Air Traffic CISO draws on Facebook to revamp corporate security culture
Tue 2 Jun 2015
The head of cybersecurity at National Air Traffic Services (NATS) has argued that the air traffic control organisation needs behavioural change around cybersecurity among its employees, and is drawing on behavioural research used at Facebook to drive the initiative.
Andrew Rose was speaking at a roundtable session at InfoSec Europe 2015 in London, consisting of six leading European CISOs. The group agreed that the wave of recent corporate breaches has highlighted the critical task of raising cybersecurity awareness and driving behavioural change across an organisation, from the board and C-suite to the front line.
Discussing enterprise-wide cybersecurity culture, the group of security experts underlined the importance of understanding employee behaviour and tailoring department-specific messages and processes to ensure a strong security posture across all sectors of a business.
“Engineers like process,” said Rose. “They like to follow their intuition and build things that are repeatable – cybersecurity disrupts that heavily as it changes all the time.”
“We find that making the engineering teams ‘secure by default’ is a matter of ensuring that security processes reflect what they are meant to be doing at the right time. A large negotiation has to happen to make sure you are adding value to their process and not hampering or delaying them, or adding an extra complexity that they don’t need.”
Asked how NATS measures the success of its corporate security behaviour and awareness campaigns, Rose added: “Behaviour is very difficult to measure. If someone does the right thing 99 times out of 100, and then one day when they’re under pressure, they look the wrong way or they make the wrong decision, that’s the one incident we measure.”
He said his cybersecurity team is currently drawing on academic research into behavioural approaches for influencing a particular group of people. “We are working with a university professor from Stanford University who also works for Facebook […] He works on how to change people’s behaviour so Facebook becomes part of their daily lives.
“We have taken that model and rolled it into how we consider behaviour around security […] This helps us to understand how we should adjust processes and different aspects of the environment – which of our teams need more education about the consequences of security, or about security awareness for example.”
The panellists suggested that the vendor landscape for awareness and behavioural understanding is sparsely populated in the cybersecurity sphere.
Bruce Hallas, founder of The Analogies Project, highlighted that UK businesses spend approximately £26bn every year to gain behavioural insight and influence customers to buy their products. He queried why this understanding is not widely used to change behaviour and processes related to cybersecurity within the enterprise.
“Over the next few years I expect to see an influx of people into the cybersecurity arena with more knowledge around behavioural economics and choice architecture – things like nudging and social science dynamics.”
“We need to take down this industry firewall and incorporate it into our cybersecurity strategies,” Hallas concluded.