Cybersecurity 101 Training: How to build employee habits that prevent cyberattacks

Since the pandemic began, cyber attacks have been on the rise as hackers have exploited vulnerabilities in employees’ work-from-home practices. Rather than attacking large organizations or governments, which tend to have large security teams and protective software, hackers have shifted their tactics to exploit susceptibilities in employees’ privacy and security practices.[1]

Part of the reason for increased cyber attacks is employee negligence. Employee inattentiveness has become a more significant problem since the pandemic began, with more than half of attacks on organizations in 2021 being a direct result of employee negligence.

Address Cybersecurity On Day 1

The onboarding process is a pivotal time to set expectations and create a robust cybersecurity foundation. It also provides opportunities to strengthen an employee’s sense of belonging, which greatly reduces the likelihood of lackadaisical behavior.

Prepare against negligence with knowledge-building

There is much at stake when it comes to properly training employees: on average, attacks caused by employee or contractor negligence cost companies $484,931.[2] While there are effective ways to change behavior once an employee has finished onboarding and joined the company (more on that here), the focus of this article is on the importance of creating resilience from the start.

Research findings suggest that the most effective solution to prevent cyber attacks is to create a holistic training program that builds employees’ knowledge base about common hacking methods.[3] Onboarding provides ample opportunities to improve awareness of cyber risks, given that every new employee must complete the same training protocols.

Form habits from the beginning

Another challenge that arises when assigning cybersecurity training to employees who are already onboarded is that it competes with their existing habits and work obligations.[4] Similarly, asking them to complete it after work hours may leave some staff unable to attend, or invite inattentiveness.[5]

According to one corporate training professional, fewer than 20% of employees change their habits upon coaching.

Behavioral science can tackle employee cybersecurity habits and reflexes, and you can find more on it here. A focus on training at the very beginning of someone’s tenure at a company avoids many of these pitfalls.

Promote belonging to increase security initiative

A key tenet of being able to protect information and act upon best cybersecurity practices is the level to which an employee feels engaged with the organization. Research suggests that committed employees make choices that benefit the organization and go beyond the minimum cybersecurity recommendations because they want to positively affect organizational outcomes.[7] Onboarding is a key moment to enhance commitment.[8]

When a company fosters engagement during onboarding by treating new employees as partners in the organization and boosting their confidence, those employees experience more assimilation and less stress, both key factors when thinking about cyber risk.[8] More broadly, those who successfully assimilate experience greater job satisfaction, higher rates of retention, and increased productivity. Conversely, those who were not onboarded well had higher turnover rates, decreased customer satisfaction, and reduced productivity.

