Some company leaders might find it frustrating that in spite of their investments in technological tools, cybersecurity still depends a lot on individual persons. What would you say?
Vincent: I think that is a very common fallacy in the way of thinking about technology. People and technology always go hand in hand. Workplace technology generally exists to serve people, but there is a pathway for users to follow, in order to really adopt the tools and use them correctly – that also implies using them securely. In other words, there is a learning curve.
But part of learning is making mistakes. And when it comes to security, companies don’t have that luxury, though…
Vincent: Yes, that is what makes learning cyber-secure behavior so tricky. You want learning experiences to be as real as possible without any of the real dangers.
Why is it not enough for an organization to organize a cybersecurity awareness training once every few months, in which you explicitly inform them of the dangers?
Vincent: Formal awareness training and especially repetition do have their utility. However, it is not very proactive. People are potentially exposed to cybersecurity risks on a daily basis. Formal trainings do not take into account that work reality, let alone the work reality of every single individual that follows the training. So why would they really care?
The solution you need to aim for is one that engages employees repeatedly and that allows them to absorb knowledge in the flow of their typical workday.
You said repetition is useful, but isn’t that also what bores people? You cannot expect mainstream employees to absorb information about security every day, can you?
Vincent: It is good that you drill down on that point. Notice I said “allow them to absorb knowledge in the flow of their typical workday”. It is the principle of ‘just-in-time’ training. Remember how we established that making mistakes is part of learning? For security learning, you need to find a way to let people make mistakes in a safe-but-real context. And when they do, that is when you provide them with the right pieces of information. It is important that you keep the pieces of information small, so they absorb them well and so you do not really interrupt their workflow. Being mindful about security risks has to become part of their job in some sense, without costing them any considerable time or energy.