At present, legal requirements around cyber security derive from the Data Protection Act (DPA), but this will change on 25 May 2018 when the General Data Protection Regulation (GDPR) comes into force. It will have an impact across the organisation in terms of how it stores and uses information.
Cyber security can often involve installing monitoring equipment. It is best practice to undertake an impact assessment, especially given that some types of surveillance will not only upset employees but can be illegal.
MetrixCloud has devised its Cyber Security Behavioural Model to shed light on the interaction between malware/hacking and victims. We see this as a behavioural layer that impacts on cyber security vulnerabilities – People, IT and Processes/Physical.
Much of how we behave is unconscious. It is rooted in our biology, the way we think and our psychology. Our decisions are not always well thought out – we take risks. These risks and unconscious biases can be exploited via social engineering. Our behaviours can also result in more conscious acts such as insider threats (blackmail, fraud or cyber vandalism).
(c) MetrixCloud Ltd
Our Behavioural Consultancy looks at behaviours from three linked perspectives:
Biological: Automatic behaviours can be generated by our fight, flight, freeze and fawn responses. Reward seeking behaviour can lead to risk taking and poor decisions such as falling for baiting.
Cognitive: Memory & information processing can be flawed and biased. We have stereotyped views of what we think a hacker looks like – this cognitive bias is termed representative heuristic.
Psychological: Our experiences develop into scripts that determine how we behave at an individual and organisational level. These can be predictable and so exploitable.
By considering these dimensions within our Cyber-security Behavioural Model, we are able to highlight vulnerabilities by testing people/process/physical elements and advise businesses on how to improve their structure and processes.
What we want to happen and what actually happens are not always the same thing. Cultural dimensions and informal processes can become ‘the way we do things around here’. These sub-optimal practices can be exploited by cyber-criminals. We need to rethink how we design the way we want the organisation to function. Simply providing instructions does not always work; we have to get to the behavioural reason why people aren’t following procedures.
Cyber Security as Default
It is important that process redesign recognises that much like water, people seek the easiest path. We simply don’t want to waste energy thinking about something. So, if we want employees to do the safest thing, then we should attempt to make it the default action.
Behavioural Learning and Coaching:
Coaching combined with learning accelerates the embedding of behavioural concepts. Theory and practice are considered together. A deeper understanding generates practical solutions.
Small Group Work (max 6 people):
In addition to individual coaching, we can work with small groups to enable people from across the organisation to come together. These interactive sessions accelerate behavioural understanding by allowing delegates to learn by doing and share with their peers.
We can provide a learning solution that meets your ongoing cyber security needs.
We can undertake an analysis to establish business priorities and the skills & knowledge needed. We can then match this to our existing online and workshop programmes. And, if there is a specific requirement, we can develop a tailored solution for your organisation.