Mark Brown, founder of Psybersafe, an online cyber training provider, talks about the influence of psychology on the way we learn in business. Businesses collectively spend millions of pounds on training every year. But are we sure we're getting value for money, or that the training is having any useful impact? Sure, you get a certificate at the end, and perhaps a document with some handy tips, but does the behaviour of the learners actually change? Does anything actually change?
The kernel of my business came from a question posed by a colleague: how can we help our clients protect themselves against cybercrime? We were working in an innovation incubator at the time, so we had the space and some funding to look into what 'good' training really looks like. How could we get past the tick-box exercise that corporate training often entails, and get to something that was genuinely useful?
Understanding the importance of psychology in business
With a 25-year background in the financial markets, I became interested in how psychology worked in business, and I took a degree through the Open University. This led to a deep interest in behavioural science and how we can use its models and principles to improve the way we design, deliver and measure training – particularly cyber training in my case.
The premise is simple: We know that people don’t really ‘learn’ in a single training session, or over a webinar or by following a PowerPoint presentation. They access information, and they might find out something that they didn’t know before, but they are very unlikely to do anything differently.
And yet, with something as critical as cybersecurity, it's vital that we can change behaviours. Why? Because industry statistics suggest that around 90% of successful cyberattacks involve human error, and criminals rely on people's complacency. It gets them through the door. So it's not good enough for training to 'tell' people about the dangers of cyberattacks; you have to train them to think, behave and act differently.
Old habits die hard
Using psychology in training is about changing habits. In fact, we draw on some of the same work that underpins hard-hitting government campaigns, such as those against smoking or drink-driving. The fact is that our brains are primed to take the easiest route. It's why people use passwords like 'Password' or PINs like '1234'. They're easy to choose and easy to remember, so why make life more difficult?
In cybersecurity terms, it’s vital for businesses of all sizes to challenge these habits and encourage people to be more secure. Not just with their passwords, but also with checking and identifying suspicious emails and texts, checking links and files before they click on them, and alerting IT departments when they are not sure about something.
That's particularly important now that many more businesses have remote or home workers. We know that people rely on 'prompts', cues that help them to take action. In the case of security, office-based employees are used to security passes, clocking-in systems, reminders to lock laptops and other visible security signals. These make them more likely to be careful with their own IT security.
When working from home, none of these signals are present – and people are working in an environment that’s very familiar and comfortable. So, it’s no surprise that security may be slipping. Without the prompts we are used to, we let our guard slip – and that’s exactly what a cybercriminal is waiting for. In fact, the whole pandemic has been a bit of a gift for phishing and ransomware scammers.
Why SMEs are often cyber targets
Smaller businesses are often less secure than larger organisations, and that is exactly what makes them a target for cybercrime. SMEs should be worried about attacks, particularly ransomware. Criminals know that security in a small company may be easier to get past, and that smaller companies often don't think they are in danger, so everyday behaviour is far less focused on organisational security than it should be. Rather than targeting large companies with strong IT security and tight restrictions on employee access, attackers will go for the smaller businesses where cybersecurity just isn't high enough up the agenda.
So, for these businesses especially, cyber training has to be about more than 'tell'. It has to be about 'do'. Behaviour-based training should take place over an extended period: the individual sessions can be short and sharp, but the programme should run over several months so that learners get into the habit of doing it, repeating it and putting it into practice. Lasting behaviour change requires lasting intervention.
It should also be reinforced and embedded through non-standard training methods. For example, we deliver our training in monthly episodes of less than 10 minutes each. In between episodes, learners get emails that remind them about what they've learned, encourage them to make sure they're putting the learning into practice, and offer hints and tips on how to behave differently. This method helps to embed the learning so that it stays with the learner.
Psychology is powerful and businesses that understand it and use it have a sharper edge. By understanding how people inherently behave, businesses can manage change, improve skills and create a more motivated workforce. Businesses that ignore the lessons that behavioural science can give us are likely to experience poorer cultures, lower productivity and high staff turnover.