In a speech in September of last year, Ciaran Martin, chief executive officer of the UK's National Cyber Security Centre, alluded to one of the most prominent fallacies that's touted time and again when it comes to cyber-security. “Let's stop talking nonsense about humans being the weakest link in cyber-security,” said Martin in his talk to the CBI, the Confederation of British Industry. “It's a bit like saying the weakest link in a sports team is all the players.”
Martin's point is sound: people are always going to be victims in cyber-crime, but stating that people are vulnerable to hackers and scammers would be to state the obvious. While it's true that as many as three-quarters of all cyber-attacks involve a human component, that needn't suggest that people are the problem. “I think that is the most important shift in thinking over the past year or so,” stated Mr Martin, “the wider recognition of the importance of the user.” As he went on to stress, it's the academic world that we need to be paying attention to.
Overlooking the science
The trouble with the way cyber-security is taught in workplaces across the country is that it's usually anything but academic.
Many businesses hand their new hires bulky training manuals with the unreasonable expectation that, simply because staff have been informed, they will change their behaviour. Others try to get by with one-off, yearly training programmes. These have little impact: a single session demands more sustained concentration than most people can give it, and whatever is absorbed fades, so cyber-security hygiene inevitably deteriorates over the course of the year.
Organisations often wonder why their training programmes haven't had any real impact on their staff's cyber-security hygiene. The answer is quite a simple one: training that doesn't take into account the way humans learn and consume knowledge is never going to work.
Theories of learning
Educational theory would be a good place to begin. Much research has been done into how we assimilate new information and what constitutes effective learning. Ciaran Martin is himself a fan of a study focusing on human factors by Shari Pfleeger, Angela Sasse and Adrian Furnham.
Take, for example, Malcolm Knowles' theory of andragogy, “the art and science of helping adults learn”, formulated on five core assumptions about how adults learn:
1. Adults learn independently
2. They have experience, a useful springboard for learning
3. They value learning that integrates with everyday life
4. They are more interested in problem-solving approaches than in subject-centred ones
5. They are more motivated by intrinsic than by extrinsic factors
Looking over the central principles of Knowles' theory, it's hard to identify any of them in most ‘modern' cyber-security training programmes: training seldom integrates with everyday work and usually disrupts it. Very few programmes offer even the semblance of problem solving, and fewer still take into account the experiences and prior knowledge of the adults who are being trained. Knowles is by no means the only educationalist who has been flatly ignored in the cyber-security training space. It's widely recognised, for example, that allowing individuals to control their rate of learning helps them to learn more effectively, that learning happens best when the instruction is related to real-life experiences (Gestalt theory), and that people learn more deeply from words and pictures than from words alone (the “multimedia principle”). The list could go on.
Revolutionising business education
What we know about how people learn and how businesses go about training staff couldn't be more polarised. But there's no reason why this should continue to be the case. Cyber-security training should be regular: it's well documented within educational psychology that people digest more information in smaller, regular bites. Training should recognise that different people learn in different ways, and should embrace modern technology that enables it to be done at a time and place convenient for the individual.
Successful businesses are always taking a modern approach with their technology to stay ahead of their competitors and to avoid costly data breaches. In a cyber-security landscape increasingly dominated by human-to-human attack vectors, it only makes sense that businesses also begin to take a modern approach with their staff.
Contributed by Oz Alashe, CEO of cyber-security training platform, CybSafe
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.