The Critical Need for a Cybersecurity-Safe Culture

A single phishing email can still put an entire business at risk, which raises the question of whether current employee training programs are actually effective or whether cybercriminals are becoming more sophisticated in their attacks.

Gartner's 2022 cybersecurity trends highlight a shift from traditional security awareness training towards holistic behaviour and culture change programs [1]. This suggests that existing efforts to educate employees about cybersecurity threats may be insufficient, especially when considering the key statistics related to the human factor in cybersecurity: 

  • 82% of breaches involve a human element 

  • $3.33M average cost of data breach from human error (IBM) 

  • 300% increase in attacks since COVID-19 (FBI IC3) 

These numbers underscore the urgent need to examine employee awareness and defence mechanisms in order to improve overall cybersecurity resilience.

Understanding Human Risks in Cybersecurity 

Bureau Veritas has identified 15 human risk topics related to behaviour, including password hygiene, social engineering awareness, and incident reporting [2]. 



While technical solutions can address some aspects, individual decision-making remains the crucial factor in mitigating these risks. 

The Gap Between Awareness and Behaviour 

Psychological models can help organizations implement more effective security measures by focusing on the gap between awareness and action. The MOA model (Motivation, Opportunity, Ability) explains that behaviour change occurs only when a threshold of these three factors is reached [3]. 


Often, people know what they should do but end up doing something different. This demonstrates that awareness alone doesn't guarantee safe behaviour. To effect real change, organizations must focus on removing barriers and ensuring that policies and interventions target behaviour directly. 

The SAFE Program: A Holistic Approach 

To bridge the gap between awareness and behaviour, we developed the SAFE Program. This initiative combines security expertise with psychological insights to drive effective behavioural changes and reduce cyber risks. The program uses various tools, including training courses, workshops, social engineering services, and crisis simulations, to address the three components of the MOA model. 


Benefits of the SAFE Program: 

  • Tailored awareness and behavioural change strategies 

  • Increased organizational resilience against external threats 

  • Measurable improvements in information security maturity 

  • Demonstrated commitment to privacy and information security 

  • Reduced risk of costly incidents and reputational damage 

By investing in the SAFE Program, companies can create a more cyber-aware workforce and foster a culture of security that goes beyond compliance. This approach not only protects against potential threats but also demonstrates a proactive stance on cybersecurity to both internal and external stakeholders [4]. 

As cyberattacks continue to become more sophisticated, organizations must prioritize the human factor in their security strategies. By focusing on behaviour change and creating a cybersecurity-safe culture, businesses can significantly improve their overall cyber resilience and better protect their valuable assets [5].

 

References: 

[1] Moore, S. (2022, April 13). 7 Top Trends in Cybersecurity for 2022. Retrieved from www.gartner.com: https://www.gartner.com/en/articles/7-top-trends-in-cybersecurity-for-2022 
[2] Wetzer, I. (2022). Onderzoek naar de human factor in informatiebeveiliging. Amsterdam: Secura. 
[3] Ölander, F., & Thøgersen, J. (1995). Understanding of consumer behaviour as a prerequisite for environmental protection. Journal of Consumer Policy, 18(4), 345-385. 
[4] Sommestad, T., Karlzén, H., & Hallberg, J. (2015). A Meta-Analysis of Studies on Information Security Behavior. International Journal of Information Security and Privacy, 9(1), 26-46. 
[5] Rhodes, K. (2001). Operations Security Awareness: The Mind has No Firewall. Computer Security Journal, 18:3.