Collaborative research by the Adelaide Business School (ABS) is encouraging businesses to conduct a major re-think about their approach to cyber security. And it’s having a significant, positive impact on the way businesses are dealing with it: placing employee behaviour first, with software and technology firewalls a distant second.
Today’s cyber attacks are increasingly sophisticated. They can outwit a business’s most effective technological defences, easily luring innocent employees into opening unidentified emails and clicking on links. The problem is that, until recently, information security research focused on computers, software, data communications and policies. While these are important, the human impact was overlooked. Research now shows that failure by businesses to address human behaviour and engage their employees as part of an integrated security strategy leaves them critically vulnerable to cyber attack.
ABS researchers, along with behavioural scientists from the Defence Science and Technology Organisation, formed the Human Aspects of Cyber Security (HACS) research team and created an online survey to enable businesses to measure their workers’ cyber security awareness.
The Human Aspects of Information Security Questionnaire (HAIS-Q) is a simple way for businesses to examine workers’ behaviour and attitudes to cyber security. It is easily accessed by employees via a link and examines a range of different behaviours associated with password management, information handling, suspicious incident reporting, and email, internet, social media and mobile device use. Importantly, it’s helping businesses understand how and why smart, loyal employees are unknowingly violating security protocols.
As Dr. Malcolm Pattinson, ABS Senior Research Fellow, says, “All it takes is for one employee to click on the wrong link or open the wrong attachment in an email and the organisation can have a major cyber security breach.”
The joint research project is making major inroads in helping businesses not only to protect their IP, by avoiding the theft of commercial information and damage to data, but also to reduce significant work downtime and revenue loss.
Dr. Butavicius, a defence scientist in the HACS team, adds, “The HAIS-Q helps identify vulnerabilities in these human aspects that can result in problems such as sensitive and private information getting into the wrong hands.” The good news for businesses is that these issues can be readily addressed through employee education and training, and continuous communication. This is a lot more cost-effective than purchasing the latest hardware and software, and a few key behavioural changes will make a business considerably more secure.
The team’s research has also created an incredibly useful cyber security profile for businesses, outlining specific factors that affect cyber security, including an employee’s age, education level, impulse control, computer familiarity and personality type. The benefit of this profiling is that it will help businesses to identify critical human risks across their business, and enable them to develop appropriate security strategies and policies to mitigate them.
To date, the survey has been used by staff across a range of sectors, including the public service, finance and a university, and by members of the public. Research results are encouraging businesses to elevate the human impact on cyber security to an organisation-wide initiative, and to balance their investment in technology with targeted education and workforce engagement. It’s becoming clear to businesses that when they clearly define desired behaviours, employees will understand what they need to do and why. And, better still, when their senior management practise desired behaviours, information security becomes a way of life in the workplace. As Dr. Pattinson says, “The more managers start to pay attention to these issues, the better that company-wide culture will be.” And that is definitely the business impact that the ABS and the HACS research team are aiming to achieve.