There are three things that will require your focus when establishing security and privacy arrangements within your institution: technology, awareness and organisation. In this blog series, we will take a closer look at awareness: what does awareness involve, what do we need to know about human behaviour, and how should you establish a robust awareness programme? This is the first blog in a series of eight.
The human factor: from the weakest to the strongest link
People play a key role in the cybersecurity of your organisation. The human factor is often portrayed as the weakest link and something you have to work around using technical solutions. Take your password policy, for instance: enforcing certain characters, a minimum number of characters and regularly changing them should lead to greater security. People are not easily able to remember a lot of passwords and they therefore try to make things easy for themselves by reusing passwords for multiple sites and by adding a counter when having to update a password (e.g. password1 becomes password2). Yet this does not mean that people are the weakest link; it rather means that insufficient attention has been paid to the human factor. Because given the right level of attention, they can become a strong link.
Awareness is an ongoing process
Within your organisation, you want people to be aware of the cyber threats and risks that they – and the organisation itself – face, and to act to minimise these threats. Awareness is therefore not simply informing people or telling them what to do, but an ongoing process needing structural attention in line with the perceptions of the people in question. In other words, there is no one-size-fits-all solution. People need to understand the threats, know what they can do to protect themselves and why this is important.
An awareness programme in 7 steps
In order to achieve all this, SURF has developed a roadmap to help you achieve a comprehensive awareness programme. These are the 7 steps we will be covering:
- Why: what is the reason behind the programme?
- Target group: who do you want the programme to reach?
- Target behaviour: what behavioural change do you want to see?
- Behavioural factors: which factors influence behaviour?
- Strategy: how do you intend to change the behaviour?
- Appraisal: how will you know if your actions are effective?
- Implementation: what needs to happen in concrete terms?
We will take a closer look at each of these steps in this blog series. If you don’t want to wait, you can also follow the roadmap on your own (login required).
Other blogs in this series:
- #2: Why an awareness programme?
- #3: Who are your target groups?
- #4: What is the overall aim and desired behaviour?
- #5: Factors affecting behaviour
- #6: What actions and interventions should you use to encourage the desired behaviour?
- #7: Is your programme having the desired effect?
- #8: Implementing the programme
About the authors
This series of blog posts has been created by the GÉANT Cyber Security Month team, in close collaboration with SURF.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022