References

  1. Okereafor, K., & Adelaiye, O. (2020). Randomized Cyber Attack Simulation Model: A Cybersecurity Mitigation Proposal for Post COVID-19 Digital Era. 05, 61–72.
  2. 2022 Cost of Insider Threats Global Report. (2022). Proofpoint. https://www.proofpoint.com/us/resources/threat-reports/cost-of-insider-threats
  3. Greitzer, F. L., Strozer, J. R., Cohen, S., Moore, A. P., Mundie, D., & Cowley, J. (2014). Analysis of Unintentional Insider Threats Deriving from Social Engineering Exploits. 2014 IEEE Security and Privacy Workshops, 236–250. https://doi.org/10.1109/SPW.2014.39
  4. Conteh, N., & Schmick, P. (2016). Cybersecurity: risks, vulnerabilities and countermeasures to prevent social engineering attacks. International Journal of Advanced Computer Research, 6, 31–38. https://doi.org/10.19101/IJACR.2016.623006
  5. Aldawood, H., & Skinner, G. (2019). Reviewing Cyber Security Social Engineering Training and Awareness Programs—Pitfalls and Ongoing Issues. Future Internet, 11(3), 73. https://doi.org/10.3390/fi11030073
  6. Yakowicz, W. (2015, February 17). 3 Mistakes You’re Making When Coaching Employees. Inc.Com. https://www.inc.com/will-yakowicz/3-mistakes-you-make-coaching-employees.html
  7. Blau, A., Alhadeff, A., Stern, M., Stinson, S., & Wright, J. (2017). Deep Thought: A Cybersecurity Story. ideas42. https://www.ideas42.org/wp-content/uploads/2016/08/Deep-Thought-A-Cybersecurity-Story.pdf
  8. Caldwell, C., & Peters, R. (2018). New employee onboarding – psychological contracts and ethical perspectives. Journal of Management Development, 37(1), 27–39. https://doi.org/10.1108/JMD-10-2016-0202
  9. Mann, I. (2017). Hacking the Human: Social Engineering Techniques and Security Countermeasures. Routledge. https://doi.org/10.4324/9781351156882
  10. Verizon 2021 Data Breach Investigations Report. (2021). Verizon. verizon.com/dbir
  11. Iny, A., Khanna, S., Coden, M., & Struck, B. (2021). Strengthen Your Strategy with Cyber Scenarios. Boston Consulting Group & The Decision Lab. https://app.hubspot.com/documents/3834397/view/233481126?accessId=f10950
  12. Hopper, E. (2019, July 3). What Is the Elaboration Likelihood Model in Psychology? ThoughtCo. https://www.thoughtco.com/elaboration-likelihood-model-4686036
  13. Leana, C. R., & van Buren, H. J. (1999). Organizational Social Capital and Employment Practices. The Academy of Management Review, 24(3), 538–555. https://doi.org/10.2307/259141
  14. Gundu, T. (2019, May 13). Acknowledging and Reducing the Knowing and Doing Gap in Employee Cybersecurity Compliance.
  15. Kelman, H. C. (2006). Interests, Relationships, Identities: Three Central Issues for Individuals and Groups in Negotiating Their Social Environment. Annual Review of Psychology, 57(1), 1–26. https://doi.org/10.1146/annurev.psych.57.102904.190156
  16. Wiederhold, B. (2014). The Role of Psychology in Enhancing Cybersecurity. Cyberpsychology, Behavior and Social Networking, 17, 131–132. https://doi.org/10.1089/cyber.2014.1502
  17. Cleaveland, A., Newman, J. C., & Weber, S. (2020, September 24). The Art of Communicating Risk. Harvard Business Review. https://hbr.org/2020/09/the-art-of-communicating-risk
  18. Zhang, X. A., & Borden, J. (2020). How to communicate cyber-risk? An examination of behavioral recommendations in cybersecurity crises. Journal of Risk Research, 23(10), 1336–1352. https://doi.org/10.1080/13669877.2019.1646315
  19. Nurse, J. (2013, January 1). Effective Communication of Cyber Security Risks. https://www.researchgate.net/publication/274663654_Effective_Communication_of_Cyber_Security_Risks

About the Authors

Lindsey Turk

Lindsey Turk is a Summer Content Associate at The Decision Lab. She holds a Master of Professional Studies in Applied Economics and Management from Cornell University and a Bachelor of Arts in Psychology from Boston University. Over the last few years, she’s gained experience in customer service, consulting, research, and communications in various industries. Before The Decision Lab, Lindsey served as a consultant to the US Department of State, working with its international HIV initiative, PEPFAR. Through Cornell, she also worked with a health food company in Kenya to improve access to clean foods and cites this opportunity as what cemented her interest in using behavioral science for good.

Dr. Brooke Struck

Dr. Brooke Struck is the Research Director at The Decision Lab. He is an internationally recognized voice in applied behavioural science, representing TDL’s work in outlets such as Forbes, Vox, Huffington Post and Bloomberg, as well as Canadian venues such as the Globe & Mail, CBC and Global Media. Dr. Struck hosts TDL’s podcast “The Decision Corner” and speaks regularly to practicing professionals in industries from finance to health & wellbeing to tech & AI.

Dan Pilat

Dan is a Co-Founder and Managing Director at The Decision Lab. He is a bestselling author of Intention - a book he wrote with Wiley on the mindful application of behavioral science in organizations. Dan has a background in organizational decision making, with a BComm in Decision & Information Systems from McGill University. He has worked on enterprise-level behavioral architecture at TD Securities and BMO Capital Markets, where he advised management on the implementation of systems processing billions of dollars per week. Driven by an appetite for the latest in technology, Dan created a course on business intelligence and lectured at McGill University, and has applied behavioral science to topics such as augmented and virtual reality.
