Editor’s note: Dr. Jessica Barker, the closing keynoter speaker at ISACA’s EuroCACS 2020 conference, to take place virtually 28-30 October, is a leader in the human nature of cybersecurity. She has been named one of the top 20 most influential women in cybersecurity in the UK and in 2017 she was awarded as one of the UK’s Tech Women 50. Barker recently visited with ISACA Now to provide her insights on the human elements of cybersecurity and how enterprises can sharpen their approach to security. The following is a transcript of the conversation:
ISACA Now: Why is it important to understand the psychology of cybersecurity?
People are at the heart of cybersecurity. From technology creation, to testing, to use (and abuse), a lot of this field is fundamentally about how people interact with technology. Fields like sociology, psychology, behavioural economics and marketing can teach us so much about people: how we think, why we behave as we do, what can motivate us and what can undermine us. This knowledge is crucial in cybersecurity because we need to engage and empower people.
ISACA Now: How much progress have you observed in organizations developing a culture of cybersecurity in recent years?
For the last couple of years, we have been part of a huge shift in how organisations regard the human side of cybersecurity. Ten years ago, companies really overlooked awareness, behaviour and culture. That has all changed. A couple of years ago, we saw organisations putting much more emphasis on cybersecurity awareness, and getting messages about cybersecurity out to their employees. Now, organisations understand that it goes much beyond awareness, and that behaviour and culture are the cornerstones of cybersecurity.
ISACA Now: What is an example of a common cybersecurity misstep you’ve noticed that organizations make in implementing their cybersecurity programs?
One of the most common missteps that organisations make is using fear to try to drive change. Cybersecurity professionals sometimes fall into the trap of thinking that they can scare people into security. Of course, we need to talk about threats. But we need to do this in a responsible and constructive way, or we will actually find that our messaging backfires: a strong fear-based message can actually lead to people engaging in less secure behaviours.
ISACA Now: How does the language of cybersecurity and messaging factor in to developing effective security programs?
The language we use to communicate cybersecurity, how we shape and deliver our messages, is so important when we are trying to develop cybersecurity programmes and encourage people to engage in them. For example, using negative and fear-based messaging can be really off-putting, and using overly technical language for non-technical audiences can lead to them feeling that the messages don’t apply to them, so they disengage. Using positive, action-orientated messaging that explains why a policy or process is so important, is much more engaging.
ISACA Now: Now that we’re in a new decade, what upcoming trends in the industry do you find most intriguing to follow?
It doesn’t matter which decade we are in: cybersecurity problems have their roots in issues we have always dealt with in society. Technology has amplified those issues, at the same time as bringing us many benefits. Threats evolve and new vulnerabilities emerge, sometimes in a very fast-paced way, but ultimately in security we are often dealing with the same fundamental issues that we have been dealing with for decades, whether that is security issues in code or social engineering attacks.