What are Human Risks in Cyber Security Management?
Rational Choices vs. Emotional Undertones: Navigating Human Decision Making
To make models work, economists have needed to assume that human behavior is both rational and predictable. That theory still underpins much of how we view errors, slips, mistakes and choices in the workplace when it comes to cyber safety. But is it the only way to view human behavior when it comes to cyber risk?
Human cyber risk can be defined as the losses a business suffers as a result of the everyday decisions, and non-decisions, of its employees.
Human risk management in information security aims at identifying employee human risk and intervening before a breach or event. Human-centric cyber risk management can help an organization identify potential scenarios and determine how they can be managed.
A Comprehensive Human Risk Management Approach Needs Deeper Metrics
As the cybersecurity landscape for businesses evolves, managing human behavior is a key challenge. Being able to understand and manage the risks posed by employees and their behaviors requires a holistic, integrated view across knowledge and cognitive areas, behavioral science, psychology, and organizational culture.
One key area to investigate is choice architecture and decision psychology, what influences employees, and how we as organizations can measure these aspects to deliver more impactful cyber awareness programs.
Introduction to the Complexity of Decision-Making in Cybersecurity
In the realm of cybersecurity, unraveling the motivations behind a user's decision—be it clicking on a suspicious link, bypassing security protocols, or any malicious intent—is far from straightforward. It requires us to dig deeper than surface-level actions to understand the underlying systems and structures. Systems thinking provides us with a strategic perspective to see how individual decisions are influenced by larger networks, environments, and interdependencies.
This complexity can be understood through the Cynefin framework, a decision-making tool that aids in identifying how we perceive situations and how we respond in kind.
There are countless reasons, both rational and irrational, that drive individuals to make the decisions they do in the cyber realm.
Emotions, cognitive biases, cultural values, or even the mere circumstances and nature of the moment play pivotal roles.
Rational Choice vs. Emotional & Cultural Values in decision-making
Rational Choice Theory suggests that people choose actions based on the anticipated pros and cons of each option.
According to Emotional Choice Theory, the interaction between people's norms, emotions, and identities has a significant impact on individual-level decision-making.
Both can be true. Our decisions are frequently driven by emotional states, cultural values, and inherent cognitive biases. For instance, a user might ignore a security protocol not because of a calculated risk, but due to stress, a cultural norm, or a deep-seated bias against perceived barriers.
By juxtaposing these theories, we understand that while some decisions in the cybersecurity realm may appear calculated and deliberate, others are influenced by factors that are deeply emotional and culturally ingrained.
The Role of Cognitive Bias and Habit
It's important not to underestimate the power of habit and cognitive biases in influencing decisions.
Habits, formed over time through repetition, can lead to automated responses, even when faced with new threats or risks.
On the other hand, cognitive biases—like the confirmation bias where individuals favor information that confirms their existing beliefs—can blindside even the most cyber-aware individuals, leading them to overlook glaring security risks or threats.
Putting it Together
Recognizing these inherent human tendencies and juxtaposing them with rational and emotional decision-making provides a more comprehensive view of the challenges we face in fostering a secure organization.
Rational Choice Theory: Calculated Decisions
What it says:
This theory posits that humans make decisions based on rational evaluations of risk. They weigh the potential benefits against the potential costs, always aiming to protect and maximize personal gain.
In the cybersecurity realm: An employee might think, "If I use this weak password, it'll be easier for me to remember. The chance of getting hacked is low, so the benefit outweighs the cost."
Emotion-Centric Theories: The Heart's Role in Decision Making
What they say:
These theories propose that human business decisions are significantly influenced by emotions, cultural values, and biases rather than just cold, hard logic.
Emotional State: How one feels at the moment can heavily influence their choices. Fear, joy, sadness, or excitement can all sway our decisions in different directions.
Cultural Values: The culture we're raised in can shape our beliefs, values, and subsequently, our decisions. Certain behaviors may be deemed acceptable or risky based on cultural norms.
Cognitive Biases: Our brains are wired with certain shortcuts, or biases, that can skew our judgment. For example, confirmation bias can lead us to only see the information that aligns with our pre-existing beliefs.
In the cybersecurity realm: An employee might think, "I've always shared my passwords with my teammates in the past. It feels right, and everyone does it. Plus, it makes work smoother."
Comparing the Two: Rationality Meets Emotion
Foundation: Rational theory is grounded in logic and calculated evaluations, while emotion-centric theories give weight to feelings, biases, and cultural norms.
Flexibility: Rational Choice Theory tends to be more consistent, predicting that given the same set of information, individuals will make similar choices. Emotion-centric theories, however, allow for more variability based on personal biases and backgrounds.
