In the battle against cyber threats, the human factor is often the weakest link. This article explores how leaders can strengthen their organization’s human firewall using principles of behavioral influence.
In the realm of cybersecurity, the human factor is often the weakest link. The FBI reported that between October 2013 and July 2019, cybercriminals scammed $26 billion using the “Business Email Compromise” scam. This scam, which relies on social engineering techniques, tricks employees into revealing their credentials and making unauthorized transfers of funds. In 2017, MacEwan University in Canada fell victim to this type of scam, losing approximately $11.8 million.
These incidents highlight the critical role that individual behavior plays in cybersecurity. In fact, human psychology is the ultimate target in 99% of breaches. As such, it is crucial for business leaders to focus on reducing this human-based liability. This involves creating a security-aware culture where all members of the organization are committed to maintaining security, beyond just completing mandatory security training.
Influencing behavior is a complex task, but research by Robert Cialdini provides a useful framework. Cialdini identified six principles of influence that can be harnessed to encourage compliance with requests or desired behaviors. These principles are consistency, social proof, reciprocity, scarcity, liking, and authority.
- Consistency: People tend to act in ways that are consistent with their past behavior. Asking employees to sign a security policy can foster a commitment to adhere to the organization’s security standards.
- Social Proof: People are influenced by the opinions and behaviors of others. Senior leaders can lead by example, promoting best-practice behavior and reducing uncertainty about what constitutes appropriate behavior.
- Reciprocity: People feel obliged to return a favor when something is given to them. Leaders can use this principle to strengthen a security-aware culture, for example, by providing employees with secure and encrypted flash drives.
- Scarcity: People want what is rare or seemingly scarce. Leaders can leverage this principle by promoting the organization’s rare and exemplary security accreditations, which could be jeopardized by a security breach.
- Liking: People are influenced by those who are like them or those they find likable. Leaders can build trust with their workforce by acting with humility and empathy, making them more approachable and identifiable.
- Authority: People are more likely to comply with requests when these requests are issued by someone in an authority role. Leaders need to be seen as a trusted source in addition to being the boss to effectively enforce their instructions and mandates.
In conclusion, the human factor is a critical element in information security. By understanding and leveraging the principles of influence, leaders can foster a security-aware culture that reduces the risk of breaches. This involves not only implementing robust security measures but also influencing the mindsets and behaviors of all members of the organization. As the cybersecurity landscape continues to evolve, staying one step ahead of the hackers will require a comprehensive approach that addresses both the technological and human aspects of security.