
The (Cyber)Education Of Man

By Simeon Quarrie, March 26, 2021 (Updated: February 9, 2023), 5 Mins Read

We have all seen the Evolution of Man image, where the ape develops slowly from a hunched figure on all fours to an upright, conscious human being. Recently, I was sitting down with my children for a bit of home schooling and discussing evolution, and I began thinking about what the image means.

As the ape develops, it becomes more upright, more intelligent and more aware. As I sat and thought about the stance of the ape and what it means, I started to draw parallels with my own industry – cybersecurity – from the image.

Cybercrime and cybersecurity have both evolved hugely over the years, to the point where they are both multi-billion dollar sectors. However, my particular area of cybersecurity – security awareness – hasn’t seen the same scope of evolution, and while the tech and process sides of security have certainly developed, the people side of security has been left behind the evolutionary curve. We must push to accelerate the development of people-based security, using new technologies and ways of thinking to drive engagement and create a more aware, secure environment, if we are to truly fight back against cybercriminals.

The evolution of cybercrime

The scale of the problem is highlighted by ICO figures, which show human error to be responsible for around 90% of security incidents. This number has risen consistently over the last few years.

This is because cybercriminals have evolved. They know that attacking tech has become more and more difficult as the cybersecurity industry has developed some great tools to secure its machines. So, criminals have started to target people instead, with attack methodologies like social engineering and spear phishing increasingly popular.

Not only have their attacks evolved and re-targeted, but the cybercrime industry has also evolved massively, as has the perception of cybercriminals. No longer is a cybercriminal a lone “hacker in a hoodie” slumped over a bank of monitors, as it was once stereotyped to be. Since 2015, cybercrime has doubled its global earnings, from an estimated $3 trillion per year to over $6 trillion. Cybercrime is now an international business, with enterprises, business models and serious takings – business is booming.

Like the ape in the Evolution of Man image, the cybercrime industry has evolved into an organised criminal network – upright, conscious, aware – and is a long way from the slumped, unorganised being it once was.

How we have responded

In some ways the cybersecurity industry has responded in kind. Some amazing tools have been developed that have really countered the criminals. Companies have spent billions successfully enhancing their tech and processes to protect their organisation, but protecting people has fallen by the wayside, leaving them vulnerable to attack. Training tools, such as computer-based security awareness, are used to try to address this problem, but the methods used seem to have been stuck in a time vacuum and haven’t evolved over the last decade or so.

Security awareness still uses low-tech methodology, with click-through exercises widely used to give scores so that a company can measure its improvement and please its auditors. But this doesn’t make their business more secure, as the knowledge passed down by these methods is rarely retained by staff.

We have all been there – another training exercise taking up time in our day, or another webinar we have to attend because our passwords aren’t strong enough. We have all clicked through training exercises or glazed over as the poor member of the security team delivers another presentation.

Sympathy has to go to CISOs, who have spent their own time giving talks and their department’s budget on the latest training tools, only to see security incidents caused by people still occurring. Why does this happen? Because staff aren’t engaged with security or interested in learning about it. Like the ape in the image, they switch off as soon as they start to hear or start trying to learn about security, slumped over at their desks, left unengaged.

And I can’t blame them – this dated method of learning makes me yawn just thinking about it and it is no wonder this sector of the industry is standing still.

Evolution through engagement

I have always been a storyteller and have seen the power that injecting elements of gamification and story into learning can have across multiple industries. It makes sense – we remember films or TV, songs or music because they either tell stories or have a story attached to them. Stories have a scientific structure that makes them memorable and often a protagonist that the viewer roots for, and we should be applying this same science to learning in cybersecurity.

When you tie story to interactivity, where the decisions drive the story along, people really sit down and pay attention to it. They become the protagonist and see the actions and their consequences, making the experience much more memorable.

Technology is a great enabler of this. Through immersive storytelling, we can put people directly into scenarios that help them learn – whether that be going on a date with a cybercriminal that is trying to glean information from you for a targeted spear phishing attack or infiltrating the Dark Web as an agent trying to learn more about a cybercriminal’s methods of attack.

This is a far cry from the kind of cybersecurity training regularly deployed at the moment, but for too long the industry has not done enough to address people, offering dry training that isn’t engaging or memorable as the solution. This means that retention levels are extremely low, and people have become the primary target for the advanced cybercriminals we now face.

Instead of putting their staff through another iteration of computer-based click-through training, CISOs should use storytelling and gamification to make training memorable, so that it sticks. Failing to do so will result in more and more security incidents caused by people, and the industry will never truly evolve.

Simeon Quarrie

Using story & technology to drive change | International Listener | Change-maker
