My name is Dr. Esther Solomon Edun, and I’m a Cyber Security Awareness & Education Manager with The Workshop.
As a cyber security professional with a particular interest in human factors, I’m deeply immersed in the key role people play in upholding cyber security and I’m always looking for ways to engage and share insights with the broader community. Earlier this summer, I was delighted to be invited to London’s WAN Summit, where I hosted “Integrating Human Factors in Cyber Security Strategy, Design & Delivery,” a roundtable discussion.
The WAN Summit is a series of events, run globally, bringing together top corporate WAN (Wide-Area Network) strategists and service providers to discuss the latest trends and best practices. My roundtable gave participants a chance to share their key strategies, perspectives and pain points around cyber security awareness and training within their organisations, and to brainstorm fresh solutions. Below, I’ll give a quick glimpse into some of our most exciting takeaways.
Six people joined my roundtable discussion, including a network architect from a luxury goods brand, a vulnerability manager from a software development company, a client success manager in an IT services company, a security and infrastructure architect from a staffing solutions company, a site reliability engineer in a software development company and a principal network engineer in the information technology and services industry. It was fantastic to be able to facilitate a discussion with such an interesting collection of professionals, drawing out – and sometimes challenging – preconceived notions about what really constitutes best practice in organisational cyber security.
Considering the human side in organisational cyber security
Our central theme for this discussion revolved around methods for improving cyber security awareness and behaviour – and how this can impact company strategy.
Although we heard several viewpoints, two general perspectives emerged: Some believed that strict measures should be used to enforce cyber security, including instituting consequences for non-compliance. Others, however, argued for a softer, more empathetic approach, with a focus on demonstrating concern for the well-being of users. As we dived deeper, considering how empathy could be woven into cyber security awareness programs, our group determined that several positive outcomes could be expected from such an approach, including:
- Increased user engagement: By taking time to understand and address users' concerns, fears and motivations, organisations can design tailored awareness initiatives that resonate with their audiences, thereby increasing user engagement and encouraging active participation in cyber security practices.
- Improved risk perception: By using real-life scenarios and emphasising the impact of cyber security incidents on people's daily lives, users are better able to grasp the importance of protecting their personal and professional information. And while traditional cyber security awareness programs rely on fear-based tactics and focus heavily on negative outcomes, an empathetic approach instead fosters positive behavioural change by demonstrating how taking action contributes to the well-being of individuals and their organisations.
- Enhanced collaboration and reporting: Empathy also fosters a supportive environment, where individuals feel comfortable reporting potential security incidents, such as phishing attempts or suspicious activities. By establishing trust and understanding, cyber security awareness programs can encourage open communication channels and create a culture of collaboration, better enabling early detection and response to threats.
- Reduced insider threats: When individuals know their organisation cares about their well-being, they feel more engaged and connected with the broader purpose and shared aims. Empathy-driven cyber security awareness programs can help mitigate insider threats by fostering a sense of shared responsibility and trust among employees.
My key takeaways and “a-ha” moments from the summit came around the realisation that cyber security awareness can and should be woven into overall organisational goals. It’s not the territory of a single team, but rather of multiple teams across departments, and, ultimately, every individual employee. A holistic and empathetic approach to cyber security, including tailored communications, positive reinforcement and recognition, is, in my opinion, the standout approach for achieving real and long-lasting results.
My “Integrating Human Factors in Cyber Security” roundtable was fascinating and fruitful, leaving me and the participants with plenty of food for thought! It’s clear that by adopting empathetic approaches, tailored communication and plenty of positive reinforcement, organisations will be better positioned to create connected, collaborative and safe cultures. In short, rather than punishing users or creating fear-based environments, corporate results can be better achieved by prioritising the human factor.
I’m in no doubt that The Workshop will continue integrating the results of this discussion, exploring and implementing the lessons learned and pushing towards the future of cyber security, with “privacy as a priority” as one of our core values.