Security Culture Eats Human Risk for Breakfast

On the 1st November 2023, I gave a talk entitled ‘Security Culture Eats Human Risk for Breakfast’ at Kocho View in London. This post covers a few key points. If you like, you may view the entire 20-minute recording of the talk embedded in this post.

Post hero image

Table of contents

Reduce your human cyber risk
Hoxhunt's adaptive security training dramatically increases engagement and security resilience.
Learn more

Culture eats strategy for breakfast  

As Peter Drucker wisely suggested, while devising the best possible strategy is always important, its execution will not succeed if the right culture isn’t in place to support it. This is as true in cybersecurity as in any other area of business – a cybersecurity strategy needs a strong security culture to succeed.

The human layer is the most vulnerable

At least 74% of cyber security breaches involve the human element – such as social engineering and phishing, weak passwords and the improper storage or sharing of data – meaning hackers exploit our very humanness in order to gain access to systems.

Cyber threats are costly

In case a reminder is in order, hackers are in it for the money. The average cost of a cyber breach in 2023 was around $4.5M, however in some cases it can be much higher. One of this year’s costliest breaches was the $100 million MGM Hotel cyberattack. This attack reportedly started with ’vishing’ – an attacker calling the IT helpdesk and impersonating an employee based on information found on LinkedIn.

How can culture impact risk?  

People largely aim to act according to the norms of their culture. In a healthy cybersecurity culture, employees are engaged and willing to learn how to protect themselves and their company, as well as vigilant and able to apply their learnings, for instance when it comes to reporting anything suspicious through the right channels.  

Creating positive security culture  

Yes, cybersecurity is a serious topic. However, if we want people across the board to truly engage with it, we need to make it fun, approachable, and personally relevant. Establishing a psychologically safe environment where mistakes are not penalised is paramount. The resulting sharing and reporting of threats – as well as any mistakes that may have been made – contributes to building resilience against cyberattacks. That is why Hoxhunt's approach involves individualised learning paths, frequent sessions, gamification, and positive reinforcement.  

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this