The risk of hacking is higher than ever before as more people work from home. Cyber security training expert and behavioural science specialist, Mark Brown, believes our sloppy online behaviour leaves the door open to hackers.
We all know that cybercrime is on the increase, but an astonishing nine out of ten cyber security breaches are caused by end users according to the Information Commissioner’s Office (ICO). There’s plenty of cyber security training out there but most of it misses the key ingredient - behaviour change.
Mark Brown is a cyber security training expert and behavioural science specialist. He founded Psybersafe, a new cyber security training company launching in the UK this month, to help businesses get their cyber security act together as the lines between the office and home continue to blur.
Psybersafe’s unique approach to cyber security training encourages individuals to take a hands-on, fresh look at the way we act online and uses a variety of behavioural science techniques to “nudge” us into taking better, safer actions. The training focuses on individual behaviour change, and the short, easy, practical sessions cover common issues that allow hackers to easily access business systems, including phishing emails, password security, the dangers of using free Wi-Fi connections and the importance of changing router passwords.
The training has been rolled out in the banking sector in Belgium and Europe and has proved successful in bringing about a clear change in end users’ behaviour, prompting the groups who went through the training to take action and improve IT security.
“The way we act and behave online is the first line of defence for any cyber security system – and too many of us have bad online habits we don’t even know about,” Mark says.
With more of us than ever before working from home, we are missing all those little psychological ‘nudges’ in the office environment to remind us to be cyber safe - for example the notice saying ‘lock your machine if you leave your desk’.
Now, more than ever, the onus of responsibility for IT security must shift from the IT department to individuals to keep themselves and their employer safe from hackers.
“Employers spend a lot of money on making their systems more secure but hardly any money on training their employees in understanding how to be safe online,” he explains. “We know that behaviour change theory has been proven to work successfully in bringing about change in areas like smoking cessation or healthy eating, so we thought why not adopt the same psychology for IT security?”
In a research survey of 2000 people using the Psybersafe training programme, the majority of individuals took action after completing their online training sessions:
- After only three short, minutes-long episodes of training, 78% had strengthened their password.
- 40% of users stated: ‘in follow-up to a Psybersafe episode, I changed the security / privacy settings of my social media.’
- 42% of people said: ‘in follow-up to a Psybersafe episode I changed the password of accounts that were shown to be breached or I deleted the accounts completely.’
- And, 95% of people said they remembered these episodes 5 months later.
“The most common entry points for hackers are phishing scams, malware, ransomware, hardware and software misconfiguration and weak passwords caused by individuals,” he says. “We all now need to understand the danger that our sloppy IT security behaviour can bring and take action to change those behaviours.”
Psybersafe’s user research has shown that training people to take personal responsibility for keeping themselves safe can bring about a permanent change in IT habits, keep businesses and staff safe from cyber attacks and ensure that we don’t open a back-door entry to criminals.