In this guest post, Dr Vasileios Karagiannopoulos and Dr Annie Kirby, of the Centre for Cybercrime and Economic Crime at the University of Portsmouth discuss their work at the Cybercrime Awareness Clinic and how it has helped them develop a novel approach to education that mitigates the human factor in cyber breaches.
The Cybercrime Awareness Clinic is a research and innovation hub that supports individuals and organizations to build resilience to cybercrime. It was launched in early 2017 with the support and funding received from Hampshire Constabulary. Initially, the project focused on Portsmouth and the surrounding areas, conducting research and public engagement sessions with multiple stakeholders to support young people in schools and colleges, small businesses and older adults. Since then, the Clinic has become a hub for related cybercrime awareness activity and research, having worked on multiple projects funded by the national and international bodies, including the EU Commission and the National Cyber Security Centre.
The underlying philosophy behind the Clinic has always been one of grassroots multi-stakeholder collaboration, with the Clinic acting as a super node connecting the dots in a network of stakeholders that need to speak and collaborate with each other. For the Clinic, working from the ground up and empowering those on the receiving end of cyber awareness support is crucial. It enables those in need of assistance to feel more connected to the advice and support provided and offers them a sense of real involvement in the process; a sense of ownership. The combination of research and public engagement has allowed us to overcome communication barriers and understand the challenges that cyber awareness education is facing by actually speaking to the people and organizations from the bottom all the way to the top. Unless we work with the actual users and prospective victims and try to understand their needs and help them realise their vulnerabilities, we can never really get advice, support and useful tools to reach the majority of the user population. And then, we will keep hearing the usual quote that “users are the biggest problem in cybersecurity”.
The Cybercrime Challenges Organisations are Facing
According to research conducted by the Department for Digital Culture, Media & Sport, 39% of UK businesses experienced cyber attacks between 2021 and 2022. 1 in 5 organisations reported a negative outcome as a direct consequence of a cyber attack, with the most common threat vector being phishing attempts (83%). The average cost to businesses of cyber attacks was £4,200, rising to £19,400 for medium and large businesses. Deloitte’s 2023 Global Future of Cyber Survey found that 91% of organizations across the globe reported at least one cyber incident or breach, compared to 88% in 2021, with 56% reporting moderate or large consequences relating to a cyber incident, the most common negative consequences being operational disruption, loss of revenue, loss of customer trust/negative brand impact and reputational loss.
The National Cyber Security Centre (NCSC) provides ‘10 Steps to Cyber Security’ guidance for organizations, with the DCMS research finding that almost 50% of businesses and 40% of charities had taken action on at least 5 of the recommended steps. One of these steps is the engagement and training of staff, which is the topic we’re going to focus on for the remainder of this blog. Why is cybercrime awareness education for staff so important? Research consistently indicates that the human element is a contributing factor in a significant percentage of cyber events and/or breaches (95%: IBM, 2014; 74%: Verizon, 2023). Furthermore, 62% of employees admit to having made ‘email errors’ that could compromise cybersecurity (Zivver, 2022).
Educating employees not only about good cybersecurity practices but also encouraging them to recognize and reflect on their individual potential vulnerabilities to cyber attacks, is an essential part of organizational cybersecurity strategy.
Rethinking Cybersecurity Awareness
As a society, we seem to have made huge steps in the development of initiatives for cyber awareness, from charities all the way to law enforcement and government agencies. There is a wealth of advice out there for everyone, but we perform poorly at incentivising users to look for it and adopt it, and in finding ways of tailoring that advice to those needing it. Cybersecurity is too often perceived as a specialized responsibility that only ‘techies’ and big businesses can and need to care about. Cybersecurity language is often jargonistic, exacerbating these feelings and cyber awareness training initiatives are often mechanistic tick-box exercises that are rarely updated and infrequently repeated, even though we know that cybercriminals advance their tactics and techniques on a daily basis.
