Conversation with Isabella Corradini, social psychologist and criminologist, director of Themis Research Center and author of the book Building a Cybersecurity Culture in Organizations published by Springer (image)
By Alessia Valentini
We discuss changes imposed by the lockdown and what we can learn for cybersecurity. In fact, it is important to change the “culture” in organizations, as stated in her new book edited by Springer.
The premise is that individuals can make the difference when they are called to manage difficult situations.
Alessia Valentini. How is it possible to learn from difficult situations, such as Covid-19 pandemic, and why people behavior is so important?
Isabella Corradini. We all know the concept of resilience, which in psychology means coping adaptively with adverse situations. Individuals who successfully overcome them acquire self-awareness and create their resilience toolbox for managing future events. In this sense, they can become stronger because of their experiences. However, regardless of the emergency situation, people can make a difference.
Just think of pandemic period: rules, physical distancing, and the proper behavior that individuals are called up to adopt (like the use of mask and gloves) to prevent the transmission of coronavirus. Well, such a situation has shown that when people follow the rules strictly and behave responsibly the results are positive. At the same time, it is important people receive a proper and clear communication to behave appropriately.
We are talking in this specific situation of a health issue and of an unknown virus. But it is clear that prevention can be effective only if people are well-informed and actively involved. Hence, looking at other sectors and activities, it is clear that the human factor is a powerful mean for managing emergency situations and solving problems.
Alessia Valentini. What is the role of the human factor in Cybersecurity resilience?
Isabella Corradini. Resilience is a concept that can be analysed from an individual viewpoint, but also from an organizational one. Since organizations are made up of people and have to manage crisis events, it is evident that they should also gain from their experiences and be prepared for handling future crisis effectively. Cyberattacks and data breaches are now part of the life of individuals and businesses, so they have to change their approach and to be prepared to face them when a cyber crisis break out. Companies should consider the involvement of human factors as a strategic component, overcoming some stereotyped visions. For example, it is true that the human factor is the great “vulnerability” of security, the so-called “weakest link”. But it is also true that when properly informed and trained the human factor can become the real strong point for any organization, the real line of defense. This requires investing in employees’ preparation and considering the concept of awareness in a wide perspective: awareness is not just having information, but mobilizing cognitive and behavioral components in order to lead people to internalize and sediment changes.
Alessia Valentini. In your book you discuss the building a Cybersecurity Culture in organizations. How to foster this process?
Isabella Corradini. I have highlighted the importance of building a cybersecurity culture starting from the need of promoting a receptive and healthy environment. The question is: how can we expect that employees comply with security policies and behave responsibly when they are demotivated or too stressed? A dysfunctional work environment can therefore be an obstacle for an effective handling of cybersecurity issues. Moreover, we need to consider the building of cybersecurity culture as an ongoing process where some stages must not be neglected, such as the assessment phase to understand the security maturity of an organization in order to develop tailor-made training programmes. Since the concept of “culture” in organizations deals with employees’ beliefs, opinions, and values, an effective cybersecurity culture has to be based on their specific characteristics in terms of technologies, processes and people’ s values.
Then, we cannot forget the importance of involving different perspectives and views in this process of change. I think that for managing cybersecurity highly diverse teams should be encouraged: women, for example, can provide a different perspective on cybersecurity, since we know from the research literature that they have a different way of gauging risks. There are so many sources of inspirations that can be useful for cybersecurity!
Alessia Valentini. Why do organizations appear to be less prepared in terms of involvement of human factors?
Isabella Corradini. Cybersecurity is above all a human issue. Even though security experts say that it is necessary to invest in employees’ education, companies prefer to look at technological solutions, always available on the market but not resolutive. In this sense is not true that the more organizations spend in security, the more secure they will be, because it is important the quality of the investment, even more when we talk of training. Moreover, we cannot think that a one-off training is able to change people’s mentality. What is needed is to motivate employees and stimulate them to take part in the process and feeling responsible about it. This is why the real involvement of management is a crucial condition to avoid the failure of cybersecurity initiatives.
In short, we need to redefine the approach to cybersecurity because, as it is, cybersecurity does not work. International reports show that cyberattacks are growing and are becoming more and more sophisticated. In many cases people’s vulnerabilities are involved (e.g. phishing email, social engineering attacks). This is why employees have to be considered as an essential part of the cybersecurity strategy. Without the support of people, technological solutions are ineffective.
Alessia Valentini. What about remote working (smart working) and its related problems?
Isabella Corradini. This approach is based on flexibility and on the use of digital technologies in order to promote a better work-life balance. However, an extensive use of these technologies also increases security risks, especially when individuals lack of awareness. Just think of the Covid-19 pandemic which probably is going to change our future habits and way of working. According to WEF (World Economic Forum) the dependence on digital tools will expose us to the risks of cyberattacks.
Moreover, there is another aspect we should consider. Remote working requires a proper approach, otherwise the risk is an altered perception of working time leading people to work continuously without breaks. In addition, this type of “agile” working can produce social isolation and loneliness. All these aspects can be dangerous for workers’ health, since they feel they have to be always available. Because of the growth of this mode of work and considering that individuals use devices for their personal activities, we cannot neglect the risk of work addiction and the technostress issue.
Alessia Valentini. In conclusion, what can we do for our future in cybersecurity?
Isabella Corradini. We should learn from our experiences, consistently with the concept of resilience we discussed at the beginning of this interview. At the same time, we should recognize that sometimes our strategies are wrong, and have the courage of looking at alternatives.