The human factor is rightly seen as a key aspect of managing cybersecurity in organisations, because many attacks take advantage of human behaviour. Awareness is often regarded as the key to managing the human factor: if we provide people with knowledge of the importance of cybersecurity and of the actions required of them, the contribution of error or oversight to cybersecurity incidents should be reduced. Psychology shows us, though, that knowledge has only a limited role in guiding behaviour, and in practice the effect of awareness interventions is small or wears off quickly. In this presentation, Wolter Pieters will discuss the limitations of awareness as a cybersecurity intervention and argue that we need to talk about the broader and more practical concept of behaviour change instead. He will discuss theories and practical methods that help organisations take the human factor beyond awareness, including nudging, unlearning bad habits, and gamification. Afterwards, the participants will propose example interventions in small groups.
Knowledge session of Wolter Pieters at Alliander
- 2023 until 2023
- Project type
- Faculty of Social Sciences
As a consequence of Wolter’s seminar, the cyber security department of Alliander changed its course on awareness. Before the seminar, the standard practice was to require people to take training when they clicked on homemade phishing emails. Now they use a reward system for people who recognise a phishing email and report it to the security department. As Wolter showed in his lecture, people learn a lot more from the chance of a reward than from avoiding punishment. This amounts to a serious culture change within the cyber security department, as well as across the whole organisation of Alliander. Changes are still being made in order to prevent cyber problems in the future.