We need to rethink how we do cybersecurity awareness and find the balance between communicating the risks of breaches and the inevitability of a potential breach without solely resorting to scaremongering tactics that terrorize and alienate. We ought to look instead at promoting how cybersecurity hygiene can be positive and developmental for businesses and organizations, building business trust and enabling a stronger economic growth perspective. Alongside this, we need to work on finding a language for cyber awareness that is easier to digest and does not feel too technical.
A constant request in cyber awareness trainings from participants is that one-page silver bullet document with all the necessary advice that we can print and stick on a wall and forget about. But we need to realize that the way forward is not just about finding that ‘holy grail’ of documents with all necessary advice that everyone can understand and follow; mainly because such a thing does not seem to exist. Unfortunately, cybersecurity is not a “one size fits all” practice.
The starting point must be a conceptual shift that leads us to view cyber awareness as a useful everyday aspect of our lives, in the same way that we lock our home doors when we leave or we double-check for traffic and cyclists when we cross a street. Even more importantly, we have to remember that every employee is also an individual, private user. Separating the two and thinking that a user who is negligent with their personal cybersecurity can be a very cyber-conscious employee because of our one-hour online training two years ago is one of our biggest delusions; and, sadly it is one we see organizations succumb to very often, even at a high level.
How can we improve cyber awareness in the business sector?
We first need to realise that mechanistic, top-down advice cannot penetrate and users need to be involved in the co-creation of supporting processes and tools in order to feel a sense of ownership and have better understanding of the rationales and practices behind making cybersecurity an integral part of everyday business processes. More importantly, this process needs to be inclusive and interactive rather than passive; It needs to become part of the culture of an organization, a part of team building exercises maybe, rather than a tick-box compliance exercise.
Through our work with the Clinic we have taken this a step further. Cybercrime awareness education often begins and ends with educating users solely about risks and threats, but we argue this should only be the starting point. The approach developed by the clinic is more sustainable and holistic, combining risk and threat-based training with the identification and development of skills that reinforce our critical thinking, emotional awareness and resilience, with the further addition of ongoing self-reflective, personal vulnerability scanning. These intrinsic underlying skills will tackle a core element that underpins the majority of cyberattacks – their reliance on persuasion techniques to trick, induce or force users into doing something they shouldn’t or not doing something they should. This needs to be a self-conscious, reflective process of personal and organizational fortification to persuasion-based cyberattacks, where we all accept and work with the fact that our resilience and vulnerability levels are in constant flux, not just because we have or have not completed a training, but due to internal and external factors that affect our emotional state and our thought processes. We have termed this holistic approach ‘Reflective Fortification’.
Conclusion
Our experience has shown that those needing cyber awareness the most are usually the hardest to reach or incentivize, so we should always strive to find more inclusive strategies. Secondly, cyber awareness evolves constantly and develops organically in different settings. No one knows what works without experimentation and being prepared to invest the time to experiment and adapt to specific needs and desires is crucial. That is why typical exercises often fail, as they tend to be generic and boringly passive. In order to be constantly adaptive and interactive, there need to be champions in an organization on all levels, with cyber awareness as a core part of their mission, constantly feeding an inclusive organizational culture of awareness and resilience. Only by changing culture on multiple layers, can we expect a holistic shift in focus. Scaremongering and blaming rationales are obsolete and we need a more empowering, team-based and positive approaches with collaborative and constantly interactive multistakeholder structures. These rationales are crucial in order to reinforce technical security measures and tools, such as those offered by Zivver, for example, to further empower users to make better choices and avoid data losses through miscalculated judgements.
Dr Vasileios Karagiannopoulos is an Associate Professor in Cybercrime and Cybersecurity in the School of Criminology and Criminal Justice at the University of Portsmouth. He is a Co-Director of the Centre for Cybercrime and Economic Crime and the Director of the Cybercrime Awareness Clinic.
Dr Annie Kirby is a Research Fellow in the Cybercrime Awareness Clinic and the Centre for Cybercrime and Economic Crime.