The cybersecurity industry needs an overhaul. Cybersecurity is often avoided and misunderstood because, to put it frankly, we pretend it is a technological problem when it is a people problem. We need to see and understand people in order to motivate them toward a more secure future, and we need to understand how to change behaviors, not just how to deploy new technology.
As social creatures, our most basic emotional needs are to be heard, to belong, and to matter. Even extreme behaviors, like joining a violent gang or disfiguring one's own body, are done in order to be heard, to belong, and to matter. These needs are fundamentally important to us and have profound power to drive our decision-making. Yet instead of focusing on what drives the decisions of end users (or executives, cybersecurity engineers, and so on), much of cybersecurity runs on fear: fear of attack, fear of failure, even fear of inadequacy. Fear does not produce lasting improvements in behavior; if anything, acute fear degrades the quality of the decisions people make. Instead, we need to take lessons from philosophy, behavioral psychology, and even the gaming industry to learn how to persuade people to act in their own best cyber interest.
Smoking indoors wasn't always taboo. When I began my career as an aerospace engineer in the 1980s, the time of day dictated how far you could see down our mile-long industrial facility. Mornings were clear; you could stand at one end and see to the other. By evening, smoke filled the room to the point where you couldn't see the opposite wall 80 yards away. Smoking indoors has since become unheard of; smoking itself is no longer socially normative. According to the CDC, only about 14% of US adults smoke. Gallup reports that 45% of the population smoked in the 1950s, a reduction of roughly 69%. A marketing campaign drove sales up 300% for one brand in a single year, and then smoking rates fell steadily for more than 50 years. What made the difference? Marketing, specifically marketing that drew on lessons from philosophy and behavioral psychology. The cybersecurity industry could benefit greatly from Socrates, St. Cassian, and Nir Eyal, three thinkers who looked deeply into what makes people tick. If, as is widely reported, over 90% of cybersecurity incidents involve human behavior, why are there virtually no cybersecurity programs teaching these time-tested methods?
In the 1950s, 60s, and 70s, advertising agencies appealed to our need to be heard, to belong, and to matter. Smoking was made attractive (the Marlboro Man, anyone?). Women hungry to be heard and for society to change were told that cigarettes were part of being free and liberated, as advertisers capitalized on the sexual revolution. Then, as the dangers of smoking became more evident, advertising shifted. Now smoking is unattractive; if you truly want to be happy and healthy, the message is: don't smoke. Social behavior changes when people are inspired toward something, not threatened with something. As cyber professionals, we need to express cybersecurity not in terms of fear but in terms of real value and concrete behaviors, by addressing and connecting with people. The recent paper by Karen Renaud and Norah Alkaldi provides keen insight into this.
All our theoretical knowledge about the importance of multi-factor authentication, unique and strong passwords, or VPNs goes out the window if we can't get people to care. This is where philosophy comes in. Philosophy means the love of wisdom, and we need to be people-wise in an industry that is, as we will argue in future articles, inherently unethical. For now, recognize that wisdom means finding trusted cyber professionals (discussed in a previous article), knowing what drives human behavior, and knowing what our "human dimensions of change" practices ought to look like: a cyber philosophy of mental models, if you will. One of the twelve First Principles of Cybersecurity (to be covered in a future article) is that cybersecurity requires comfort with ambiguity, because cybersecurity is fundamentally about defining and mitigating risk, and risk offers no mathematical certainty.
Once philosophy is combined with psychology and advertising methods, cybersecurity can engage its audience in a new way. Take gamification as an example. Games appeal to our desire to belong; they immediately place us within a defined context, the game. Gamification in cybersecurity gives people a place to be heard, to belong, and to matter within a non-threatening context. By appealing to our competitive natures, it communicates that the challenge at hand may be difficult but is still conquerable.
The cybersecurity industry needs an ethics overhaul, and we believe that with one, a real solution to our national cybersecurity under-preparedness is achievable. By changing the way we see cybersecurity, focusing on genuine behavioral change through reasonable and prudent steps, we can build a more secure future. Future articles will define specific steps and tactics that IT, cybersecurity, and people and culture (HR) teams can partner on to make a real dent in cybersecurity risk. The lessons are out there; we just need true diversity of thought to see the invisible.
At the Carolina Cyber Center, we want to help equip you to defend your data. Don't hesitate to contact us with your cybersecurity questions. Interested in becoming a cyber professional? Apply for a Carolina Cyber Center Academy cohort beginning this summer and become a trained Cyber Analyst!