Applicability: In some scenarios, individuals may lean more towards rational thinking (like financial decisions). In others, emotions and biases might play a larger role (like helping a friend despite the logical risks).
The Holistic Conclusion: Merging Minds & Hearts
While both theories provide valuable insights into human decision-making and human risk management itself, it's evident that no single theory (or even a combination) can comprehensively explain why people do what they do or why they make mistakes.
Especially in cybersecurity, where human error can be so consequential, it's essential to approach breaches or incidents with empathy.
Understanding that people operate within a complex web of rational thoughts, emotions, biases, and cultural values can guide organizations toward building a more effective and compassionate security culture.
Applying the Dual Lens to Your Company's Cybersecurity Awareness and Cyber Culture Program
Here's how this dual approach process can enhance and manage your company's cybersecurity awareness and information security program:
Incident Analysis: Instead of solely focusing on what went wrong technically during a breach, delve deeper. Did an employee fall for a phishing scam due to the rational conclusion that it looked legitimate, or was it an emotional reaction from urgency or fear?
Training Modules: Incorporate scenarios in cybersecurity training that address the interaction of both logical decision-making processes and emotional triggers. This comprehensive approach ensures employees are equipped to handle threats from all angles.
Policy Review: When reviewing or drafting security and human risk management policies, consider not just the logical steps for safety but also potential emotional or cultural risks or roadblocks that might deter adherence. Tailor policies to address these concerns.
Feedback Mechanisms: Encourage employees to share feedback on security processes and protocols. This process will allow you to understand their rational reservations and emotional concerns, ensuring policies and practices resonate with your team.
Awareness Campaigns: When creating campaigns, utilize stories or narratives that tap into and support both logical reasoning and emotional engagement. A compelling story can be a potent tool to drive home the critical importance of cybersecurity.
Cultural Assessment: Recognize and understand the cultural norms and values within your organization. Are there habits or practices, rooted in cultural traditions, that might pose a cybersecurity risk? Address these sensitively.
Behavioral Analysis: Invest in tools and platforms that analyze user behavior. These insights and trends, viewed through both rational and emotional lenses, can help businesses tailor interventions, rewards, and penalties that resonate with users.
By using this dual lens to view your company or organization's human-centric cybersecurity and security posture now, you'll ensure a more robust, adaptable, and holistic approach that takes into account the full spectrum of human behavior and decision-making. This, in turn, leads to more resilient systems and a culture of genuine cybersecurity awareness.
Metrics: Measuring Human Risk Through Multiple Lenses
Metrics play a pivotal role in gauging the effectiveness of a cybersecurity program. Traditional metrics, such as incident counts and response times, offer a quantitative snapshot.
However, to truly grasp the intricacies of human decision-making, qualitative metrics, like employee feedback on security training or cultural assessments, should be incorporated.
A balanced approach, combining both quantitative and qualitative data, provides a richer, multi-dimensional view of your business's cybersecurity landscape.
Thinking Differently: Limitations of Current Programs
Current cybersecurity programs, often streamlined for efficiency, tend to stop at training completion rates and phishing click rates. While these provide some insight, they barely scratch the surface of the emotional, cultural, and cognitive biases that influence human actions.
Achieving a deeper understanding requires a transformative shift: retooling programs and platforms to probe these areas with thoroughness and rigor. Organizations continue to struggle with gaps in the delivery mechanisms and analysis capabilities of security tools that focus on behavior and on more granular assessment of human factors. This restricts their security teams and leaders from accurately assessing their human cyber risk and vulnerabilities.
Using Empathy and Building a Holistic Security Culture
At the heart of effective cybersecurity lies empathy—a genuine understanding and consideration of the myriad reasons why individuals act the way they do.
Whether it's a decision stemming from cold, hard logic or one influenced by deep-seated emotions or cultural norms, recognizing and valuing these distinctions is crucial.
By fostering an environment of empathy and support, we pave the way for a holistic security posture and culture where individuals feel seen, understood, and, consequently, more committed to upholding cybersecurity policies and directives.
This not only fortifies your defenses but also enriches the organizational ethos, making it resilient in the face of ever-evolving cyber threats. If employees are our greatest strength, then human risk management, and the way we quantify both cyber threats and employee risk, should evolve to work with the best parts of natural human behavior rather than against them.
Shine a light on your organization's human cyber risk through Cybermaniac's unique approaches to awareness, cyberculture, and engagement. We help build cyber resiliency through our services and solutions which focus on accelerating the positive impact of cyber awareness programs and staying ahead of adverse conditions.