Common pitfalls when mitigating cyber risk: Addressing socio-behavioural factors
Abstract
Although humans constitute a pivotal dimension of the cyber security attack surface, prevailing approaches are often ineffective at addressing human risk. From the vantage point of three key socio-behavioural perspectives, a critical analysis of contemporary cyberattacks and cyber security practices offers insights and a range of opportunities to manage the human factor in cyber security. First, the role of metaphors in shaping cyber security discourse, particularly militaristic analogies, is analysed, supported by research advocating for careful metaphor selection to enhance comprehension, foster shared responsibility and reduce counterproductive assumptions. Secondly, the paper explores the significance of psychological safety within organisational cultures. It discusses the concept of a ‘just culture’ and the impact of cultivating an environment that encourages risk reporting. The discussion expands to highlight the interconnectedness of security culture with broader organisational values, emphasising the critical role of leadership in shaping resilient cyber security postures. Finally, an examination of blame-centric practices and associated consequences provides an insight into less visible forms of victim blaming, such as phishing tests and traditional training-centric strategies. It offers a psychological perspective on the distinction between blame and accountability and highlights the need for a shift away from a compliance-based focus towards a positivist approach. In presenting insights from these three key perspectives, this paper offers opportunities to innovatively manage socio-behavioural risk in cyber security, critiquing prevailing approaches that fail to do so. By linking metaphors, psychological safety and blame-centric practices, it contributes to a comprehensive understanding of the human dimension in cyber security and provides a foundation for advancing effective risk management strategies.
The full article is available to subscribers to the journal.
Authors' Biographies
Öykü Işik is Professor of Digital Strategy and Cybersecurity at IMD. She studies digital resilience and the ways in which disruptive technologies challenge our society and organisations. A computer scientist by training, her recent work focuses on cyber security strategy, artificial intelligence (AI) risk and responsible AI governance for executives. Öykü serves on the World Economic Forum’s Global Future Council of Cybersecurity. At IMD she is the programme director for Cybersecurity Risk and Strategy and programme co-director for Generative AI for Business Sprint open enrolment programmes. She was named on the Thinkers50 Radar 2022 list of up-and-coming global thought leaders, and a Digital Shaper of Switzerland in 2021 and 2023.
Yanya Viskovich advises C-Suites and Boards on human security risk and cyber crisis management. She is a former cybercrime prosecutor, has trained law enforcement agencies, advised privacy regulators and served in global strategic and legal roles for multinational corporations and international organisations, including the United Nations (UN). Her expertise includes crisis management, strategising and implementing national crisis contingency plans, facilitating cyber crisis simulations and advising on cyber security risks, the human factor in cyber, legal data protection and digital ethics. Yanya is Chair of Cyber Law & Governance at the Swiss Cyber Institute, serves as an expert ethics adviser to the European Commission (EC), is a regular guest lecturer at universities in Switzerland and Europe and is a TEDx and keynote speaker. The views expressed in this article are her own and do not necessarily represent those of her employer, Accenture, or any other organisation.
Si Pavitt draws on two main pillars of expertise in his role as the head of Cyber Behaviours and Culture for Recyber: forensic psychology and professional social engineering. Si has significant experience as the former head of Cyber Awareness, Behaviours and Culture and Lead Behavioural Scientist for Vulnerability Investigations for the UK Ministry of Defence and continues to serve as an officer in the Royal Signals Regiment in a specialist advisory capacity. Si is also an active academic researcher and lecturer in the field of behavioural change through narrative engagement and gamification, with research presented at the British Psychological Society DefSec conference, Defence Psychology Symposium and Black Hat USA.