Year after year, statistics show that 60 to 70% of cyber incidents stem from low-tech human errors, also known as the Human Factor. It is a well-known phenomenon, often seen as an insurmountable training challenge.
But is the Human Factor really the problem?
It certainly is a major cause of cybersecurity incidents. However, it is actually a result, not the real problem.
See the reverse progression of consequences that makes individuals a hacker's "path of least resistance" into an organization:
Recognizing the root cause of the problem is essential to finding an effective solution.
Looking at the Human Factor as the root cause of the problem (ongoing cybersecurity incidents, even when the best technology is deployed) declares the problem nearly impossible to solve.
If, however, we look at the Human Factor as a result, then we can once again seek out the root cause.
For that let's look at why the Human Factor is seen as an unbeatable challenge:
For a complete cyber defense, everyone within the system must be fully engaged in Information Assurance. Otherwise, individuals become the weak links in the chain, and the majority of attacks are directed towards them.
The solution seems obvious: train them to recognize the threats and vulnerabilities, and their role in the defense. Yet statistics show that such efforts have very little effect. Training alone doesn't change behavior.
The root cause of the Human Factor is in fact people's attachment to their way of life before cyber threats became commonplace. As of 2014, almost all of the workforce (assuming they are at least 18 years of age) grew up never having to be careful about cyber threats. Today, our old assumptions about what it means to be safe do not apply to the hyper-connected, high-tech new world. Yet most of us still behave as if we live on a farm in the Wild West! Information assurance best practices are received as an inconvenience at best.
The root cause of such behavior is failing to realize the magnitude of the threat.
It's simple: if one truly understands the extent of the personal repercussions one can suffer, one is likely to choose to avoid them.
Even though awareness training is deployed over and over again, why is it that most users do not connect with it? The answer is hidden in plain sight: there is widespread resistance to any type of compliance training. Ask anyone; they will gladly tell you how much they despise going through their so-called awareness training every six months. We don't learn what we resist.
The root cause of such a negative reaction to existing training is the method of training, which is in conflict with Natural Learning principles. It is a bunch of slides full of dos and don'ts, not something people look forward to.
Convincing the individual that cyber security is essential
At the most fundamental level, we truly embrace something if it is a matter of survival, or of the enrichment, of the self. The deepest learning happens when such emotions are at play and there are multi-sensory correlations, critical-thinking challenges, repetition, and a sense of accomplishment. Our training programs are carefully designed to leverage as many of these Natural Learning principles as possible, making them highly effective.
See the details of our methodology here.