People Are Not the Weakest Link in Cybersecurity

People Are Not the Weakest Link in Cybersecurity (PDF, 3.46MB)
Last updated: 14 Aug, 2025
Presented by:
Inge Wetzer

“Humans are the weakest link in cybersecurity.” This statement is frequently made in the field of security, and taken for granted by many.

What has gained less attention, however, is the (lack of) understanding of people that exists in the field of cybersecurity. Attempts to tackle the human factor have mainly focused on increasing awareness from cybersecurity specialists’ point of view. However, cybersecurity experts have a different motivation and different interests in this specific topic. Therefore, they tend to set up campaigns from their own point of view: sending knowledge to their target audience on what they think is important and, more dangerously, basing it on their own assumptions.

Interestingly, ‘people’ is as much an expertise as is ‘cybersecurity’. Strangely enough, the tendency exists to ask security experts to take care of the people part. Nevertheless, people, and more specifically their behavior, is the expertise of psychologists. As hilarious as we would find the idea of asking a psychologist to build a firewall, so normal do we find the idea of asking an IT specialist to influence people’s behavior.

The fact that the weakest link is not the people, but our understanding of them, is hopeful. It gives us some control back! The solution is to be found in our understanding of the employees.

This presentation focuses on insights from psychology, and how they can be applied in the field of cybersecurity. It highlights the most interesting perspectives from psychology and shows how these can be translated into an effective awareness and behavior program.

SANS Security Awareness Summit 2025