Discussion about this post

Tim Ward

Could not agree more that behavioural science is not being thought about enough in general in the world of cyber security. But companies like Redflags (previously ThinkCyber) have been talking about this since 2017!!!

Even a basic understanding of learning science and behavioural theory will tell you that annual e-learning and phishing sims are NOT the right solutions to this problem. And have no measurable long term impact.

Taking the understanding of bias further, all decisions take place in context. So that is where we have to help people. Delivering interventions in real time, shaping choice architecture and measurably impacting behaviours.

We are seeing change. Forward thinking organisations get this and are seeing incredible measurable reductions in behavioural risk.

Phil Guest

Really interesting read Ross. Got me thinking about how much regional variation shapes the way we tackle human risk. In North America it often feels a bit more compliance-driven, while in Europe there seems to be more of a science-led approach to nudging behaviour and building security awareness.

Curious if others are seeing the same thing - is this down to culture, or just timing and momentum? Either way, the way we design awareness programmes is clearly shifting from tick-box training to genuine behaviour change.
