I was running a security awareness training session for some executives of one of our customers recently, when I put up a sample phishing email on the projector. I asked the room to identify the errors within the email that would identify it as a malicious phishing email. To the credit of the executives in the room, they were all able to spot the items within the email that identified it as a phishing email. “Excellent work,” I said, “you are all correct, so why did you all click on this email when I sent it to you?” Stunned looks greeted me. “The answer is simple: you were all busy when I sent it to you, and you needed to think consciously about whether it was a real email or a phishing email.”
In business today we are all exceedingly busy: customers, shareholders, bosses, expectations, being time-poor, being distracted, or a million other reasons. It is therefore difficult to focus consciously on multiple tasks at once. Email has become just a simple tool that we use to communicate with others, not something we wish to focus much attention on.
To address the criminals who are sending out phishing emails, we need to move the awareness thought process from a conscious process to a habitual process.
The term habit is most often used to refer to a process whereby situations prompt an automatic action acquired through prior performances and learning.
Unlike consciously intended behaviour, habit-based behaviour is regulated by an impulsive processing system, and so it can be triggered with minimal conscious effort, making it much simpler to avoid being deceived by criminal activity.
Formation of a habit normally requires a minimum of 21 to 28 days, and usually up to 8 weeks, before a conscious practice becomes an unconscious thought or habit. Behaviour then becomes detached from motivational or conscious control, freeing your mental resources for more demanding tasks.
Habit strength predicts the likelihood of good behaviour: people with strong habits are less likely to be deceived into making unintentional human errors that place them at risk.
Investment in technology and IT systems to address cyber security threats is imperative, but every business also needs to seriously consider significant investment in addressing the human risk factor: habit formation, which not only increases awareness but changes behaviour and provides usable measurements for selecting the appropriate controls.