The threat landscape keeps expanding even as the cybersecurity community steps up its efforts to counter cyberattacks. The majority of cyberattacks begin with a spear-phishing email, which is commonly used to infect organizations with ransomware. The importance of establishing a cybersecurity ecosystem has been acknowledged by all sectors. The Covid-19 pandemic has demonstrated the different dimensions that phishing attacks can take against societies. Risks can stem from insecure networks, insecure mobile devices, or virtual meetings. Therefore, it is essential to improve not just security from a technical perspective but also the resilience of employees, by identifying key cybersecurity behaviours and establishing a cybersecurity culture.
The human risk factor in cybersecurity has been overlooked in the past. Tackling human cyber-risk at scale in organizations, and managing people's behaviour in the ever-evolving cyber threat landscape, is challenging. Many efforts towards this cause have proved ineffective because they are based purely on providing information to employees or on providing them with technical solutions, which often are not relevant to them or to the risks they face. A more personalized approach is needed, grounded in behavioural science and in understanding why employees do not follow security-related advice. For that, organizations need to include the human factor in their cybersecurity strategy, recognizing security culture as an essential factor in implementing behavioural change.
This presentation aims to identify the current needs in industry around the identification, quantification, and remediation of the human risk factor in cybersecurity. This research question is explored by investigating the current demand for effective cybersecurity awareness training programmes and for tools to measure employee resilience. In addition, the current demand for a persona-centred security awareness approach and assessment is explored.