Social psychologist, cyber security and compliance: what does that mean?
In my role as a social psychologist, I focus on the psychology of cyber security. The conversation in the field of cyber security mostly revolves around the technical parts, but people and their behaviour are often a starting point for hackers to gain access. I focus on how to make people resilient against cyber threats and attacks. Psychology is the science of behaviour, so my expertise helps to build the bridge between cyber security awareness (knowing what you should do) and actual cyber secure behaviour.
What kind of projects are you involved in?
The main part of my work involves behavioural change projects on information security. I help organisations make sure that their employees behave safely with regard to information security. How this is done varies per customer. Because our program is based on psychology, we pay careful attention to the barrier analysis: what is currently keeping employees from the desired behaviour? Based on these identified barriers, tailored interventions are defined. Sometimes, this intervention consists of instructing people by means of training. But more frequently, people do know what is expected from them, but different reasons are keeping them from acting accordingly. For example, when people are not motivated, just providing more instructions will not change their behaviour. Instead, in these cases we change people’s motivation, for example by introducing a competitive element, ambassadorship or by showing the consequences of unsafe behaviour by means of a simulated attack. My job is to analyse the barriers and to define the best possible intervention to change people’s behaviour.
Why did you pursue this career?
Being interested in people is something that is in my genes. After getting a PhD in social psychology I started working for TNO in the field of Defence and Security. I have always been interested in exploring the human side of security.
What is especially unique about cyber security is that the combination with psychology is very new. Previously, the task of getting employees to understand cybersecurity measures and behave accordingly was considered a CISO’s responsibility. However, people, and their behaviour, are complex and an area of expertise on their own! At Secura we are one of the first to combine the expertise of cybersecurity with that of psychology. I really enjoy applying my scientific knowledge by making behavioural change programs that really make a difference for organisations.
Can you name a milestone in your career?
Getting my PhD was a big milestone for me personally. More specifically, in my job: the first time I implemented a program for a customer and proved that psychological interventions beyond just ‘sending’ knowledge really change behaviour. I also had the honour to be on stage at the ONE Conference a couple of times; the recognition of psychology on such a big cyber platform is a true milestone.
How will your industry or job change over the next few years?
The market is already shifting and starting to understand the importance of psychology in cybersecurity. Combining it effectively is still a challenge for most organisations.
Ten years ago, phishing emails and other kinds of cyber threats were simpler and easier to recognise. Training people on this was effective enough. Nowadays attacks have become sophisticated, warranting a different response. That goes beyond the solution of just offering training or e-learning to increase awareness. Awareness programs are still built on the assumption that if everyone knows what they should do, they will behave accordingly. What we have seen is that having knowledge does not necessarily impact behaviour anymore.
Nobody asks a psychologist to build a firewall, but IT personnel are often expected to adequately mitigate the security risks caused by human behaviour.
Understanding people and addressing them in the right way requires the input of people specialists: psychologists. A program that offers behavioural change has a lasting effect. That starts with understanding the expected behaviour, analysing which barriers are preventing the expected behaviour and determining which intervention can take this barrier away.
In short, my profession is becoming more important, but not as a standalone specialism. Getting people to behave more securely is also not the job of psychologists only. The combination of all relevant areas of expertise is what makes an organisation cyber resilient. For example: in case people don’t use strong passwords within an organisation, this can be caused by a lack of understanding of how to create strong passwords, or by the fact that people are technically not forced to use a strong password, or by a combination of both. In most cases it is the combination. The best solution is then also a combination: of psychology and IT.
Do you have any tips for up-and-coming talent?
It is always a challenge to give broad advice because there are so many paths to take. This sounds cliché, but do what interests you. For me it was the security domain and how people’s behaviour works, and I have managed to combine the two. So, do what you love and love what you do! Specialising your skills in a specific domain like security makes your job even more valuable.