secure Behavior

For cyber training to stick, Craven believes that the best approach is ‘little and often, rather than focusing on a lengthy annual training or refresher.

There's been a lot of research over recent years that one-off or very irregular heavy-duty [trainings] only have very limited success,” he says.

He continues: “Your annual information security training refresher is not gonna work that well, it's not gonna stick. And it's particularly not gonna stick if it's the same PowerPoint with the same quiz every 12 months.”

Commercially available tools may complement this approach, Craven thinks. Particularly when many staff is primarily working from home.

“I have seen a number of vendors over the last year or two, who have started to produce cybersecurity and compliance software tools, which operate as an overlay on your staffs’ desktops,” Craven says.

“I go back to a very simple psychological principle of positive reinforcement,” he continues. “We [should be] slowly conditioning staff to behave in a more compliant way, and to develop a much better awareness and understanding of the reasons why.”

The Psychology of Social Engineering

Most cyberattacks in the USA now target humans as a vulnerability at some point in the attack chain, often in the form of social engineering.

Unfortunately, misconceptions about how hackers commonly conduct cyberattacks sometimes cause complacency in the workplace.

“Probably one of the last big myths about cybersecurity and hacking is that there is a guy in a hoodie hunched over a laptop with lots of green code squiggling about all over the place – and that’s a hacker,” Craven quips.

He continues: “When in fact, what a lot of these people doing now is scraping social media profiles. They're looking for information about people, which they are freely volunteering to the wider world.”

To combat this, Craven thinks that it’s important to speak candidly with staff about cyber-risk, and how their behavior can affect cybersecurity both professionally and in their personal life.

“It's never been more important to have those kinds of very frank conversations with staff about what they're doing [online],” Craven concludes. “But also making sure that we can put the right tools in place to support them, to make sure that they don't do things by wrong by accident.”

You can hear more from the Business of InfoSec Podcast, featuring interviews with leading information security specialists here.