SECURING FINANCIAL SERVICES
5th July 2022 • Park Plaza Victoria, London, UK
Solving the behaviour problem
How can we blend technology with behavioural science to build better security?
Psychology plus technology equals real security
Most approaches to cybersecurity focus on threats rather than risk, and they assume that stacking technical solutions against a series of threat classes will deliver enough security to justify the resources devoted to the effort.
Unfortunately, the humans who develop cyber-threats continue to outrun the defenders. One reason is that the humans operating the increasingly digital tools businesses need to survive, whether employees, clients or third parties, can easily be tricked into undermining those technology-driven security solutions. The simplest attack vectors, such as email phishing, remain the most successful.
It is clear that the application of behavioural science to both sides of this equation is fundamental to improving cybersecurity.
Analytics focused on user behaviour can mitigate the impact of attackers' social engineering and cognitive hacking methods: they can identify unusual patterns of user behaviour that indicate an attack at the network, asset and user levels.
In addition, behavioural analysis can be applied more directly to employees, drawing on current research into the psychological traits and individual differences among computer system users that explain their vulnerability to cyber security attacks and crimes. Computer system users possess different cognitive capabilities, which determine their ability to counter information security threats; this opens the way to psychological methods that help users comply with security policies and so increase network and information security.
At a more basic level, companies need to listen to employees when they say security protocols are hard to understand; they need to listen when they are told that security is imposing unacceptable friction on critical workflows; they need to understand that the distractions and difficulties of hybrid working are real and enduring; and they need real education and training programmes, not just a once-a-year video course.
So how can vendors and CISOs work together to build a better model for cybersecurity and empower employees to make better decisions? This is one of the key areas of discussion at Securing Financial Services.