If you feel powerless to protect your data—and other people’s—against an onslaught of cyberattacks, you’re not alone. In March, Cisco’s 2019 CISO Benchmark Study surveyed 3,259 IT security pros around the world. It found that 30% of them suffered from cyber fatigue, a condition which it describes as “having virtually given up trying to stay ahead of malicious threats and bad actors”. That’s down from 46% last year, but it still isn’t great.
Cyber fatigue kicks in when people get so sick of reading about data breaches in the headlines, so tired of hearing that everything in cybersecurity is broken, and so fed up with stern security admonishments from upper management that they throw up their hands in despair. It’s a problem that likely affects non-security pros too. They stop reading finger-wagging memos from their line managers and tune out the shrill warnings of imminent doom in the newspapers. Having turned their backs on the warnings, they leave their laptops unattended while they visit the coffee shop bathroom because it’s just more convenient.
The problem with cybersecurity conversations has a lot in common with those around climate change. People see the headlines warning that we’re killing the planet and reproach themselves without seeing how they can make any meaningful changes. Or they read that 100 companies are responsible for 71% of emissions and blame them, instead. Either way, they feel disempowered.
Can lessons learned in one sphere help in another? Psychologist and Norwegian Green Party politician Per Espen Stoknes identifies five psychological boundaries that people put up against climate change, along with five strategies to overcome them. They have a lot in common with cybersecurity:
- Distance: People feel that the effects of climate change are years away. They focus on near-term priorities like family or career. Similarly, a data breach isn’t a clear and present danger, but the next deadline is, so employees violate security rules to get the job done.
- Doom: Stories of hopelessness breed hopelessness and inaction. People end up asking themselves: “Why bother?”
- Dissonance: We know what’s right, but doing it isn’t easy or straightforward. So we justify our actions using examples of how others don’t do it right either. “My colleague drives a Hummer/uses her dog’s name as her password. Why shouldn’t I?”
- Denial: Clamping your hands over your ears and denying a problem doesn’t exist is an easy if unsustainable option.
- Identity: The values you hold may not support the necessary actions. A free market libertarian who dislikes government controls will kick back against a carbon tax. Similarly, employees viewing themselves as rebels are unlikely to follow their managers’ cybersecurity rules.
Enough Doom Already
Espen Stoknes suggests five strategies to overcome the climate change obstacles. Could they work to combat cybersecurity fatigue too?
- Social: Use more immediate concerns to influence behaviour. Colleagues toeing the security line carry more influence than warnings about data breaches.
- Support: Stress the positive. Find things that people can do to bolster cybersecurity and make themselves feel good. Frame at least three supportive statements like these for every ominous threat.
- Simplicity: Make security the simpler choice, rather than a cumbersome barrier to getting the job done. This involves a whole conversation around combining security and usability through effective user interface and process design.
- Signal: Make cybersecurity easier to see. Find positive metrics that mean something to employees and reinforce action. How many employees passed the anti-phishing test this month compared to last month? Can you use gamification techniques like leader boards to celebrate performance?
- Story: This is perhaps the toughest strategy to map to cybersecurity. Stories that focus on a positive future are great for climate change conversations (Jane built her own house off the grid and lives blissfully eating stuff she grew in her own garden!). Equivalent cybersecurity stories have to be personal and meaningful. They could highlight how protective measures have empowered people. For example, computer newbies who became tech savvy, or “how a clean desk policy saved my work day—and my data”.
It’s difficult to turn away from tried and tested cybersecurity conversations that seem to have worked in the past, but it’s important that we do. A relentless stream of fear-mongering threats isn’t a conversation, it’s a monologue, and there’s no guarantee that the recipient is listening. A more compassionate, two-way discussion could help us solve a range of problems in cybersecurity and beyond.
Take part in the cybersecurity conversation at SecTor’s Cloud Security Summit, taking place in Toronto on Tuesday October 8. Sponsored by the Cloud Security Alliance, it gives cybersecurity experts a chance to discuss cloud security issues with leading experts in the field.