The Swiss Security Awareness Day took place in Bern on October 26, 2023, hosted by Switch, the Swiss NREN. A much anticipated event in the Swiss cybersecurity landscape – and in my diary (!) – it was sponsored by the popular Swiss internet security platform iBarry.ch. The day brought together over 120 participants from R&E and the private sector in the stunning venue of Bern Casino to listen to impressive talks, share experiences and insights and start new collaborations. I was there too.
The internet’s Swiss history
Tom Kleiber, Switch CEO, kicked things off with a journey through time. He delved into the history of the internet in Switzerland and the birth of Switch back in 1987. He shared a truth that we’ve all come to understand: technology alone can’t save us from cyber crime and we can’t control how users behave. So, what’s the solution? Security and security awareness should be woven into the very fabric of our technical infrastructure.
The human factor
Dr. Heiko Roßnagel from the Fraunhofer Institute for Industrial Engineering took the stage to explore the enigma known as the human factor in cybersecurity. He shared an experiment that simulated an engineering environment with security controls and user behaviour policies. The results? At the start, participants had a positive attitude towards policy compliance, but when pressure mounted and frustrations grew, they consciously started breaking the security policies. What’s the key takeaway? We need to make IT security risks tangible and real for users. We have to find ways to align security policies with the users’ interests and make them feel invested in security by creating an environment where they can experience cyber threats and see the impact firsthand.
Knowing is not doing
Inka Karppinen, Lead Behavioural Scientist at CybSafe, shed light on the fascinating world of behavioural science in cybersecurity. Cybersecurity training is a must: 53% of users have access to training, but only 15% actually apply it. So, what does this mean? Knowing is one thing; doing is another. Karppinen highlighted the psychological barriers that hold people back. It’s not just about awareness; it’s about changing behaviour. Cyber criminals are also behavioural science experts and use it to trick us. If we can change behaviours, we change the entire cybersecurity landscape.
Phishing as a science
Daniele Lein from ETH Zurich brought a scientific perspective to the art of phishing. He discussed the challenges of measuring education techniques and understanding how employees experience daily cyber threats. Lein’s study of 15,000 Swiss Post employees involved simulating phishing emails. The objective was to validate known mechanisms, endorse industry practices and measure the effectiveness of these simulations in different areas. Lein also measured click rates and explored how phishing vulnerabilities change over time.
Psychology of human error
Leo Niedermann from Swiss Re focused on the psychology of human error. He opened with a chilling revelation: over 80% of cybersecurity incidents result from human error. His study focusses on understanding the awareness paradox: training employees doesn’t always lead to improved performance. He emphasised that knowledge alone doesn’t change behaviour, and often even the most trained employees fall victim to phishing.
Panel discussion: to click or not to click
The panel discussion, brilliantly chaired by Cornelia Puhze from Switch, delved into one of the most critical aspects of cybersecurity training—phishing simulations. Why do people click on phishing emails? Understanding the psychological factors behind this behaviour is crucial. What are the goals of organisations when they purchase phishing simulation services? How can organisations make their workforce more resilient to phishing attacks? The goal is to improve processes and create a culture of security. Organisations need to communicate clearly the objectives of their training. Is mandatory learning the right approach? If training is perceived as punitive, employees become disgruntled. It’s about finding a balance. Also, how to encourage reporting? It’s essential to simplify the reporting process and identify security champions within the organisation, provide education, theory, refreshers and allow practice.
Insights on cybersecurity awareness and training
Maria Bada, from Queen Mary University in London, shared invaluable insights into the past practices and future needs of cybersecurity awareness and training. “Minor cyber attacks occur millions of times a day, and these can be devastating for SMEs.” Criminals are adept at using persuasion techniques, behavioural sciences and the latest technologies, including AI. The human factor is pervasive, affecting business and society as a whole. Achieving robust cybersecurity is a complex challenge, requiring a balanced approach across technology, processes and people. Bada explained why some cybersecurity campaigns fail, highlighting the ineffectiveness of scaremongering messages, and reminded the audience that online behaviour is distinctly different from offline behaviour. She added: “Top management support is absolutely crucial to develop a strong cybersecurity culture”.
One resounding theme throughout the event was the importance of changing user behaviour. It’s not enough to know; you need to do. The behavioural science approach, personalisation of training, and fostering a culture of security were all highlighted as ways to drive change. It also emerged that the role of top management in promoting cybersecurity culture cannot be overstated. All speakers emphasised that cybersecurity isn’t just a technical challenge; it’s a cultural one. Top management must lead by example and take security seriously.
The event featured a series of lightning talks, each lasting ten minutes.
The presentations addressed various aspects of cybersecurity awareness: attention as a scarce resource and the effectiveness of campaigns; the importance of internal communication in security awareness; the role of trust in business and corporate disinformation risks; the potential of AI in cybersecurity awareness training; and, in the lightning talk by my dear friend and colleague Davina Luyten from Belnet, the Belgian NREN, the insights from the recent security awareness survey among European NRENs conducted under the auspices of the GÉANT Project.
Well done team Switch!
The Swiss Security Awareness Day event was flawlessly executed by Switch’s dynamic trio: Katja Dörlemann, who single-handedly chaired the whole event, Cornelia Puhze and Fabio Greiner! The programme was outstanding and the organisation seamless. When can I register for Swiss Security Awareness Day 2024?